]>
Commit | Line | Data |
---|---|---|
51580e79 | 1 | /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com |
969bf05e | 2 | * Copyright (c) 2016 Facebook |
fd978bf7 | 3 | * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io |
51580e79 AS |
4 | * |
5 | * This program is free software; you can redistribute it and/or | |
6 | * modify it under the terms of version 2 of the GNU General Public | |
7 | * License as published by the Free Software Foundation. | |
8 | * | |
9 | * This program is distributed in the hope that it will be useful, but | |
10 | * WITHOUT ANY WARRANTY; without even the implied warranty of | |
11 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
12 | * General Public License for more details. | |
13 | */ | |
838e9690 | 14 | #include <uapi/linux/btf.h> |
51580e79 AS |
15 | #include <linux/kernel.h> |
16 | #include <linux/types.h> | |
17 | #include <linux/slab.h> | |
18 | #include <linux/bpf.h> | |
838e9690 | 19 | #include <linux/btf.h> |
58e2af8b | 20 | #include <linux/bpf_verifier.h> |
51580e79 AS |
21 | #include <linux/filter.h> |
22 | #include <net/netlink.h> | |
23 | #include <linux/file.h> | |
24 | #include <linux/vmalloc.h> | |
ebb676da | 25 | #include <linux/stringify.h> |
cc8b0b92 AS |
26 | #include <linux/bsearch.h> |
27 | #include <linux/sort.h> | |
c195651e | 28 | #include <linux/perf_event.h> |
d9762e84 | 29 | #include <linux/ctype.h> |
51580e79 | 30 | |
f4ac7e0b JK |
31 | #include "disasm.h" |
32 | ||
00176a34 JK |
33 | static const struct bpf_verifier_ops * const bpf_verifier_ops[] = { |
34 | #define BPF_PROG_TYPE(_id, _name) \ | |
35 | [_id] = & _name ## _verifier_ops, | |
36 | #define BPF_MAP_TYPE(_id, _ops) | |
37 | #include <linux/bpf_types.h> | |
38 | #undef BPF_PROG_TYPE | |
39 | #undef BPF_MAP_TYPE | |
40 | }; | |
41 | ||
51580e79 AS |
42 | /* bpf_check() is a static code analyzer that walks eBPF program |
43 | * instruction by instruction and updates register/stack state. | |
44 | * All paths of conditional branches are analyzed until 'bpf_exit' insn. | |
45 | * | |
46 | * The first pass is depth-first-search to check that the program is a DAG. | |
47 | * It rejects the following programs: | |
48 | * - larger than BPF_MAXINSNS insns | |
49 | * - if loop is present (detected via back-edge) | |
50 | * - unreachable insns exist (shouldn't be a forest. program = one function) | |
51 | * - out of bounds or malformed jumps | |
52 | * The second pass is all possible path descent from the 1st insn. | |
53 | * Since it's analyzing all pathes through the program, the length of the | |
eba38a96 | 54 | * analysis is limited to 64k insn, which may be hit even if total number of |
51580e79 AS |
55 | * insn is less then 4K, but there are too many branches that change stack/regs. |
56 | * Number of 'branches to be analyzed' is limited to 1k | |
57 | * | |
58 | * On entry to each instruction, each register has a type, and the instruction | |
59 | * changes the types of the registers depending on instruction semantics. | |
60 | * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is | |
61 | * copied to R1. | |
62 | * | |
63 | * All registers are 64-bit. | |
64 | * R0 - return register | |
65 | * R1-R5 argument passing registers | |
66 | * R6-R9 callee saved registers | |
67 | * R10 - frame pointer read-only | |
68 | * | |
69 | * At the start of BPF program the register R1 contains a pointer to bpf_context | |
70 | * and has type PTR_TO_CTX. | |
71 | * | |
72 | * Verifier tracks arithmetic operations on pointers in case: | |
73 | * BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), | |
74 | * BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20), | |
75 | * 1st insn copies R10 (which has FRAME_PTR) type into R1 | |
76 | * and 2nd arithmetic instruction is pattern matched to recognize | |
77 | * that it wants to construct a pointer to some element within stack. | |
78 | * So after 2nd insn, the register R1 has type PTR_TO_STACK | |
79 | * (and -20 constant is saved for further stack bounds checking). | |
80 | * Meaning that this reg is a pointer to stack plus known immediate constant. | |
81 | * | |
f1174f77 | 82 | * Most of the time the registers have SCALAR_VALUE type, which |
51580e79 | 83 | * means the register has some value, but it's not a valid pointer. |
f1174f77 | 84 | * (like pointer plus pointer becomes SCALAR_VALUE type) |
51580e79 AS |
85 | * |
86 | * When verifier sees load or store instructions the type of base register | |
c64b7983 JS |
87 | * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, PTR_TO_STACK, PTR_TO_SOCKET. These are |
88 | * four pointer types recognized by check_mem_access() function. | |
51580e79 AS |
89 | * |
90 | * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value' | |
91 | * and the range of [ptr, ptr + map's value_size) is accessible. | |
92 | * | |
93 | * registers used to pass values to function calls are checked against | |
94 | * function argument constraints. | |
95 | * | |
96 | * ARG_PTR_TO_MAP_KEY is one of such argument constraints. | |
97 | * It means that the register type passed to this function must be | |
98 | * PTR_TO_STACK and it will be used inside the function as | |
99 | * 'pointer to map element key' | |
100 | * | |
101 | * For example the argument constraints for bpf_map_lookup_elem(): | |
102 | * .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, | |
103 | * .arg1_type = ARG_CONST_MAP_PTR, | |
104 | * .arg2_type = ARG_PTR_TO_MAP_KEY, | |
105 | * | |
106 | * ret_type says that this function returns 'pointer to map elem value or null' | |
107 | * function expects 1st argument to be a const pointer to 'struct bpf_map' and | |
108 | * 2nd argument should be a pointer to stack, which will be used inside | |
109 | * the helper function as a pointer to map element key. | |
110 | * | |
111 | * On the kernel side the helper function looks like: | |
112 | * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) | |
113 | * { | |
114 | * struct bpf_map *map = (struct bpf_map *) (unsigned long) r1; | |
115 | * void *key = (void *) (unsigned long) r2; | |
116 | * void *value; | |
117 | * | |
118 | * here kernel can access 'key' and 'map' pointers safely, knowing that | |
119 | * [key, key + map->key_size) bytes are valid and were initialized on | |
120 | * the stack of eBPF program. | |
121 | * } | |
122 | * | |
123 | * Corresponding eBPF program may look like: | |
124 | * BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), // after this insn R2 type is FRAME_PTR | |
125 | * BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK | |
126 | * BPF_LD_MAP_FD(BPF_REG_1, map_fd), // after this insn R1 type is CONST_PTR_TO_MAP | |
127 | * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), | |
128 | * here verifier looks at prototype of map_lookup_elem() and sees: | |
129 | * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok, | |
130 | * Now verifier knows that this map has key of R1->map_ptr->key_size bytes | |
131 | * | |
132 | * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far, | |
133 | * Now verifier checks that [R2, R2 + map's key_size) are within stack limits | |
134 | * and were initialized prior to this call. | |
135 | * If it's ok, then verifier allows this BPF_CALL insn and looks at | |
136 | * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets | |
137 | * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function | |
138 | * returns ether pointer to map value or NULL. | |
139 | * | |
140 | * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off' | |
141 | * insn, the register holding that pointer in the true branch changes state to | |
142 | * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false | |
143 | * branch. See check_cond_jmp_op(). | |
144 | * | |
145 | * After the call R0 is set to return type of the function and registers R1-R5 | |
146 | * are set to NOT_INIT to indicate that they are no longer readable. | |
fd978bf7 JS |
147 | * |
148 | * The following reference types represent a potential reference to a kernel | |
149 | * resource which, after first being allocated, must be checked and freed by | |
150 | * the BPF program: | |
151 | * - PTR_TO_SOCKET_OR_NULL, PTR_TO_SOCKET | |
152 | * | |
153 | * When the verifier sees a helper call return a reference type, it allocates a | |
154 | * pointer id for the reference and stores it in the current function state. | |
155 | * Similar to the way that PTR_TO_MAP_VALUE_OR_NULL is converted into | |
156 | * PTR_TO_MAP_VALUE, PTR_TO_SOCKET_OR_NULL becomes PTR_TO_SOCKET when the type | |
157 | * passes through a NULL-check conditional. For the branch wherein the state is | |
158 | * changed to CONST_IMM, the verifier releases the reference. | |
6acc9b43 JS |
159 | * |
160 | * For each helper function that allocates a reference, such as | |
161 | * bpf_sk_lookup_tcp(), there is a corresponding release function, such as | |
162 | * bpf_sk_release(). When a reference type passes into the release function, | |
163 | * the verifier also releases the reference. If any unchecked or unreleased | |
164 | * reference remains at the end of the program, the verifier rejects it. | |
51580e79 AS |
165 | */ |
166 | ||
17a52670 | 167 | /* verifier_state + insn_idx are pushed to stack when branch is encountered */ |
58e2af8b | 168 | struct bpf_verifier_stack_elem { |
17a52670 AS |
169 | /* verifer state is 'st' |
170 | * before processing instruction 'insn_idx' | |
171 | * and after processing instruction 'prev_insn_idx' | |
172 | */ | |
58e2af8b | 173 | struct bpf_verifier_state st; |
17a52670 AS |
174 | int insn_idx; |
175 | int prev_insn_idx; | |
58e2af8b | 176 | struct bpf_verifier_stack_elem *next; |
cbd35700 AS |
177 | }; |
178 | ||
8e17c1b1 | 179 | #define BPF_COMPLEXITY_LIMIT_INSNS 131072 |
07016151 | 180 | #define BPF_COMPLEXITY_LIMIT_STACK 1024 |
ceefbc96 | 181 | #define BPF_COMPLEXITY_LIMIT_STATES 64 |
07016151 | 182 | |
c93552c4 DB |
183 | #define BPF_MAP_PTR_UNPRIV 1UL |
184 | #define BPF_MAP_PTR_POISON ((void *)((0xeB9FUL << 1) + \ | |
185 | POISON_POINTER_DELTA)) | |
186 | #define BPF_MAP_PTR(X) ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV)) | |
187 | ||
188 | static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux) | |
189 | { | |
190 | return BPF_MAP_PTR(aux->map_state) == BPF_MAP_PTR_POISON; | |
191 | } | |
192 | ||
193 | static bool bpf_map_ptr_unpriv(const struct bpf_insn_aux_data *aux) | |
194 | { | |
195 | return aux->map_state & BPF_MAP_PTR_UNPRIV; | |
196 | } | |
197 | ||
198 | static void bpf_map_ptr_store(struct bpf_insn_aux_data *aux, | |
199 | const struct bpf_map *map, bool unpriv) | |
200 | { | |
201 | BUILD_BUG_ON((unsigned long)BPF_MAP_PTR_POISON & BPF_MAP_PTR_UNPRIV); | |
202 | unpriv |= bpf_map_ptr_unpriv(aux); | |
203 | aux->map_state = (unsigned long)map | | |
204 | (unpriv ? BPF_MAP_PTR_UNPRIV : 0UL); | |
205 | } | |
fad73a1a | 206 | |
33ff9823 DB |
207 | struct bpf_call_arg_meta { |
208 | struct bpf_map *map_ptr; | |
435faee1 | 209 | bool raw_mode; |
36bbef52 | 210 | bool pkt_access; |
435faee1 DB |
211 | int regno; |
212 | int access_size; | |
849fa506 YS |
213 | s64 msize_smax_value; |
214 | u64 msize_umax_value; | |
1b986589 | 215 | int ref_obj_id; |
d83525ca | 216 | int func_id; |
33ff9823 DB |
217 | }; |
218 | ||
cbd35700 AS |
219 | static DEFINE_MUTEX(bpf_verifier_lock); |
220 | ||
d9762e84 MKL |
221 | static const struct bpf_line_info * |
222 | find_linfo(const struct bpf_verifier_env *env, u32 insn_off) | |
223 | { | |
224 | const struct bpf_line_info *linfo; | |
225 | const struct bpf_prog *prog; | |
226 | u32 i, nr_linfo; | |
227 | ||
228 | prog = env->prog; | |
229 | nr_linfo = prog->aux->nr_linfo; | |
230 | ||
231 | if (!nr_linfo || insn_off >= prog->len) | |
232 | return NULL; | |
233 | ||
234 | linfo = prog->aux->linfo; | |
235 | for (i = 1; i < nr_linfo; i++) | |
236 | if (insn_off < linfo[i].insn_off) | |
237 | break; | |
238 | ||
239 | return &linfo[i - 1]; | |
240 | } | |
241 | ||
77d2e05a MKL |
242 | void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt, |
243 | va_list args) | |
cbd35700 | 244 | { |
a2a7d570 | 245 | unsigned int n; |
cbd35700 | 246 | |
a2a7d570 | 247 | n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args); |
a2a7d570 JK |
248 | |
249 | WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1, | |
250 | "verifier log line truncated - local buffer too short\n"); | |
251 | ||
252 | n = min(log->len_total - log->len_used - 1, n); | |
253 | log->kbuf[n] = '\0'; | |
254 | ||
255 | if (!copy_to_user(log->ubuf + log->len_used, log->kbuf, n + 1)) | |
256 | log->len_used += n; | |
257 | else | |
258 | log->ubuf = NULL; | |
cbd35700 | 259 | } |
abe08840 JO |
260 | |
261 | /* log_level controls verbosity level of eBPF verifier. | |
262 | * bpf_verifier_log_write() is used to dump the verification trace to the log, | |
263 | * so the user can figure out what's wrong with the program | |
430e68d1 | 264 | */ |
abe08840 JO |
265 | __printf(2, 3) void bpf_verifier_log_write(struct bpf_verifier_env *env, |
266 | const char *fmt, ...) | |
267 | { | |
268 | va_list args; | |
269 | ||
77d2e05a MKL |
270 | if (!bpf_verifier_log_needed(&env->log)) |
271 | return; | |
272 | ||
abe08840 | 273 | va_start(args, fmt); |
77d2e05a | 274 | bpf_verifier_vlog(&env->log, fmt, args); |
abe08840 JO |
275 | va_end(args); |
276 | } | |
277 | EXPORT_SYMBOL_GPL(bpf_verifier_log_write); | |
278 | ||
279 | __printf(2, 3) static void verbose(void *private_data, const char *fmt, ...) | |
280 | { | |
77d2e05a | 281 | struct bpf_verifier_env *env = private_data; |
abe08840 JO |
282 | va_list args; |
283 | ||
77d2e05a MKL |
284 | if (!bpf_verifier_log_needed(&env->log)) |
285 | return; | |
286 | ||
abe08840 | 287 | va_start(args, fmt); |
77d2e05a | 288 | bpf_verifier_vlog(&env->log, fmt, args); |
abe08840 JO |
289 | va_end(args); |
290 | } | |
cbd35700 | 291 | |
d9762e84 MKL |
292 | static const char *ltrim(const char *s) |
293 | { | |
294 | while (isspace(*s)) | |
295 | s++; | |
296 | ||
297 | return s; | |
298 | } | |
299 | ||
300 | __printf(3, 4) static void verbose_linfo(struct bpf_verifier_env *env, | |
301 | u32 insn_off, | |
302 | const char *prefix_fmt, ...) | |
303 | { | |
304 | const struct bpf_line_info *linfo; | |
305 | ||
306 | if (!bpf_verifier_log_needed(&env->log)) | |
307 | return; | |
308 | ||
309 | linfo = find_linfo(env, insn_off); | |
310 | if (!linfo || linfo == env->prev_linfo) | |
311 | return; | |
312 | ||
313 | if (prefix_fmt) { | |
314 | va_list args; | |
315 | ||
316 | va_start(args, prefix_fmt); | |
317 | bpf_verifier_vlog(&env->log, prefix_fmt, args); | |
318 | va_end(args); | |
319 | } | |
320 | ||
321 | verbose(env, "%s\n", | |
322 | ltrim(btf_name_by_offset(env->prog->aux->btf, | |
323 | linfo->line_off))); | |
324 | ||
325 | env->prev_linfo = linfo; | |
326 | } | |
327 | ||
de8f3a83 DB |
328 | static bool type_is_pkt_pointer(enum bpf_reg_type type) |
329 | { | |
330 | return type == PTR_TO_PACKET || | |
331 | type == PTR_TO_PACKET_META; | |
332 | } | |
333 | ||
46f8bc92 MKL |
334 | static bool type_is_sk_pointer(enum bpf_reg_type type) |
335 | { | |
336 | return type == PTR_TO_SOCKET || | |
655a51e5 MKL |
337 | type == PTR_TO_SOCK_COMMON || |
338 | type == PTR_TO_TCP_SOCK; | |
46f8bc92 MKL |
339 | } |
340 | ||
840b9615 JS |
341 | static bool reg_type_may_be_null(enum bpf_reg_type type) |
342 | { | |
fd978bf7 | 343 | return type == PTR_TO_MAP_VALUE_OR_NULL || |
46f8bc92 | 344 | type == PTR_TO_SOCKET_OR_NULL || |
655a51e5 MKL |
345 | type == PTR_TO_SOCK_COMMON_OR_NULL || |
346 | type == PTR_TO_TCP_SOCK_OR_NULL; | |
fd978bf7 JS |
347 | } |
348 | ||
d83525ca AS |
349 | static bool reg_may_point_to_spin_lock(const struct bpf_reg_state *reg) |
350 | { | |
351 | return reg->type == PTR_TO_MAP_VALUE && | |
352 | map_value_has_spin_lock(reg->map_ptr); | |
353 | } | |
354 | ||
1b986589 | 355 | static bool arg_type_may_be_refcounted(enum bpf_arg_type type) |
fd978bf7 | 356 | { |
1b986589 | 357 | return type == ARG_PTR_TO_SOCK_COMMON; |
fd978bf7 JS |
358 | } |
359 | ||
360 | /* Determine whether the function releases some resources allocated by another | |
361 | * function call. The first reference type argument will be assumed to be | |
362 | * released by release_reference(). | |
363 | */ | |
364 | static bool is_release_function(enum bpf_func_id func_id) | |
365 | { | |
6acc9b43 | 366 | return func_id == BPF_FUNC_sk_release; |
840b9615 JS |
367 | } |
368 | ||
46f8bc92 MKL |
369 | static bool is_acquire_function(enum bpf_func_id func_id) |
370 | { | |
371 | return func_id == BPF_FUNC_sk_lookup_tcp || | |
372 | func_id == BPF_FUNC_sk_lookup_udp; | |
373 | } | |
374 | ||
1b986589 MKL |
375 | static bool is_ptr_cast_function(enum bpf_func_id func_id) |
376 | { | |
377 | return func_id == BPF_FUNC_tcp_sock || | |
378 | func_id == BPF_FUNC_sk_fullsock; | |
379 | } | |
380 | ||
17a52670 AS |
381 | /* string representation of 'enum bpf_reg_type' */ |
382 | static const char * const reg_type_str[] = { | |
383 | [NOT_INIT] = "?", | |
f1174f77 | 384 | [SCALAR_VALUE] = "inv", |
17a52670 AS |
385 | [PTR_TO_CTX] = "ctx", |
386 | [CONST_PTR_TO_MAP] = "map_ptr", | |
387 | [PTR_TO_MAP_VALUE] = "map_value", | |
388 | [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null", | |
17a52670 | 389 | [PTR_TO_STACK] = "fp", |
969bf05e | 390 | [PTR_TO_PACKET] = "pkt", |
de8f3a83 | 391 | [PTR_TO_PACKET_META] = "pkt_meta", |
969bf05e | 392 | [PTR_TO_PACKET_END] = "pkt_end", |
d58e468b | 393 | [PTR_TO_FLOW_KEYS] = "flow_keys", |
c64b7983 JS |
394 | [PTR_TO_SOCKET] = "sock", |
395 | [PTR_TO_SOCKET_OR_NULL] = "sock_or_null", | |
46f8bc92 MKL |
396 | [PTR_TO_SOCK_COMMON] = "sock_common", |
397 | [PTR_TO_SOCK_COMMON_OR_NULL] = "sock_common_or_null", | |
655a51e5 MKL |
398 | [PTR_TO_TCP_SOCK] = "tcp_sock", |
399 | [PTR_TO_TCP_SOCK_OR_NULL] = "tcp_sock_or_null", | |
17a52670 AS |
400 | }; |
401 | ||
8efea21d EC |
402 | static char slot_type_char[] = { |
403 | [STACK_INVALID] = '?', | |
404 | [STACK_SPILL] = 'r', | |
405 | [STACK_MISC] = 'm', | |
406 | [STACK_ZERO] = '0', | |
407 | }; | |
408 | ||
4e92024a AS |
409 | static void print_liveness(struct bpf_verifier_env *env, |
410 | enum bpf_reg_liveness live) | |
411 | { | |
9242b5f5 | 412 | if (live & (REG_LIVE_READ | REG_LIVE_WRITTEN | REG_LIVE_DONE)) |
4e92024a AS |
413 | verbose(env, "_"); |
414 | if (live & REG_LIVE_READ) | |
415 | verbose(env, "r"); | |
416 | if (live & REG_LIVE_WRITTEN) | |
417 | verbose(env, "w"); | |
9242b5f5 AS |
418 | if (live & REG_LIVE_DONE) |
419 | verbose(env, "D"); | |
4e92024a AS |
420 | } |
421 | ||
f4d7e40a AS |
422 | static struct bpf_func_state *func(struct bpf_verifier_env *env, |
423 | const struct bpf_reg_state *reg) | |
424 | { | |
425 | struct bpf_verifier_state *cur = env->cur_state; | |
426 | ||
427 | return cur->frame[reg->frameno]; | |
428 | } | |
429 | ||
61bd5218 | 430 | static void print_verifier_state(struct bpf_verifier_env *env, |
f4d7e40a | 431 | const struct bpf_func_state *state) |
17a52670 | 432 | { |
f4d7e40a | 433 | const struct bpf_reg_state *reg; |
17a52670 AS |
434 | enum bpf_reg_type t; |
435 | int i; | |
436 | ||
f4d7e40a AS |
437 | if (state->frameno) |
438 | verbose(env, " frame%d:", state->frameno); | |
17a52670 | 439 | for (i = 0; i < MAX_BPF_REG; i++) { |
1a0dc1ac AS |
440 | reg = &state->regs[i]; |
441 | t = reg->type; | |
17a52670 AS |
442 | if (t == NOT_INIT) |
443 | continue; | |
4e92024a AS |
444 | verbose(env, " R%d", i); |
445 | print_liveness(env, reg->live); | |
446 | verbose(env, "=%s", reg_type_str[t]); | |
f1174f77 EC |
447 | if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && |
448 | tnum_is_const(reg->var_off)) { | |
449 | /* reg->off should be 0 for SCALAR_VALUE */ | |
61bd5218 | 450 | verbose(env, "%lld", reg->var_off.value + reg->off); |
f4d7e40a AS |
451 | if (t == PTR_TO_STACK) |
452 | verbose(env, ",call_%d", func(env, reg)->callsite); | |
f1174f77 | 453 | } else { |
1b986589 MKL |
454 | verbose(env, "(id=%d ref_obj_id=%d", reg->id, |
455 | reg->ref_obj_id); | |
f1174f77 | 456 | if (t != SCALAR_VALUE) |
61bd5218 | 457 | verbose(env, ",off=%d", reg->off); |
de8f3a83 | 458 | if (type_is_pkt_pointer(t)) |
61bd5218 | 459 | verbose(env, ",r=%d", reg->range); |
f1174f77 EC |
460 | else if (t == CONST_PTR_TO_MAP || |
461 | t == PTR_TO_MAP_VALUE || | |
462 | t == PTR_TO_MAP_VALUE_OR_NULL) | |
61bd5218 | 463 | verbose(env, ",ks=%d,vs=%d", |
f1174f77 EC |
464 | reg->map_ptr->key_size, |
465 | reg->map_ptr->value_size); | |
7d1238f2 EC |
466 | if (tnum_is_const(reg->var_off)) { |
467 | /* Typically an immediate SCALAR_VALUE, but | |
468 | * could be a pointer whose offset is too big | |
469 | * for reg->off | |
470 | */ | |
61bd5218 | 471 | verbose(env, ",imm=%llx", reg->var_off.value); |
7d1238f2 EC |
472 | } else { |
473 | if (reg->smin_value != reg->umin_value && | |
474 | reg->smin_value != S64_MIN) | |
61bd5218 | 475 | verbose(env, ",smin_value=%lld", |
7d1238f2 EC |
476 | (long long)reg->smin_value); |
477 | if (reg->smax_value != reg->umax_value && | |
478 | reg->smax_value != S64_MAX) | |
61bd5218 | 479 | verbose(env, ",smax_value=%lld", |
7d1238f2 EC |
480 | (long long)reg->smax_value); |
481 | if (reg->umin_value != 0) | |
61bd5218 | 482 | verbose(env, ",umin_value=%llu", |
7d1238f2 EC |
483 | (unsigned long long)reg->umin_value); |
484 | if (reg->umax_value != U64_MAX) | |
61bd5218 | 485 | verbose(env, ",umax_value=%llu", |
7d1238f2 EC |
486 | (unsigned long long)reg->umax_value); |
487 | if (!tnum_is_unknown(reg->var_off)) { | |
488 | char tn_buf[48]; | |
f1174f77 | 489 | |
7d1238f2 | 490 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
61bd5218 | 491 | verbose(env, ",var_off=%s", tn_buf); |
7d1238f2 | 492 | } |
f1174f77 | 493 | } |
61bd5218 | 494 | verbose(env, ")"); |
f1174f77 | 495 | } |
17a52670 | 496 | } |
638f5b90 | 497 | for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) { |
8efea21d EC |
498 | char types_buf[BPF_REG_SIZE + 1]; |
499 | bool valid = false; | |
500 | int j; | |
501 | ||
502 | for (j = 0; j < BPF_REG_SIZE; j++) { | |
503 | if (state->stack[i].slot_type[j] != STACK_INVALID) | |
504 | valid = true; | |
505 | types_buf[j] = slot_type_char[ | |
506 | state->stack[i].slot_type[j]]; | |
507 | } | |
508 | types_buf[BPF_REG_SIZE] = 0; | |
509 | if (!valid) | |
510 | continue; | |
511 | verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE); | |
512 | print_liveness(env, state->stack[i].spilled_ptr.live); | |
513 | if (state->stack[i].slot_type[0] == STACK_SPILL) | |
4e92024a | 514 | verbose(env, "=%s", |
638f5b90 | 515 | reg_type_str[state->stack[i].spilled_ptr.type]); |
8efea21d EC |
516 | else |
517 | verbose(env, "=%s", types_buf); | |
17a52670 | 518 | } |
fd978bf7 JS |
519 | if (state->acquired_refs && state->refs[0].id) { |
520 | verbose(env, " refs=%d", state->refs[0].id); | |
521 | for (i = 1; i < state->acquired_refs; i++) | |
522 | if (state->refs[i].id) | |
523 | verbose(env, ",%d", state->refs[i].id); | |
524 | } | |
61bd5218 | 525 | verbose(env, "\n"); |
17a52670 AS |
526 | } |
527 | ||
84dbf350 JS |
528 | #define COPY_STATE_FN(NAME, COUNT, FIELD, SIZE) \ |
529 | static int copy_##NAME##_state(struct bpf_func_state *dst, \ | |
530 | const struct bpf_func_state *src) \ | |
531 | { \ | |
532 | if (!src->FIELD) \ | |
533 | return 0; \ | |
534 | if (WARN_ON_ONCE(dst->COUNT < src->COUNT)) { \ | |
535 | /* internal bug, make state invalid to reject the program */ \ | |
536 | memset(dst, 0, sizeof(*dst)); \ | |
537 | return -EFAULT; \ | |
538 | } \ | |
539 | memcpy(dst->FIELD, src->FIELD, \ | |
540 | sizeof(*src->FIELD) * (src->COUNT / SIZE)); \ | |
541 | return 0; \ | |
638f5b90 | 542 | } |
fd978bf7 JS |
543 | /* copy_reference_state() */ |
544 | COPY_STATE_FN(reference, acquired_refs, refs, 1) | |
84dbf350 JS |
545 | /* copy_stack_state() */ |
546 | COPY_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE) | |
547 | #undef COPY_STATE_FN | |
548 | ||
549 | #define REALLOC_STATE_FN(NAME, COUNT, FIELD, SIZE) \ | |
550 | static int realloc_##NAME##_state(struct bpf_func_state *state, int size, \ | |
551 | bool copy_old) \ | |
552 | { \ | |
553 | u32 old_size = state->COUNT; \ | |
554 | struct bpf_##NAME##_state *new_##FIELD; \ | |
555 | int slot = size / SIZE; \ | |
556 | \ | |
557 | if (size <= old_size || !size) { \ | |
558 | if (copy_old) \ | |
559 | return 0; \ | |
560 | state->COUNT = slot * SIZE; \ | |
561 | if (!size && old_size) { \ | |
562 | kfree(state->FIELD); \ | |
563 | state->FIELD = NULL; \ | |
564 | } \ | |
565 | return 0; \ | |
566 | } \ | |
567 | new_##FIELD = kmalloc_array(slot, sizeof(struct bpf_##NAME##_state), \ | |
568 | GFP_KERNEL); \ | |
569 | if (!new_##FIELD) \ | |
570 | return -ENOMEM; \ | |
571 | if (copy_old) { \ | |
572 | if (state->FIELD) \ | |
573 | memcpy(new_##FIELD, state->FIELD, \ | |
574 | sizeof(*new_##FIELD) * (old_size / SIZE)); \ | |
575 | memset(new_##FIELD + old_size / SIZE, 0, \ | |
576 | sizeof(*new_##FIELD) * (size - old_size) / SIZE); \ | |
577 | } \ | |
578 | state->COUNT = slot * SIZE; \ | |
579 | kfree(state->FIELD); \ | |
580 | state->FIELD = new_##FIELD; \ | |
581 | return 0; \ | |
582 | } | |
fd978bf7 JS |
583 | /* realloc_reference_state() */ |
584 | REALLOC_STATE_FN(reference, acquired_refs, refs, 1) | |
84dbf350 JS |
585 | /* realloc_stack_state() */ |
586 | REALLOC_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE) | |
587 | #undef REALLOC_STATE_FN | |
638f5b90 AS |
588 | |
589 | /* do_check() starts with zero-sized stack in struct bpf_verifier_state to | |
590 | * make it consume minimal amount of memory. check_stack_write() access from | |
f4d7e40a | 591 | * the program calls into realloc_func_state() to grow the stack size. |
84dbf350 JS |
592 | * Note there is a non-zero 'parent' pointer inside bpf_verifier_state |
593 | * which realloc_stack_state() copies over. It points to previous | |
594 | * bpf_verifier_state which is never reallocated. | |
638f5b90 | 595 | */ |
fd978bf7 JS |
596 | static int realloc_func_state(struct bpf_func_state *state, int stack_size, |
597 | int refs_size, bool copy_old) | |
638f5b90 | 598 | { |
fd978bf7 JS |
599 | int err = realloc_reference_state(state, refs_size, copy_old); |
600 | if (err) | |
601 | return err; | |
602 | return realloc_stack_state(state, stack_size, copy_old); | |
603 | } | |
604 | ||
605 | /* Acquire a pointer id from the env and update the state->refs to include | |
606 | * this new pointer reference. | |
607 | * On success, returns a valid pointer id to associate with the register | |
608 | * On failure, returns a negative errno. | |
638f5b90 | 609 | */ |
fd978bf7 | 610 | static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx) |
638f5b90 | 611 | { |
fd978bf7 JS |
612 | struct bpf_func_state *state = cur_func(env); |
613 | int new_ofs = state->acquired_refs; | |
614 | int id, err; | |
615 | ||
616 | err = realloc_reference_state(state, state->acquired_refs + 1, true); | |
617 | if (err) | |
618 | return err; | |
619 | id = ++env->id_gen; | |
620 | state->refs[new_ofs].id = id; | |
621 | state->refs[new_ofs].insn_idx = insn_idx; | |
638f5b90 | 622 | |
fd978bf7 JS |
623 | return id; |
624 | } | |
625 | ||
626 | /* release function corresponding to acquire_reference_state(). Idempotent. */ | |
46f8bc92 | 627 | static int release_reference_state(struct bpf_func_state *state, int ptr_id) |
fd978bf7 JS |
628 | { |
629 | int i, last_idx; | |
630 | ||
fd978bf7 JS |
631 | last_idx = state->acquired_refs - 1; |
632 | for (i = 0; i < state->acquired_refs; i++) { | |
633 | if (state->refs[i].id == ptr_id) { | |
634 | if (last_idx && i != last_idx) | |
635 | memcpy(&state->refs[i], &state->refs[last_idx], | |
636 | sizeof(*state->refs)); | |
637 | memset(&state->refs[last_idx], 0, sizeof(*state->refs)); | |
638 | state->acquired_refs--; | |
638f5b90 | 639 | return 0; |
638f5b90 | 640 | } |
638f5b90 | 641 | } |
46f8bc92 | 642 | return -EINVAL; |
fd978bf7 JS |
643 | } |
644 | ||
645 | static int transfer_reference_state(struct bpf_func_state *dst, | |
646 | struct bpf_func_state *src) | |
647 | { | |
648 | int err = realloc_reference_state(dst, src->acquired_refs, false); | |
649 | if (err) | |
650 | return err; | |
651 | err = copy_reference_state(dst, src); | |
652 | if (err) | |
653 | return err; | |
638f5b90 AS |
654 | return 0; |
655 | } | |
656 | ||
f4d7e40a AS |
657 | static void free_func_state(struct bpf_func_state *state) |
658 | { | |
5896351e AS |
659 | if (!state) |
660 | return; | |
fd978bf7 | 661 | kfree(state->refs); |
f4d7e40a AS |
662 | kfree(state->stack); |
663 | kfree(state); | |
664 | } | |
665 | ||
1969db47 AS |
666 | static void free_verifier_state(struct bpf_verifier_state *state, |
667 | bool free_self) | |
638f5b90 | 668 | { |
f4d7e40a AS |
669 | int i; |
670 | ||
671 | for (i = 0; i <= state->curframe; i++) { | |
672 | free_func_state(state->frame[i]); | |
673 | state->frame[i] = NULL; | |
674 | } | |
1969db47 AS |
675 | if (free_self) |
676 | kfree(state); | |
638f5b90 AS |
677 | } |
678 | ||
679 | /* copy verifier state from src to dst growing dst stack space | |
680 | * when necessary to accommodate larger src stack | |
681 | */ | |
f4d7e40a AS |
682 | static int copy_func_state(struct bpf_func_state *dst, |
683 | const struct bpf_func_state *src) | |
638f5b90 AS |
684 | { |
685 | int err; | |
686 | ||
fd978bf7 JS |
687 | err = realloc_func_state(dst, src->allocated_stack, src->acquired_refs, |
688 | false); | |
689 | if (err) | |
690 | return err; | |
691 | memcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs)); | |
692 | err = copy_reference_state(dst, src); | |
638f5b90 AS |
693 | if (err) |
694 | return err; | |
638f5b90 AS |
695 | return copy_stack_state(dst, src); |
696 | } | |
697 | ||
f4d7e40a AS |
698 | static int copy_verifier_state(struct bpf_verifier_state *dst_state, |
699 | const struct bpf_verifier_state *src) | |
700 | { | |
701 | struct bpf_func_state *dst; | |
702 | int i, err; | |
703 | ||
704 | /* if dst has more stack frames then src frame, free them */ | |
705 | for (i = src->curframe + 1; i <= dst_state->curframe; i++) { | |
706 | free_func_state(dst_state->frame[i]); | |
707 | dst_state->frame[i] = NULL; | |
708 | } | |
979d63d5 | 709 | dst_state->speculative = src->speculative; |
f4d7e40a | 710 | dst_state->curframe = src->curframe; |
d83525ca | 711 | dst_state->active_spin_lock = src->active_spin_lock; |
f4d7e40a AS |
712 | for (i = 0; i <= src->curframe; i++) { |
713 | dst = dst_state->frame[i]; | |
714 | if (!dst) { | |
715 | dst = kzalloc(sizeof(*dst), GFP_KERNEL); | |
716 | if (!dst) | |
717 | return -ENOMEM; | |
718 | dst_state->frame[i] = dst; | |
719 | } | |
720 | err = copy_func_state(dst, src->frame[i]); | |
721 | if (err) | |
722 | return err; | |
723 | } | |
724 | return 0; | |
725 | } | |
726 | ||
638f5b90 AS |
727 | static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx, |
728 | int *insn_idx) | |
729 | { | |
730 | struct bpf_verifier_state *cur = env->cur_state; | |
731 | struct bpf_verifier_stack_elem *elem, *head = env->head; | |
732 | int err; | |
17a52670 AS |
733 | |
734 | if (env->head == NULL) | |
638f5b90 | 735 | return -ENOENT; |
17a52670 | 736 | |
638f5b90 AS |
737 | if (cur) { |
738 | err = copy_verifier_state(cur, &head->st); | |
739 | if (err) | |
740 | return err; | |
741 | } | |
742 | if (insn_idx) | |
743 | *insn_idx = head->insn_idx; | |
17a52670 | 744 | if (prev_insn_idx) |
638f5b90 AS |
745 | *prev_insn_idx = head->prev_insn_idx; |
746 | elem = head->next; | |
1969db47 | 747 | free_verifier_state(&head->st, false); |
638f5b90 | 748 | kfree(head); |
17a52670 AS |
749 | env->head = elem; |
750 | env->stack_size--; | |
638f5b90 | 751 | return 0; |
17a52670 AS |
752 | } |
753 | ||
58e2af8b | 754 | static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env, |
979d63d5 DB |
755 | int insn_idx, int prev_insn_idx, |
756 | bool speculative) | |
17a52670 | 757 | { |
638f5b90 | 758 | struct bpf_verifier_state *cur = env->cur_state; |
58e2af8b | 759 | struct bpf_verifier_stack_elem *elem; |
638f5b90 | 760 | int err; |
17a52670 | 761 | |
638f5b90 | 762 | elem = kzalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL); |
17a52670 AS |
763 | if (!elem) |
764 | goto err; | |
765 | ||
17a52670 AS |
766 | elem->insn_idx = insn_idx; |
767 | elem->prev_insn_idx = prev_insn_idx; | |
768 | elem->next = env->head; | |
769 | env->head = elem; | |
770 | env->stack_size++; | |
1969db47 AS |
771 | err = copy_verifier_state(&elem->st, cur); |
772 | if (err) | |
773 | goto err; | |
979d63d5 | 774 | elem->st.speculative |= speculative; |
07016151 | 775 | if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { |
61bd5218 | 776 | verbose(env, "BPF program is too complex\n"); |
17a52670 AS |
777 | goto err; |
778 | } | |
779 | return &elem->st; | |
780 | err: | |
5896351e AS |
781 | free_verifier_state(env->cur_state, true); |
782 | env->cur_state = NULL; | |
17a52670 | 783 | /* pop all elements and return */ |
638f5b90 | 784 | while (!pop_stack(env, NULL, NULL)); |
17a52670 AS |
785 | return NULL; |
786 | } | |
787 | ||
788 | #define CALLER_SAVED_REGS 6 | |
789 | static const int caller_saved[CALLER_SAVED_REGS] = { | |
790 | BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5 | |
791 | }; | |
792 | ||
f1174f77 EC |
793 | static void __mark_reg_not_init(struct bpf_reg_state *reg); |
794 | ||
b03c9f9f EC |
795 | /* Mark the unknown part of a register (variable offset or scalar value) as |
796 | * known to have the value @imm. | |
797 | */ | |
798 | static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm) | |
799 | { | |
a9c676bc AS |
800 | /* Clear id, off, and union(map_ptr, range) */ |
801 | memset(((u8 *)reg) + sizeof(reg->type), 0, | |
802 | offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type)); | |
b03c9f9f EC |
803 | reg->var_off = tnum_const(imm); |
804 | reg->smin_value = (s64)imm; | |
805 | reg->smax_value = (s64)imm; | |
806 | reg->umin_value = imm; | |
807 | reg->umax_value = imm; | |
808 | } | |
809 | ||
f1174f77 EC |
810 | /* Mark the 'variable offset' part of a register as zero. This should be |
811 | * used only on registers holding a pointer type. | |
812 | */ | |
813 | static void __mark_reg_known_zero(struct bpf_reg_state *reg) | |
a9789ef9 | 814 | { |
b03c9f9f | 815 | __mark_reg_known(reg, 0); |
f1174f77 | 816 | } |
a9789ef9 | 817 | |
cc2b14d5 AS |
818 | static void __mark_reg_const_zero(struct bpf_reg_state *reg) |
819 | { | |
820 | __mark_reg_known(reg, 0); | |
cc2b14d5 AS |
821 | reg->type = SCALAR_VALUE; |
822 | } | |
823 | ||
61bd5218 JK |
824 | static void mark_reg_known_zero(struct bpf_verifier_env *env, |
825 | struct bpf_reg_state *regs, u32 regno) | |
f1174f77 EC |
826 | { |
827 | if (WARN_ON(regno >= MAX_BPF_REG)) { | |
61bd5218 | 828 | verbose(env, "mark_reg_known_zero(regs, %u)\n", regno); |
f1174f77 EC |
829 | /* Something bad happened, let's kill all regs */ |
830 | for (regno = 0; regno < MAX_BPF_REG; regno++) | |
831 | __mark_reg_not_init(regs + regno); | |
832 | return; | |
833 | } | |
834 | __mark_reg_known_zero(regs + regno); | |
835 | } | |
836 | ||
de8f3a83 DB |
837 | static bool reg_is_pkt_pointer(const struct bpf_reg_state *reg) |
838 | { | |
839 | return type_is_pkt_pointer(reg->type); | |
840 | } | |
841 | ||
842 | static bool reg_is_pkt_pointer_any(const struct bpf_reg_state *reg) | |
843 | { | |
844 | return reg_is_pkt_pointer(reg) || | |
845 | reg->type == PTR_TO_PACKET_END; | |
846 | } | |
847 | ||
848 | /* Unmodified PTR_TO_PACKET[_META,_END] register from ctx access. */ | |
849 | static bool reg_is_init_pkt_pointer(const struct bpf_reg_state *reg, | |
850 | enum bpf_reg_type which) | |
851 | { | |
852 | /* The register can already have a range from prior markings. | |
853 | * This is fine as long as it hasn't been advanced from its | |
854 | * origin. | |
855 | */ | |
856 | return reg->type == which && | |
857 | reg->id == 0 && | |
858 | reg->off == 0 && | |
859 | tnum_equals_const(reg->var_off, 0); | |
860 | } | |
861 | ||
b03c9f9f EC |
862 | /* Attempts to improve min/max values based on var_off information */ |
863 | static void __update_reg_bounds(struct bpf_reg_state *reg) | |
864 | { | |
865 | /* min signed is max(sign bit) | min(other bits) */ | |
866 | reg->smin_value = max_t(s64, reg->smin_value, | |
867 | reg->var_off.value | (reg->var_off.mask & S64_MIN)); | |
868 | /* max signed is min(sign bit) | max(other bits) */ | |
869 | reg->smax_value = min_t(s64, reg->smax_value, | |
870 | reg->var_off.value | (reg->var_off.mask & S64_MAX)); | |
871 | reg->umin_value = max(reg->umin_value, reg->var_off.value); | |
872 | reg->umax_value = min(reg->umax_value, | |
873 | reg->var_off.value | reg->var_off.mask); | |
874 | } | |
875 | ||
876 | /* Uses signed min/max values to inform unsigned, and vice-versa */ | |
877 | static void __reg_deduce_bounds(struct bpf_reg_state *reg) | |
878 | { | |
879 | /* Learn sign from signed bounds. | |
880 | * If we cannot cross the sign boundary, then signed and unsigned bounds | |
881 | * are the same, so combine. This works even in the negative case, e.g. | |
882 | * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff. | |
883 | */ | |
884 | if (reg->smin_value >= 0 || reg->smax_value < 0) { | |
885 | reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value, | |
886 | reg->umin_value); | |
887 | reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value, | |
888 | reg->umax_value); | |
889 | return; | |
890 | } | |
891 | /* Learn sign from unsigned bounds. Signed bounds cross the sign | |
892 | * boundary, so we must be careful. | |
893 | */ | |
894 | if ((s64)reg->umax_value >= 0) { | |
895 | /* Positive. We can't learn anything from the smin, but smax | |
896 | * is positive, hence safe. | |
897 | */ | |
898 | reg->smin_value = reg->umin_value; | |
899 | reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value, | |
900 | reg->umax_value); | |
901 | } else if ((s64)reg->umin_value < 0) { | |
902 | /* Negative. We can't learn anything from the smax, but smin | |
903 | * is negative, hence safe. | |
904 | */ | |
905 | reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value, | |
906 | reg->umin_value); | |
907 | reg->smax_value = reg->umax_value; | |
908 | } | |
909 | } | |
910 | ||
911 | /* Attempts to improve var_off based on unsigned min/max information */ | |
912 | static void __reg_bound_offset(struct bpf_reg_state *reg) | |
913 | { | |
914 | reg->var_off = tnum_intersect(reg->var_off, | |
915 | tnum_range(reg->umin_value, | |
916 | reg->umax_value)); | |
917 | } | |
918 | ||
919 | /* Reset the min/max bounds of a register */ | |
920 | static void __mark_reg_unbounded(struct bpf_reg_state *reg) | |
921 | { | |
922 | reg->smin_value = S64_MIN; | |
923 | reg->smax_value = S64_MAX; | |
924 | reg->umin_value = 0; | |
925 | reg->umax_value = U64_MAX; | |
926 | } | |
927 | ||
f1174f77 EC |
928 | /* Mark a register as having a completely unknown (scalar) value. */ |
929 | static void __mark_reg_unknown(struct bpf_reg_state *reg) | |
930 | { | |
a9c676bc AS |
931 | /* |
932 | * Clear type, id, off, and union(map_ptr, range) and | |
933 | * padding between 'type' and union | |
934 | */ | |
935 | memset(reg, 0, offsetof(struct bpf_reg_state, var_off)); | |
f1174f77 | 936 | reg->type = SCALAR_VALUE; |
f1174f77 | 937 | reg->var_off = tnum_unknown; |
f4d7e40a | 938 | reg->frameno = 0; |
b03c9f9f | 939 | __mark_reg_unbounded(reg); |
f1174f77 EC |
940 | } |
941 | ||
61bd5218 JK |
942 | static void mark_reg_unknown(struct bpf_verifier_env *env, |
943 | struct bpf_reg_state *regs, u32 regno) | |
f1174f77 EC |
944 | { |
945 | if (WARN_ON(regno >= MAX_BPF_REG)) { | |
61bd5218 | 946 | verbose(env, "mark_reg_unknown(regs, %u)\n", regno); |
19ceb417 AS |
947 | /* Something bad happened, let's kill all regs except FP */ |
948 | for (regno = 0; regno < BPF_REG_FP; regno++) | |
f1174f77 EC |
949 | __mark_reg_not_init(regs + regno); |
950 | return; | |
951 | } | |
952 | __mark_reg_unknown(regs + regno); | |
953 | } | |
954 | ||
955 | static void __mark_reg_not_init(struct bpf_reg_state *reg) | |
956 | { | |
957 | __mark_reg_unknown(reg); | |
958 | reg->type = NOT_INIT; | |
959 | } | |
960 | ||
61bd5218 JK |
961 | static void mark_reg_not_init(struct bpf_verifier_env *env, |
962 | struct bpf_reg_state *regs, u32 regno) | |
f1174f77 EC |
963 | { |
964 | if (WARN_ON(regno >= MAX_BPF_REG)) { | |
61bd5218 | 965 | verbose(env, "mark_reg_not_init(regs, %u)\n", regno); |
19ceb417 AS |
966 | /* Something bad happened, let's kill all regs except FP */ |
967 | for (regno = 0; regno < BPF_REG_FP; regno++) | |
f1174f77 EC |
968 | __mark_reg_not_init(regs + regno); |
969 | return; | |
970 | } | |
971 | __mark_reg_not_init(regs + regno); | |
a9789ef9 DB |
972 | } |
973 | ||
61bd5218 | 974 | static void init_reg_state(struct bpf_verifier_env *env, |
f4d7e40a | 975 | struct bpf_func_state *state) |
17a52670 | 976 | { |
f4d7e40a | 977 | struct bpf_reg_state *regs = state->regs; |
17a52670 AS |
978 | int i; |
979 | ||
dc503a8a | 980 | for (i = 0; i < MAX_BPF_REG; i++) { |
61bd5218 | 981 | mark_reg_not_init(env, regs, i); |
dc503a8a | 982 | regs[i].live = REG_LIVE_NONE; |
679c782d | 983 | regs[i].parent = NULL; |
dc503a8a | 984 | } |
17a52670 AS |
985 | |
986 | /* frame pointer */ | |
f1174f77 | 987 | regs[BPF_REG_FP].type = PTR_TO_STACK; |
61bd5218 | 988 | mark_reg_known_zero(env, regs, BPF_REG_FP); |
f4d7e40a | 989 | regs[BPF_REG_FP].frameno = state->frameno; |
17a52670 AS |
990 | |
991 | /* 1st arg to a function */ | |
992 | regs[BPF_REG_1].type = PTR_TO_CTX; | |
61bd5218 | 993 | mark_reg_known_zero(env, regs, BPF_REG_1); |
6760bf2d DB |
994 | } |
995 | ||
f4d7e40a AS |
996 | #define BPF_MAIN_FUNC (-1) |
997 | static void init_func_state(struct bpf_verifier_env *env, | |
998 | struct bpf_func_state *state, | |
999 | int callsite, int frameno, int subprogno) | |
1000 | { | |
1001 | state->callsite = callsite; | |
1002 | state->frameno = frameno; | |
1003 | state->subprogno = subprogno; | |
1004 | init_reg_state(env, state); | |
1005 | } | |
1006 | ||
17a52670 AS |
1007 | enum reg_arg_type { |
1008 | SRC_OP, /* register is used as source operand */ | |
1009 | DST_OP, /* register is used as destination operand */ | |
1010 | DST_OP_NO_MARK /* same as above, check only, don't mark */ | |
1011 | }; | |
1012 | ||
cc8b0b92 AS |
1013 | static int cmp_subprogs(const void *a, const void *b) |
1014 | { | |
9c8105bd JW |
1015 | return ((struct bpf_subprog_info *)a)->start - |
1016 | ((struct bpf_subprog_info *)b)->start; | |
cc8b0b92 AS |
1017 | } |
1018 | ||
1019 | static int find_subprog(struct bpf_verifier_env *env, int off) | |
1020 | { | |
9c8105bd | 1021 | struct bpf_subprog_info *p; |
cc8b0b92 | 1022 | |
9c8105bd JW |
1023 | p = bsearch(&off, env->subprog_info, env->subprog_cnt, |
1024 | sizeof(env->subprog_info[0]), cmp_subprogs); | |
cc8b0b92 AS |
1025 | if (!p) |
1026 | return -ENOENT; | |
9c8105bd | 1027 | return p - env->subprog_info; |
cc8b0b92 AS |
1028 | |
1029 | } | |
1030 | ||
1031 | static int add_subprog(struct bpf_verifier_env *env, int off) | |
1032 | { | |
1033 | int insn_cnt = env->prog->len; | |
1034 | int ret; | |
1035 | ||
1036 | if (off >= insn_cnt || off < 0) { | |
1037 | verbose(env, "call to invalid destination\n"); | |
1038 | return -EINVAL; | |
1039 | } | |
1040 | ret = find_subprog(env, off); | |
1041 | if (ret >= 0) | |
1042 | return 0; | |
4cb3d99c | 1043 | if (env->subprog_cnt >= BPF_MAX_SUBPROGS) { |
cc8b0b92 AS |
1044 | verbose(env, "too many subprograms\n"); |
1045 | return -E2BIG; | |
1046 | } | |
9c8105bd JW |
1047 | env->subprog_info[env->subprog_cnt++].start = off; |
1048 | sort(env->subprog_info, env->subprog_cnt, | |
1049 | sizeof(env->subprog_info[0]), cmp_subprogs, NULL); | |
cc8b0b92 AS |
1050 | return 0; |
1051 | } | |
1052 | ||
1053 | static int check_subprogs(struct bpf_verifier_env *env) | |
1054 | { | |
1055 | int i, ret, subprog_start, subprog_end, off, cur_subprog = 0; | |
9c8105bd | 1056 | struct bpf_subprog_info *subprog = env->subprog_info; |
cc8b0b92 AS |
1057 | struct bpf_insn *insn = env->prog->insnsi; |
1058 | int insn_cnt = env->prog->len; | |
1059 | ||
f910cefa JW |
1060 | /* Add entry function. */ |
1061 | ret = add_subprog(env, 0); | |
1062 | if (ret < 0) | |
1063 | return ret; | |
1064 | ||
cc8b0b92 AS |
1065 | /* determine subprog starts. The end is one before the next starts */ |
1066 | for (i = 0; i < insn_cnt; i++) { | |
1067 | if (insn[i].code != (BPF_JMP | BPF_CALL)) | |
1068 | continue; | |
1069 | if (insn[i].src_reg != BPF_PSEUDO_CALL) | |
1070 | continue; | |
1071 | if (!env->allow_ptr_leaks) { | |
1072 | verbose(env, "function calls to other bpf functions are allowed for root only\n"); | |
1073 | return -EPERM; | |
1074 | } | |
cc8b0b92 AS |
1075 | ret = add_subprog(env, i + insn[i].imm + 1); |
1076 | if (ret < 0) | |
1077 | return ret; | |
1078 | } | |
1079 | ||
4cb3d99c JW |
1080 | /* Add a fake 'exit' subprog which could simplify subprog iteration |
1081 | * logic. 'subprog_cnt' should not be increased. | |
1082 | */ | |
1083 | subprog[env->subprog_cnt].start = insn_cnt; | |
1084 | ||
cc8b0b92 AS |
1085 | if (env->log.level > 1) |
1086 | for (i = 0; i < env->subprog_cnt; i++) | |
9c8105bd | 1087 | verbose(env, "func#%d @%d\n", i, subprog[i].start); |
cc8b0b92 AS |
1088 | |
1089 | /* now check that all jumps are within the same subprog */ | |
4cb3d99c JW |
1090 | subprog_start = subprog[cur_subprog].start; |
1091 | subprog_end = subprog[cur_subprog + 1].start; | |
cc8b0b92 AS |
1092 | for (i = 0; i < insn_cnt; i++) { |
1093 | u8 code = insn[i].code; | |
1094 | ||
092ed096 | 1095 | if (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32) |
cc8b0b92 AS |
1096 | goto next; |
1097 | if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL) | |
1098 | goto next; | |
1099 | off = i + insn[i].off + 1; | |
1100 | if (off < subprog_start || off >= subprog_end) { | |
1101 | verbose(env, "jump out of range from insn %d to %d\n", i, off); | |
1102 | return -EINVAL; | |
1103 | } | |
1104 | next: | |
1105 | if (i == subprog_end - 1) { | |
1106 | /* to avoid fall-through from one subprog into another | |
1107 | * the last insn of the subprog should be either exit | |
1108 | * or unconditional jump back | |
1109 | */ | |
1110 | if (code != (BPF_JMP | BPF_EXIT) && | |
1111 | code != (BPF_JMP | BPF_JA)) { | |
1112 | verbose(env, "last insn is not an exit or jmp\n"); | |
1113 | return -EINVAL; | |
1114 | } | |
1115 | subprog_start = subprog_end; | |
4cb3d99c JW |
1116 | cur_subprog++; |
1117 | if (cur_subprog < env->subprog_cnt) | |
9c8105bd | 1118 | subprog_end = subprog[cur_subprog + 1].start; |
cc8b0b92 AS |
1119 | } |
1120 | } | |
1121 | return 0; | |
1122 | } | |
1123 | ||
679c782d EC |
1124 | /* Parentage chain of this register (or stack slot) should take care of all |
1125 | * issues like callee-saved registers, stack slot allocation time, etc. | |
1126 | */ | |
f4d7e40a | 1127 | static int mark_reg_read(struct bpf_verifier_env *env, |
679c782d EC |
1128 | const struct bpf_reg_state *state, |
1129 | struct bpf_reg_state *parent) | |
f4d7e40a AS |
1130 | { |
1131 | bool writes = parent == state->parent; /* Observe write marks */ | |
dc503a8a EC |
1132 | |
1133 | while (parent) { | |
1134 | /* if read wasn't screened by an earlier write ... */ | |
679c782d | 1135 | if (writes && state->live & REG_LIVE_WRITTEN) |
dc503a8a | 1136 | break; |
9242b5f5 AS |
1137 | if (parent->live & REG_LIVE_DONE) { |
1138 | verbose(env, "verifier BUG type %s var_off %lld off %d\n", | |
1139 | reg_type_str[parent->type], | |
1140 | parent->var_off.value, parent->off); | |
1141 | return -EFAULT; | |
1142 | } | |
dc503a8a | 1143 | /* ... then we depend on parent's value */ |
679c782d | 1144 | parent->live |= REG_LIVE_READ; |
dc503a8a EC |
1145 | state = parent; |
1146 | parent = state->parent; | |
f4d7e40a | 1147 | writes = true; |
dc503a8a | 1148 | } |
f4d7e40a | 1149 | return 0; |
dc503a8a EC |
1150 | } |
1151 | ||
1152 | static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, | |
17a52670 AS |
1153 | enum reg_arg_type t) |
1154 | { | |
f4d7e40a AS |
1155 | struct bpf_verifier_state *vstate = env->cur_state; |
1156 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
1157 | struct bpf_reg_state *regs = state->regs; | |
dc503a8a | 1158 | |
17a52670 | 1159 | if (regno >= MAX_BPF_REG) { |
61bd5218 | 1160 | verbose(env, "R%d is invalid\n", regno); |
17a52670 AS |
1161 | return -EINVAL; |
1162 | } | |
1163 | ||
1164 | if (t == SRC_OP) { | |
1165 | /* check whether register used as source operand can be read */ | |
1166 | if (regs[regno].type == NOT_INIT) { | |
61bd5218 | 1167 | verbose(env, "R%d !read_ok\n", regno); |
17a52670 AS |
1168 | return -EACCES; |
1169 | } | |
679c782d EC |
1170 | /* We don't need to worry about FP liveness because it's read-only */ |
1171 | if (regno != BPF_REG_FP) | |
1172 | return mark_reg_read(env, ®s[regno], | |
1173 | regs[regno].parent); | |
17a52670 AS |
1174 | } else { |
1175 | /* check whether register used as dest operand can be written to */ | |
1176 | if (regno == BPF_REG_FP) { | |
61bd5218 | 1177 | verbose(env, "frame pointer is read only\n"); |
17a52670 AS |
1178 | return -EACCES; |
1179 | } | |
dc503a8a | 1180 | regs[regno].live |= REG_LIVE_WRITTEN; |
17a52670 | 1181 | if (t == DST_OP) |
61bd5218 | 1182 | mark_reg_unknown(env, regs, regno); |
17a52670 AS |
1183 | } |
1184 | return 0; | |
1185 | } | |
1186 | ||
1be7f75d AS |
1187 | static bool is_spillable_regtype(enum bpf_reg_type type) |
1188 | { | |
1189 | switch (type) { | |
1190 | case PTR_TO_MAP_VALUE: | |
1191 | case PTR_TO_MAP_VALUE_OR_NULL: | |
1192 | case PTR_TO_STACK: | |
1193 | case PTR_TO_CTX: | |
969bf05e | 1194 | case PTR_TO_PACKET: |
de8f3a83 | 1195 | case PTR_TO_PACKET_META: |
969bf05e | 1196 | case PTR_TO_PACKET_END: |
d58e468b | 1197 | case PTR_TO_FLOW_KEYS: |
1be7f75d | 1198 | case CONST_PTR_TO_MAP: |
c64b7983 JS |
1199 | case PTR_TO_SOCKET: |
1200 | case PTR_TO_SOCKET_OR_NULL: | |
46f8bc92 MKL |
1201 | case PTR_TO_SOCK_COMMON: |
1202 | case PTR_TO_SOCK_COMMON_OR_NULL: | |
655a51e5 MKL |
1203 | case PTR_TO_TCP_SOCK: |
1204 | case PTR_TO_TCP_SOCK_OR_NULL: | |
1be7f75d AS |
1205 | return true; |
1206 | default: | |
1207 | return false; | |
1208 | } | |
1209 | } | |
1210 | ||
cc2b14d5 AS |
1211 | /* Does this register contain a constant zero? */ |
1212 | static bool register_is_null(struct bpf_reg_state *reg) | |
1213 | { | |
1214 | return reg->type == SCALAR_VALUE && tnum_equals_const(reg->var_off, 0); | |
1215 | } | |
1216 | ||
17a52670 AS |
1217 | /* check_stack_read/write functions track spill/fill of registers, |
1218 | * stack boundary and alignment are checked in check_mem_access() | |
1219 | */ | |
61bd5218 | 1220 | static int check_stack_write(struct bpf_verifier_env *env, |
f4d7e40a | 1221 | struct bpf_func_state *state, /* func where register points to */ |
af86ca4e | 1222 | int off, int size, int value_regno, int insn_idx) |
17a52670 | 1223 | { |
f4d7e40a | 1224 | struct bpf_func_state *cur; /* state of the current function */ |
638f5b90 | 1225 | int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; |
f4d7e40a | 1226 | enum bpf_reg_type type; |
638f5b90 | 1227 | |
f4d7e40a | 1228 | err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE), |
fd978bf7 | 1229 | state->acquired_refs, true); |
638f5b90 AS |
1230 | if (err) |
1231 | return err; | |
9c399760 AS |
1232 | /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, |
1233 | * so it's aligned access and [off, off + size) are within stack limits | |
1234 | */ | |
638f5b90 AS |
1235 | if (!env->allow_ptr_leaks && |
1236 | state->stack[spi].slot_type[0] == STACK_SPILL && | |
1237 | size != BPF_REG_SIZE) { | |
1238 | verbose(env, "attempt to corrupt spilled pointer on stack\n"); | |
1239 | return -EACCES; | |
1240 | } | |
17a52670 | 1241 | |
f4d7e40a | 1242 | cur = env->cur_state->frame[env->cur_state->curframe]; |
17a52670 | 1243 | if (value_regno >= 0 && |
f4d7e40a | 1244 | is_spillable_regtype((type = cur->regs[value_regno].type))) { |
17a52670 AS |
1245 | |
1246 | /* register containing pointer is being spilled into stack */ | |
9c399760 | 1247 | if (size != BPF_REG_SIZE) { |
61bd5218 | 1248 | verbose(env, "invalid size of register spill\n"); |
17a52670 AS |
1249 | return -EACCES; |
1250 | } | |
1251 | ||
f4d7e40a AS |
1252 | if (state != cur && type == PTR_TO_STACK) { |
1253 | verbose(env, "cannot spill pointers to stack into stack frame of the caller\n"); | |
1254 | return -EINVAL; | |
1255 | } | |
1256 | ||
17a52670 | 1257 | /* save register state */ |
f4d7e40a | 1258 | state->stack[spi].spilled_ptr = cur->regs[value_regno]; |
638f5b90 | 1259 | state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; |
17a52670 | 1260 | |
af86ca4e AS |
1261 | for (i = 0; i < BPF_REG_SIZE; i++) { |
1262 | if (state->stack[spi].slot_type[i] == STACK_MISC && | |
1263 | !env->allow_ptr_leaks) { | |
1264 | int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off; | |
1265 | int soff = (-spi - 1) * BPF_REG_SIZE; | |
1266 | ||
1267 | /* detected reuse of integer stack slot with a pointer | |
1268 | * which means either llvm is reusing stack slot or | |
1269 | * an attacker is trying to exploit CVE-2018-3639 | |
1270 | * (speculative store bypass) | |
1271 | * Have to sanitize that slot with preemptive | |
1272 | * store of zero. | |
1273 | */ | |
1274 | if (*poff && *poff != soff) { | |
1275 | /* disallow programs where single insn stores | |
1276 | * into two different stack slots, since verifier | |
1277 | * cannot sanitize them | |
1278 | */ | |
1279 | verbose(env, | |
1280 | "insn %d cannot access two stack slots fp%d and fp%d", | |
1281 | insn_idx, *poff, soff); | |
1282 | return -EINVAL; | |
1283 | } | |
1284 | *poff = soff; | |
1285 | } | |
638f5b90 | 1286 | state->stack[spi].slot_type[i] = STACK_SPILL; |
af86ca4e | 1287 | } |
9c399760 | 1288 | } else { |
cc2b14d5 AS |
1289 | u8 type = STACK_MISC; |
1290 | ||
679c782d EC |
1291 | /* regular write of data into stack destroys any spilled ptr */ |
1292 | state->stack[spi].spilled_ptr.type = NOT_INIT; | |
0bae2d4d JW |
1293 | /* Mark slots as STACK_MISC if they belonged to spilled ptr. */ |
1294 | if (state->stack[spi].slot_type[0] == STACK_SPILL) | |
1295 | for (i = 0; i < BPF_REG_SIZE; i++) | |
1296 | state->stack[spi].slot_type[i] = STACK_MISC; | |
9c399760 | 1297 | |
cc2b14d5 AS |
1298 | /* only mark the slot as written if all 8 bytes were written |
1299 | * otherwise read propagation may incorrectly stop too soon | |
1300 | * when stack slots are partially written. | |
1301 | * This heuristic means that read propagation will be | |
1302 | * conservative, since it will add reg_live_read marks | |
1303 | * to stack slots all the way to first state when programs | |
1304 | * writes+reads less than 8 bytes | |
1305 | */ | |
1306 | if (size == BPF_REG_SIZE) | |
1307 | state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; | |
1308 | ||
1309 | /* when we zero initialize stack slots mark them as such */ | |
1310 | if (value_regno >= 0 && | |
1311 | register_is_null(&cur->regs[value_regno])) | |
1312 | type = STACK_ZERO; | |
1313 | ||
0bae2d4d | 1314 | /* Mark slots affected by this stack write. */ |
9c399760 | 1315 | for (i = 0; i < size; i++) |
638f5b90 | 1316 | state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = |
cc2b14d5 | 1317 | type; |
17a52670 AS |
1318 | } |
1319 | return 0; | |
1320 | } | |
1321 | ||
61bd5218 | 1322 | static int check_stack_read(struct bpf_verifier_env *env, |
f4d7e40a AS |
1323 | struct bpf_func_state *reg_state /* func where register points to */, |
1324 | int off, int size, int value_regno) | |
17a52670 | 1325 | { |
f4d7e40a AS |
1326 | struct bpf_verifier_state *vstate = env->cur_state; |
1327 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
638f5b90 AS |
1328 | int i, slot = -off - 1, spi = slot / BPF_REG_SIZE; |
1329 | u8 *stype; | |
17a52670 | 1330 | |
f4d7e40a | 1331 | if (reg_state->allocated_stack <= slot) { |
638f5b90 AS |
1332 | verbose(env, "invalid read from stack off %d+0 size %d\n", |
1333 | off, size); | |
1334 | return -EACCES; | |
1335 | } | |
f4d7e40a | 1336 | stype = reg_state->stack[spi].slot_type; |
17a52670 | 1337 | |
638f5b90 | 1338 | if (stype[0] == STACK_SPILL) { |
9c399760 | 1339 | if (size != BPF_REG_SIZE) { |
61bd5218 | 1340 | verbose(env, "invalid size of register spill\n"); |
17a52670 AS |
1341 | return -EACCES; |
1342 | } | |
9c399760 | 1343 | for (i = 1; i < BPF_REG_SIZE; i++) { |
638f5b90 | 1344 | if (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) { |
61bd5218 | 1345 | verbose(env, "corrupted spill memory\n"); |
17a52670 AS |
1346 | return -EACCES; |
1347 | } | |
1348 | } | |
1349 | ||
dc503a8a | 1350 | if (value_regno >= 0) { |
17a52670 | 1351 | /* restore register state from stack */ |
f4d7e40a | 1352 | state->regs[value_regno] = reg_state->stack[spi].spilled_ptr; |
2f18f62e AS |
1353 | /* mark reg as written since spilled pointer state likely |
1354 | * has its liveness marks cleared by is_state_visited() | |
1355 | * which resets stack/reg liveness for state transitions | |
1356 | */ | |
1357 | state->regs[value_regno].live |= REG_LIVE_WRITTEN; | |
dc503a8a | 1358 | } |
679c782d EC |
1359 | mark_reg_read(env, ®_state->stack[spi].spilled_ptr, |
1360 | reg_state->stack[spi].spilled_ptr.parent); | |
17a52670 AS |
1361 | return 0; |
1362 | } else { | |
cc2b14d5 AS |
1363 | int zeros = 0; |
1364 | ||
17a52670 | 1365 | for (i = 0; i < size; i++) { |
cc2b14d5 AS |
1366 | if (stype[(slot - i) % BPF_REG_SIZE] == STACK_MISC) |
1367 | continue; | |
1368 | if (stype[(slot - i) % BPF_REG_SIZE] == STACK_ZERO) { | |
1369 | zeros++; | |
1370 | continue; | |
17a52670 | 1371 | } |
cc2b14d5 AS |
1372 | verbose(env, "invalid read from stack off %d+%d size %d\n", |
1373 | off, i, size); | |
1374 | return -EACCES; | |
1375 | } | |
679c782d EC |
1376 | mark_reg_read(env, ®_state->stack[spi].spilled_ptr, |
1377 | reg_state->stack[spi].spilled_ptr.parent); | |
cc2b14d5 AS |
1378 | if (value_regno >= 0) { |
1379 | if (zeros == size) { | |
1380 | /* any size read into register is zero extended, | |
1381 | * so the whole register == const_zero | |
1382 | */ | |
1383 | __mark_reg_const_zero(&state->regs[value_regno]); | |
1384 | } else { | |
1385 | /* have read misc data from the stack */ | |
1386 | mark_reg_unknown(env, state->regs, value_regno); | |
1387 | } | |
1388 | state->regs[value_regno].live |= REG_LIVE_WRITTEN; | |
17a52670 | 1389 | } |
17a52670 AS |
1390 | return 0; |
1391 | } | |
1392 | } | |
1393 | ||
e4298d25 DB |
1394 | static int check_stack_access(struct bpf_verifier_env *env, |
1395 | const struct bpf_reg_state *reg, | |
1396 | int off, int size) | |
1397 | { | |
1398 | /* Stack accesses must be at a fixed offset, so that we | |
1399 | * can determine what type of data were returned. See | |
1400 | * check_stack_read(). | |
1401 | */ | |
1402 | if (!tnum_is_const(reg->var_off)) { | |
1403 | char tn_buf[48]; | |
1404 | ||
1405 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
1406 | verbose(env, "variable stack access var_off=%s off=%d size=%d", | |
1407 | tn_buf, off, size); | |
1408 | return -EACCES; | |
1409 | } | |
1410 | ||
1411 | if (off >= 0 || off < -MAX_BPF_STACK) { | |
1412 | verbose(env, "invalid stack off=%d size=%d\n", off, size); | |
1413 | return -EACCES; | |
1414 | } | |
1415 | ||
1416 | return 0; | |
1417 | } | |
1418 | ||
17a52670 | 1419 | /* check read/write into map element returned by bpf_map_lookup_elem() */ |
f1174f77 | 1420 | static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off, |
9fd29c08 | 1421 | int size, bool zero_size_allowed) |
17a52670 | 1422 | { |
638f5b90 AS |
1423 | struct bpf_reg_state *regs = cur_regs(env); |
1424 | struct bpf_map *map = regs[regno].map_ptr; | |
17a52670 | 1425 | |
9fd29c08 YS |
1426 | if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) || |
1427 | off + size > map->value_size) { | |
61bd5218 | 1428 | verbose(env, "invalid access to map value, value_size=%d off=%d size=%d\n", |
17a52670 AS |
1429 | map->value_size, off, size); |
1430 | return -EACCES; | |
1431 | } | |
1432 | return 0; | |
1433 | } | |
1434 | ||
f1174f77 EC |
1435 | /* check read/write into a map element with possible variable offset */ |
1436 | static int check_map_access(struct bpf_verifier_env *env, u32 regno, | |
9fd29c08 | 1437 | int off, int size, bool zero_size_allowed) |
dbcfe5f7 | 1438 | { |
f4d7e40a AS |
1439 | struct bpf_verifier_state *vstate = env->cur_state; |
1440 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
dbcfe5f7 GB |
1441 | struct bpf_reg_state *reg = &state->regs[regno]; |
1442 | int err; | |
1443 | ||
f1174f77 EC |
1444 | /* We may have adjusted the register to this map value, so we |
1445 | * need to try adding each of min_value and max_value to off | |
1446 | * to make sure our theoretical access will be safe. | |
dbcfe5f7 | 1447 | */ |
61bd5218 JK |
1448 | if (env->log.level) |
1449 | print_verifier_state(env, state); | |
b7137c4e | 1450 | |
dbcfe5f7 GB |
1451 | /* The minimum value is only important with signed |
1452 | * comparisons where we can't assume the floor of a | |
1453 | * value is 0. If we are using signed variables for our | |
1454 | * index'es we need to make sure that whatever we use | |
1455 | * will have a set floor within our range. | |
1456 | */ | |
b7137c4e DB |
1457 | if (reg->smin_value < 0 && |
1458 | (reg->smin_value == S64_MIN || | |
1459 | (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) || | |
1460 | reg->smin_value + off < 0)) { | |
61bd5218 | 1461 | verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
dbcfe5f7 GB |
1462 | regno); |
1463 | return -EACCES; | |
1464 | } | |
9fd29c08 YS |
1465 | err = __check_map_access(env, regno, reg->smin_value + off, size, |
1466 | zero_size_allowed); | |
dbcfe5f7 | 1467 | if (err) { |
61bd5218 JK |
1468 | verbose(env, "R%d min value is outside of the array range\n", |
1469 | regno); | |
dbcfe5f7 GB |
1470 | return err; |
1471 | } | |
1472 | ||
b03c9f9f EC |
1473 | /* If we haven't set a max value then we need to bail since we can't be |
1474 | * sure we won't do bad things. | |
1475 | * If reg->umax_value + off could overflow, treat that as unbounded too. | |
dbcfe5f7 | 1476 | */ |
b03c9f9f | 1477 | if (reg->umax_value >= BPF_MAX_VAR_OFF) { |
61bd5218 | 1478 | verbose(env, "R%d unbounded memory access, make sure to bounds check any array access into a map\n", |
dbcfe5f7 GB |
1479 | regno); |
1480 | return -EACCES; | |
1481 | } | |
9fd29c08 YS |
1482 | err = __check_map_access(env, regno, reg->umax_value + off, size, |
1483 | zero_size_allowed); | |
f1174f77 | 1484 | if (err) |
61bd5218 JK |
1485 | verbose(env, "R%d max value is outside of the array range\n", |
1486 | regno); | |
d83525ca AS |
1487 | |
1488 | if (map_value_has_spin_lock(reg->map_ptr)) { | |
1489 | u32 lock = reg->map_ptr->spin_lock_off; | |
1490 | ||
1491 | /* if any part of struct bpf_spin_lock can be touched by | |
1492 | * load/store reject this program. | |
1493 | * To check that [x1, x2) overlaps with [y1, y2) | |
1494 | * it is sufficient to check x1 < y2 && y1 < x2. | |
1495 | */ | |
1496 | if (reg->smin_value + off < lock + sizeof(struct bpf_spin_lock) && | |
1497 | lock < reg->umax_value + off + size) { | |
1498 | verbose(env, "bpf_spin_lock cannot be accessed directly by load/store\n"); | |
1499 | return -EACCES; | |
1500 | } | |
1501 | } | |
f1174f77 | 1502 | return err; |
dbcfe5f7 GB |
1503 | } |
1504 | ||
969bf05e AS |
1505 | #define MAX_PACKET_OFF 0xffff |
1506 | ||
58e2af8b | 1507 | static bool may_access_direct_pkt_data(struct bpf_verifier_env *env, |
3a0af8fd TG |
1508 | const struct bpf_call_arg_meta *meta, |
1509 | enum bpf_access_type t) | |
4acf6c0b | 1510 | { |
36bbef52 | 1511 | switch (env->prog->type) { |
5d66fa7d | 1512 | /* Program types only with direct read access go here! */ |
3a0af8fd TG |
1513 | case BPF_PROG_TYPE_LWT_IN: |
1514 | case BPF_PROG_TYPE_LWT_OUT: | |
004d4b27 | 1515 | case BPF_PROG_TYPE_LWT_SEG6LOCAL: |
2dbb9b9e | 1516 | case BPF_PROG_TYPE_SK_REUSEPORT: |
5d66fa7d | 1517 | case BPF_PROG_TYPE_FLOW_DISSECTOR: |
d5563d36 | 1518 | case BPF_PROG_TYPE_CGROUP_SKB: |
3a0af8fd TG |
1519 | if (t == BPF_WRITE) |
1520 | return false; | |
7e57fbb2 | 1521 | /* fallthrough */ |
5d66fa7d DB |
1522 | |
1523 | /* Program types with direct read + write access go here! */ | |
36bbef52 DB |
1524 | case BPF_PROG_TYPE_SCHED_CLS: |
1525 | case BPF_PROG_TYPE_SCHED_ACT: | |
4acf6c0b | 1526 | case BPF_PROG_TYPE_XDP: |
3a0af8fd | 1527 | case BPF_PROG_TYPE_LWT_XMIT: |
8a31db56 | 1528 | case BPF_PROG_TYPE_SK_SKB: |
4f738adb | 1529 | case BPF_PROG_TYPE_SK_MSG: |
36bbef52 DB |
1530 | if (meta) |
1531 | return meta->pkt_access; | |
1532 | ||
1533 | env->seen_direct_write = true; | |
4acf6c0b BB |
1534 | return true; |
1535 | default: | |
1536 | return false; | |
1537 | } | |
1538 | } | |
1539 | ||
f1174f77 | 1540 | static int __check_packet_access(struct bpf_verifier_env *env, u32 regno, |
9fd29c08 | 1541 | int off, int size, bool zero_size_allowed) |
969bf05e | 1542 | { |
638f5b90 | 1543 | struct bpf_reg_state *regs = cur_regs(env); |
58e2af8b | 1544 | struct bpf_reg_state *reg = ®s[regno]; |
969bf05e | 1545 | |
9fd29c08 YS |
1546 | if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) || |
1547 | (u64)off + size > reg->range) { | |
61bd5218 | 1548 | verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", |
d91b28ed | 1549 | off, size, regno, reg->id, reg->off, reg->range); |
969bf05e AS |
1550 | return -EACCES; |
1551 | } | |
1552 | return 0; | |
1553 | } | |
1554 | ||
f1174f77 | 1555 | static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, |
9fd29c08 | 1556 | int size, bool zero_size_allowed) |
f1174f77 | 1557 | { |
638f5b90 | 1558 | struct bpf_reg_state *regs = cur_regs(env); |
f1174f77 EC |
1559 | struct bpf_reg_state *reg = ®s[regno]; |
1560 | int err; | |
1561 | ||
1562 | /* We may have added a variable offset to the packet pointer; but any | |
1563 | * reg->range we have comes after that. We are only checking the fixed | |
1564 | * offset. | |
1565 | */ | |
1566 | ||
1567 | /* We don't allow negative numbers, because we aren't tracking enough | |
1568 | * detail to prove they're safe. | |
1569 | */ | |
b03c9f9f | 1570 | if (reg->smin_value < 0) { |
61bd5218 | 1571 | verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
f1174f77 EC |
1572 | regno); |
1573 | return -EACCES; | |
1574 | } | |
9fd29c08 | 1575 | err = __check_packet_access(env, regno, off, size, zero_size_allowed); |
f1174f77 | 1576 | if (err) { |
61bd5218 | 1577 | verbose(env, "R%d offset is outside of the packet\n", regno); |
f1174f77 EC |
1578 | return err; |
1579 | } | |
e647815a JW |
1580 | |
1581 | /* __check_packet_access has made sure "off + size - 1" is within u16. | |
1582 | * reg->umax_value can't be bigger than MAX_PACKET_OFF which is 0xffff, | |
1583 | * otherwise find_good_pkt_pointers would have refused to set range info | |
1584 | * that __check_packet_access would have rejected this pkt access. | |
1585 | * Therefore, "off + reg->umax_value + size - 1" won't overflow u32. | |
1586 | */ | |
1587 | env->prog->aux->max_pkt_offset = | |
1588 | max_t(u32, env->prog->aux->max_pkt_offset, | |
1589 | off + reg->umax_value + size - 1); | |
1590 | ||
f1174f77 EC |
1591 | return err; |
1592 | } | |
1593 | ||
1594 | /* check access to 'struct bpf_context' fields. Supports fixed offsets only */ | |
31fd8581 | 1595 | static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size, |
19de99f7 | 1596 | enum bpf_access_type t, enum bpf_reg_type *reg_type) |
17a52670 | 1597 | { |
f96da094 DB |
1598 | struct bpf_insn_access_aux info = { |
1599 | .reg_type = *reg_type, | |
1600 | }; | |
31fd8581 | 1601 | |
4f9218aa | 1602 | if (env->ops->is_valid_access && |
5e43f899 | 1603 | env->ops->is_valid_access(off, size, t, env->prog, &info)) { |
f96da094 DB |
1604 | /* A non zero info.ctx_field_size indicates that this field is a |
1605 | * candidate for later verifier transformation to load the whole | |
1606 | * field and then apply a mask when accessed with a narrower | |
1607 | * access than actual ctx access size. A zero info.ctx_field_size | |
1608 | * will only allow for whole field access and rejects any other | |
1609 | * type of narrower access. | |
31fd8581 | 1610 | */ |
23994631 | 1611 | *reg_type = info.reg_type; |
31fd8581 | 1612 | |
4f9218aa | 1613 | env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size; |
32bbe007 AS |
1614 | /* remember the offset of last byte accessed in ctx */ |
1615 | if (env->prog->aux->max_ctx_offset < off + size) | |
1616 | env->prog->aux->max_ctx_offset = off + size; | |
17a52670 | 1617 | return 0; |
32bbe007 | 1618 | } |
17a52670 | 1619 | |
61bd5218 | 1620 | verbose(env, "invalid bpf_context access off=%d size=%d\n", off, size); |
17a52670 AS |
1621 | return -EACCES; |
1622 | } | |
1623 | ||
d58e468b PP |
1624 | static int check_flow_keys_access(struct bpf_verifier_env *env, int off, |
1625 | int size) | |
1626 | { | |
1627 | if (size < 0 || off < 0 || | |
1628 | (u64)off + size > sizeof(struct bpf_flow_keys)) { | |
1629 | verbose(env, "invalid access to flow keys off=%d size=%d\n", | |
1630 | off, size); | |
1631 | return -EACCES; | |
1632 | } | |
1633 | return 0; | |
1634 | } | |
1635 | ||
5f456649 MKL |
1636 | static int check_sock_access(struct bpf_verifier_env *env, int insn_idx, |
1637 | u32 regno, int off, int size, | |
1638 | enum bpf_access_type t) | |
c64b7983 JS |
1639 | { |
1640 | struct bpf_reg_state *regs = cur_regs(env); | |
1641 | struct bpf_reg_state *reg = ®s[regno]; | |
5f456649 | 1642 | struct bpf_insn_access_aux info = {}; |
46f8bc92 | 1643 | bool valid; |
c64b7983 JS |
1644 | |
1645 | if (reg->smin_value < 0) { | |
1646 | verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", | |
1647 | regno); | |
1648 | return -EACCES; | |
1649 | } | |
1650 | ||
46f8bc92 MKL |
1651 | switch (reg->type) { |
1652 | case PTR_TO_SOCK_COMMON: | |
1653 | valid = bpf_sock_common_is_valid_access(off, size, t, &info); | |
1654 | break; | |
1655 | case PTR_TO_SOCKET: | |
1656 | valid = bpf_sock_is_valid_access(off, size, t, &info); | |
1657 | break; | |
655a51e5 MKL |
1658 | case PTR_TO_TCP_SOCK: |
1659 | valid = bpf_tcp_sock_is_valid_access(off, size, t, &info); | |
1660 | break; | |
46f8bc92 MKL |
1661 | default: |
1662 | valid = false; | |
c64b7983 JS |
1663 | } |
1664 | ||
5f456649 | 1665 | |
46f8bc92 MKL |
1666 | if (valid) { |
1667 | env->insn_aux_data[insn_idx].ctx_field_size = | |
1668 | info.ctx_field_size; | |
1669 | return 0; | |
1670 | } | |
1671 | ||
1672 | verbose(env, "R%d invalid %s access off=%d size=%d\n", | |
1673 | regno, reg_type_str[reg->type], off, size); | |
1674 | ||
1675 | return -EACCES; | |
c64b7983 JS |
1676 | } |
1677 | ||
4cabc5b1 DB |
1678 | static bool __is_pointer_value(bool allow_ptr_leaks, |
1679 | const struct bpf_reg_state *reg) | |
1be7f75d | 1680 | { |
4cabc5b1 | 1681 | if (allow_ptr_leaks) |
1be7f75d AS |
1682 | return false; |
1683 | ||
f1174f77 | 1684 | return reg->type != SCALAR_VALUE; |
1be7f75d AS |
1685 | } |
1686 | ||
2a159c6f DB |
1687 | static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno) |
1688 | { | |
1689 | return cur_regs(env) + regno; | |
1690 | } | |
1691 | ||
4cabc5b1 DB |
1692 | static bool is_pointer_value(struct bpf_verifier_env *env, int regno) |
1693 | { | |
2a159c6f | 1694 | return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno)); |
4cabc5b1 DB |
1695 | } |
1696 | ||
f37a8cb8 DB |
1697 | static bool is_ctx_reg(struct bpf_verifier_env *env, int regno) |
1698 | { | |
2a159c6f | 1699 | const struct bpf_reg_state *reg = reg_state(env, regno); |
f37a8cb8 | 1700 | |
46f8bc92 MKL |
1701 | return reg->type == PTR_TO_CTX; |
1702 | } | |
1703 | ||
1704 | static bool is_sk_reg(struct bpf_verifier_env *env, int regno) | |
1705 | { | |
1706 | const struct bpf_reg_state *reg = reg_state(env, regno); | |
1707 | ||
1708 | return type_is_sk_pointer(reg->type); | |
f37a8cb8 DB |
1709 | } |
1710 | ||
ca369602 DB |
1711 | static bool is_pkt_reg(struct bpf_verifier_env *env, int regno) |
1712 | { | |
2a159c6f | 1713 | const struct bpf_reg_state *reg = reg_state(env, regno); |
ca369602 DB |
1714 | |
1715 | return type_is_pkt_pointer(reg->type); | |
1716 | } | |
1717 | ||
4b5defde DB |
1718 | static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno) |
1719 | { | |
1720 | const struct bpf_reg_state *reg = reg_state(env, regno); | |
1721 | ||
1722 | /* Separate to is_ctx_reg() since we still want to allow BPF_ST here. */ | |
1723 | return reg->type == PTR_TO_FLOW_KEYS; | |
1724 | } | |
1725 | ||
61bd5218 JK |
1726 | static int check_pkt_ptr_alignment(struct bpf_verifier_env *env, |
1727 | const struct bpf_reg_state *reg, | |
d1174416 | 1728 | int off, int size, bool strict) |
969bf05e | 1729 | { |
f1174f77 | 1730 | struct tnum reg_off; |
e07b98d9 | 1731 | int ip_align; |
d1174416 DM |
1732 | |
1733 | /* Byte size accesses are always allowed. */ | |
1734 | if (!strict || size == 1) | |
1735 | return 0; | |
1736 | ||
e4eda884 DM |
1737 | /* For platforms that do not have a Kconfig enabling |
1738 | * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS the value of | |
1739 | * NET_IP_ALIGN is universally set to '2'. And on platforms | |
1740 | * that do set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, we get | |
1741 | * to this code only in strict mode where we want to emulate | |
1742 | * the NET_IP_ALIGN==2 checking. Therefore use an | |
1743 | * unconditional IP align value of '2'. | |
e07b98d9 | 1744 | */ |
e4eda884 | 1745 | ip_align = 2; |
f1174f77 EC |
1746 | |
1747 | reg_off = tnum_add(reg->var_off, tnum_const(ip_align + reg->off + off)); | |
1748 | if (!tnum_is_aligned(reg_off, size)) { | |
1749 | char tn_buf[48]; | |
1750 | ||
1751 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
61bd5218 JK |
1752 | verbose(env, |
1753 | "misaligned packet access off %d+%s+%d+%d size %d\n", | |
f1174f77 | 1754 | ip_align, tn_buf, reg->off, off, size); |
969bf05e AS |
1755 | return -EACCES; |
1756 | } | |
79adffcd | 1757 | |
969bf05e AS |
1758 | return 0; |
1759 | } | |
1760 | ||
61bd5218 JK |
1761 | static int check_generic_ptr_alignment(struct bpf_verifier_env *env, |
1762 | const struct bpf_reg_state *reg, | |
f1174f77 EC |
1763 | const char *pointer_desc, |
1764 | int off, int size, bool strict) | |
79adffcd | 1765 | { |
f1174f77 EC |
1766 | struct tnum reg_off; |
1767 | ||
1768 | /* Byte size accesses are always allowed. */ | |
1769 | if (!strict || size == 1) | |
1770 | return 0; | |
1771 | ||
1772 | reg_off = tnum_add(reg->var_off, tnum_const(reg->off + off)); | |
1773 | if (!tnum_is_aligned(reg_off, size)) { | |
1774 | char tn_buf[48]; | |
1775 | ||
1776 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
61bd5218 | 1777 | verbose(env, "misaligned %saccess off %s+%d+%d size %d\n", |
f1174f77 | 1778 | pointer_desc, tn_buf, reg->off, off, size); |
79adffcd DB |
1779 | return -EACCES; |
1780 | } | |
1781 | ||
969bf05e AS |
1782 | return 0; |
1783 | } | |
1784 | ||
e07b98d9 | 1785 | static int check_ptr_alignment(struct bpf_verifier_env *env, |
ca369602 DB |
1786 | const struct bpf_reg_state *reg, int off, |
1787 | int size, bool strict_alignment_once) | |
79adffcd | 1788 | { |
ca369602 | 1789 | bool strict = env->strict_alignment || strict_alignment_once; |
f1174f77 | 1790 | const char *pointer_desc = ""; |
d1174416 | 1791 | |
79adffcd DB |
1792 | switch (reg->type) { |
1793 | case PTR_TO_PACKET: | |
de8f3a83 DB |
1794 | case PTR_TO_PACKET_META: |
1795 | /* Special case, because of NET_IP_ALIGN. Given metadata sits | |
1796 | * right in front, treat it the very same way. | |
1797 | */ | |
61bd5218 | 1798 | return check_pkt_ptr_alignment(env, reg, off, size, strict); |
d58e468b PP |
1799 | case PTR_TO_FLOW_KEYS: |
1800 | pointer_desc = "flow keys "; | |
1801 | break; | |
f1174f77 EC |
1802 | case PTR_TO_MAP_VALUE: |
1803 | pointer_desc = "value "; | |
1804 | break; | |
1805 | case PTR_TO_CTX: | |
1806 | pointer_desc = "context "; | |
1807 | break; | |
1808 | case PTR_TO_STACK: | |
1809 | pointer_desc = "stack "; | |
a5ec6ae1 JH |
1810 | /* The stack spill tracking logic in check_stack_write() |
1811 | * and check_stack_read() relies on stack accesses being | |
1812 | * aligned. | |
1813 | */ | |
1814 | strict = true; | |
f1174f77 | 1815 | break; |
c64b7983 JS |
1816 | case PTR_TO_SOCKET: |
1817 | pointer_desc = "sock "; | |
1818 | break; | |
46f8bc92 MKL |
1819 | case PTR_TO_SOCK_COMMON: |
1820 | pointer_desc = "sock_common "; | |
1821 | break; | |
655a51e5 MKL |
1822 | case PTR_TO_TCP_SOCK: |
1823 | pointer_desc = "tcp_sock "; | |
1824 | break; | |
79adffcd | 1825 | default: |
f1174f77 | 1826 | break; |
79adffcd | 1827 | } |
61bd5218 JK |
1828 | return check_generic_ptr_alignment(env, reg, pointer_desc, off, size, |
1829 | strict); | |
79adffcd DB |
1830 | } |
1831 | ||
f4d7e40a AS |
1832 | static int update_stack_depth(struct bpf_verifier_env *env, |
1833 | const struct bpf_func_state *func, | |
1834 | int off) | |
1835 | { | |
9c8105bd | 1836 | u16 stack = env->subprog_info[func->subprogno].stack_depth; |
f4d7e40a AS |
1837 | |
1838 | if (stack >= -off) | |
1839 | return 0; | |
1840 | ||
1841 | /* update known max for given subprogram */ | |
9c8105bd | 1842 | env->subprog_info[func->subprogno].stack_depth = -off; |
70a87ffe AS |
1843 | return 0; |
1844 | } | |
f4d7e40a | 1845 | |
70a87ffe AS |
1846 | /* starting from main bpf function walk all instructions of the function |
1847 | * and recursively walk all callees that given function can call. | |
1848 | * Ignore jump and exit insns. | |
1849 | * Since recursion is prevented by check_cfg() this algorithm | |
1850 | * only needs a local stack of MAX_CALL_FRAMES to remember callsites | |
1851 | */ | |
1852 | static int check_max_stack_depth(struct bpf_verifier_env *env) | |
1853 | { | |
9c8105bd JW |
1854 | int depth = 0, frame = 0, idx = 0, i = 0, subprog_end; |
1855 | struct bpf_subprog_info *subprog = env->subprog_info; | |
70a87ffe | 1856 | struct bpf_insn *insn = env->prog->insnsi; |
70a87ffe AS |
1857 | int ret_insn[MAX_CALL_FRAMES]; |
1858 | int ret_prog[MAX_CALL_FRAMES]; | |
f4d7e40a | 1859 | |
70a87ffe AS |
1860 | process_func: |
1861 | /* round up to 32-bytes, since this is granularity | |
1862 | * of interpreter stack size | |
1863 | */ | |
9c8105bd | 1864 | depth += round_up(max_t(u32, subprog[idx].stack_depth, 1), 32); |
70a87ffe | 1865 | if (depth > MAX_BPF_STACK) { |
f4d7e40a | 1866 | verbose(env, "combined stack size of %d calls is %d. Too large\n", |
70a87ffe | 1867 | frame + 1, depth); |
f4d7e40a AS |
1868 | return -EACCES; |
1869 | } | |
70a87ffe | 1870 | continue_func: |
4cb3d99c | 1871 | subprog_end = subprog[idx + 1].start; |
70a87ffe AS |
1872 | for (; i < subprog_end; i++) { |
1873 | if (insn[i].code != (BPF_JMP | BPF_CALL)) | |
1874 | continue; | |
1875 | if (insn[i].src_reg != BPF_PSEUDO_CALL) | |
1876 | continue; | |
1877 | /* remember insn and function to return to */ | |
1878 | ret_insn[frame] = i + 1; | |
9c8105bd | 1879 | ret_prog[frame] = idx; |
70a87ffe AS |
1880 | |
1881 | /* find the callee */ | |
1882 | i = i + insn[i].imm + 1; | |
9c8105bd JW |
1883 | idx = find_subprog(env, i); |
1884 | if (idx < 0) { | |
70a87ffe AS |
1885 | WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", |
1886 | i); | |
1887 | return -EFAULT; | |
1888 | } | |
70a87ffe AS |
1889 | frame++; |
1890 | if (frame >= MAX_CALL_FRAMES) { | |
1891 | WARN_ONCE(1, "verifier bug. Call stack is too deep\n"); | |
1892 | return -EFAULT; | |
1893 | } | |
1894 | goto process_func; | |
1895 | } | |
1896 | /* end of for() loop means the last insn of the 'subprog' | |
1897 | * was reached. Doesn't matter whether it was JA or EXIT | |
1898 | */ | |
1899 | if (frame == 0) | |
1900 | return 0; | |
9c8105bd | 1901 | depth -= round_up(max_t(u32, subprog[idx].stack_depth, 1), 32); |
70a87ffe AS |
1902 | frame--; |
1903 | i = ret_insn[frame]; | |
9c8105bd | 1904 | idx = ret_prog[frame]; |
70a87ffe | 1905 | goto continue_func; |
f4d7e40a AS |
1906 | } |
1907 | ||
19d28fbd | 1908 | #ifndef CONFIG_BPF_JIT_ALWAYS_ON |
1ea47e01 AS |
1909 | static int get_callee_stack_depth(struct bpf_verifier_env *env, |
1910 | const struct bpf_insn *insn, int idx) | |
1911 | { | |
1912 | int start = idx + insn->imm + 1, subprog; | |
1913 | ||
1914 | subprog = find_subprog(env, start); | |
1915 | if (subprog < 0) { | |
1916 | WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", | |
1917 | start); | |
1918 | return -EFAULT; | |
1919 | } | |
9c8105bd | 1920 | return env->subprog_info[subprog].stack_depth; |
1ea47e01 | 1921 | } |
19d28fbd | 1922 | #endif |
1ea47e01 | 1923 | |
58990d1f DB |
1924 | static int check_ctx_reg(struct bpf_verifier_env *env, |
1925 | const struct bpf_reg_state *reg, int regno) | |
1926 | { | |
1927 | /* Access to ctx or passing it to a helper is only allowed in | |
1928 | * its original, unmodified form. | |
1929 | */ | |
1930 | ||
1931 | if (reg->off) { | |
1932 | verbose(env, "dereference of modified ctx ptr R%d off=%d disallowed\n", | |
1933 | regno, reg->off); | |
1934 | return -EACCES; | |
1935 | } | |
1936 | ||
1937 | if (!tnum_is_const(reg->var_off) || reg->var_off.value) { | |
1938 | char tn_buf[48]; | |
1939 | ||
1940 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
1941 | verbose(env, "variable ctx access var_off=%s disallowed\n", tn_buf); | |
1942 | return -EACCES; | |
1943 | } | |
1944 | ||
1945 | return 0; | |
1946 | } | |
1947 | ||
0c17d1d2 JH |
1948 | /* truncate register to smaller size (in bytes) |
1949 | * must be called with size < BPF_REG_SIZE | |
1950 | */ | |
1951 | static void coerce_reg_to_size(struct bpf_reg_state *reg, int size) | |
1952 | { | |
1953 | u64 mask; | |
1954 | ||
1955 | /* clear high bits in bit representation */ | |
1956 | reg->var_off = tnum_cast(reg->var_off, size); | |
1957 | ||
1958 | /* fix arithmetic bounds */ | |
1959 | mask = ((u64)1 << (size * 8)) - 1; | |
1960 | if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) { | |
1961 | reg->umin_value &= mask; | |
1962 | reg->umax_value &= mask; | |
1963 | } else { | |
1964 | reg->umin_value = 0; | |
1965 | reg->umax_value = mask; | |
1966 | } | |
1967 | reg->smin_value = reg->umin_value; | |
1968 | reg->smax_value = reg->umax_value; | |
1969 | } | |
1970 | ||
17a52670 AS |
1971 | /* check whether memory at (regno + off) is accessible for t = (read | write) |
1972 | * if t==write, value_regno is a register which value is stored into memory | |
1973 | * if t==read, value_regno is a register which will receive the value from memory | |
1974 | * if t==write && value_regno==-1, some unknown value is stored into memory | |
1975 | * if t==read && value_regno==-1, don't care what we read from memory | |
1976 | */ | |
ca369602 DB |
1977 | static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, |
1978 | int off, int bpf_size, enum bpf_access_type t, | |
1979 | int value_regno, bool strict_alignment_once) | |
17a52670 | 1980 | { |
638f5b90 AS |
1981 | struct bpf_reg_state *regs = cur_regs(env); |
1982 | struct bpf_reg_state *reg = regs + regno; | |
f4d7e40a | 1983 | struct bpf_func_state *state; |
17a52670 AS |
1984 | int size, err = 0; |
1985 | ||
1986 | size = bpf_size_to_bytes(bpf_size); | |
1987 | if (size < 0) | |
1988 | return size; | |
1989 | ||
f1174f77 | 1990 | /* alignment checks will add in reg->off themselves */ |
ca369602 | 1991 | err = check_ptr_alignment(env, reg, off, size, strict_alignment_once); |
969bf05e AS |
1992 | if (err) |
1993 | return err; | |
17a52670 | 1994 | |
f1174f77 EC |
1995 | /* for access checks, reg->off is just part of off */ |
1996 | off += reg->off; | |
1997 | ||
1998 | if (reg->type == PTR_TO_MAP_VALUE) { | |
1be7f75d AS |
1999 | if (t == BPF_WRITE && value_regno >= 0 && |
2000 | is_pointer_value(env, value_regno)) { | |
61bd5218 | 2001 | verbose(env, "R%d leaks addr into map\n", value_regno); |
1be7f75d AS |
2002 | return -EACCES; |
2003 | } | |
48461135 | 2004 | |
9fd29c08 | 2005 | err = check_map_access(env, regno, off, size, false); |
17a52670 | 2006 | if (!err && t == BPF_READ && value_regno >= 0) |
638f5b90 | 2007 | mark_reg_unknown(env, regs, value_regno); |
17a52670 | 2008 | |
1a0dc1ac | 2009 | } else if (reg->type == PTR_TO_CTX) { |
f1174f77 | 2010 | enum bpf_reg_type reg_type = SCALAR_VALUE; |
19de99f7 | 2011 | |
1be7f75d AS |
2012 | if (t == BPF_WRITE && value_regno >= 0 && |
2013 | is_pointer_value(env, value_regno)) { | |
61bd5218 | 2014 | verbose(env, "R%d leaks addr into ctx\n", value_regno); |
1be7f75d AS |
2015 | return -EACCES; |
2016 | } | |
f1174f77 | 2017 | |
58990d1f DB |
2018 | err = check_ctx_reg(env, reg, regno); |
2019 | if (err < 0) | |
2020 | return err; | |
2021 | ||
31fd8581 | 2022 | err = check_ctx_access(env, insn_idx, off, size, t, ®_type); |
969bf05e | 2023 | if (!err && t == BPF_READ && value_regno >= 0) { |
f1174f77 | 2024 | /* ctx access returns either a scalar, or a |
de8f3a83 DB |
2025 | * PTR_TO_PACKET[_META,_END]. In the latter |
2026 | * case, we know the offset is zero. | |
f1174f77 | 2027 | */ |
46f8bc92 | 2028 | if (reg_type == SCALAR_VALUE) { |
638f5b90 | 2029 | mark_reg_unknown(env, regs, value_regno); |
46f8bc92 | 2030 | } else { |
638f5b90 | 2031 | mark_reg_known_zero(env, regs, |
61bd5218 | 2032 | value_regno); |
46f8bc92 MKL |
2033 | if (reg_type_may_be_null(reg_type)) |
2034 | regs[value_regno].id = ++env->id_gen; | |
2035 | } | |
638f5b90 | 2036 | regs[value_regno].type = reg_type; |
969bf05e | 2037 | } |
17a52670 | 2038 | |
f1174f77 | 2039 | } else if (reg->type == PTR_TO_STACK) { |
f1174f77 | 2040 | off += reg->var_off.value; |
e4298d25 DB |
2041 | err = check_stack_access(env, reg, off, size); |
2042 | if (err) | |
2043 | return err; | |
8726679a | 2044 | |
f4d7e40a AS |
2045 | state = func(env, reg); |
2046 | err = update_stack_depth(env, state, off); | |
2047 | if (err) | |
2048 | return err; | |
8726679a | 2049 | |
638f5b90 | 2050 | if (t == BPF_WRITE) |
61bd5218 | 2051 | err = check_stack_write(env, state, off, size, |
af86ca4e | 2052 | value_regno, insn_idx); |
638f5b90 | 2053 | else |
61bd5218 JK |
2054 | err = check_stack_read(env, state, off, size, |
2055 | value_regno); | |
de8f3a83 | 2056 | } else if (reg_is_pkt_pointer(reg)) { |
3a0af8fd | 2057 | if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { |
61bd5218 | 2058 | verbose(env, "cannot write into packet\n"); |
969bf05e AS |
2059 | return -EACCES; |
2060 | } | |
4acf6c0b BB |
2061 | if (t == BPF_WRITE && value_regno >= 0 && |
2062 | is_pointer_value(env, value_regno)) { | |
61bd5218 JK |
2063 | verbose(env, "R%d leaks addr into packet\n", |
2064 | value_regno); | |
4acf6c0b BB |
2065 | return -EACCES; |
2066 | } | |
9fd29c08 | 2067 | err = check_packet_access(env, regno, off, size, false); |
969bf05e | 2068 | if (!err && t == BPF_READ && value_regno >= 0) |
638f5b90 | 2069 | mark_reg_unknown(env, regs, value_regno); |
d58e468b PP |
2070 | } else if (reg->type == PTR_TO_FLOW_KEYS) { |
2071 | if (t == BPF_WRITE && value_regno >= 0 && | |
2072 | is_pointer_value(env, value_regno)) { | |
2073 | verbose(env, "R%d leaks addr into flow keys\n", | |
2074 | value_regno); | |
2075 | return -EACCES; | |
2076 | } | |
2077 | ||
2078 | err = check_flow_keys_access(env, off, size); | |
2079 | if (!err && t == BPF_READ && value_regno >= 0) | |
2080 | mark_reg_unknown(env, regs, value_regno); | |
46f8bc92 | 2081 | } else if (type_is_sk_pointer(reg->type)) { |
c64b7983 | 2082 | if (t == BPF_WRITE) { |
46f8bc92 MKL |
2083 | verbose(env, "R%d cannot write into %s\n", |
2084 | regno, reg_type_str[reg->type]); | |
c64b7983 JS |
2085 | return -EACCES; |
2086 | } | |
5f456649 | 2087 | err = check_sock_access(env, insn_idx, regno, off, size, t); |
c64b7983 JS |
2088 | if (!err && value_regno >= 0) |
2089 | mark_reg_unknown(env, regs, value_regno); | |
17a52670 | 2090 | } else { |
61bd5218 JK |
2091 | verbose(env, "R%d invalid mem access '%s'\n", regno, |
2092 | reg_type_str[reg->type]); | |
17a52670 AS |
2093 | return -EACCES; |
2094 | } | |
969bf05e | 2095 | |
f1174f77 | 2096 | if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ && |
638f5b90 | 2097 | regs[value_regno].type == SCALAR_VALUE) { |
f1174f77 | 2098 | /* b/h/w load zero-extends, mark upper bits as known 0 */ |
0c17d1d2 | 2099 | coerce_reg_to_size(®s[value_regno], size); |
969bf05e | 2100 | } |
17a52670 AS |
2101 | return err; |
2102 | } | |
2103 | ||
31fd8581 | 2104 | static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn) |
17a52670 | 2105 | { |
17a52670 AS |
2106 | int err; |
2107 | ||
2108 | if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) || | |
2109 | insn->imm != 0) { | |
61bd5218 | 2110 | verbose(env, "BPF_XADD uses reserved fields\n"); |
17a52670 AS |
2111 | return -EINVAL; |
2112 | } | |
2113 | ||
2114 | /* check src1 operand */ | |
dc503a8a | 2115 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
2116 | if (err) |
2117 | return err; | |
2118 | ||
2119 | /* check src2 operand */ | |
dc503a8a | 2120 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
2121 | if (err) |
2122 | return err; | |
2123 | ||
6bdf6abc | 2124 | if (is_pointer_value(env, insn->src_reg)) { |
61bd5218 | 2125 | verbose(env, "R%d leaks addr into mem\n", insn->src_reg); |
6bdf6abc DB |
2126 | return -EACCES; |
2127 | } | |
2128 | ||
ca369602 | 2129 | if (is_ctx_reg(env, insn->dst_reg) || |
4b5defde | 2130 | is_pkt_reg(env, insn->dst_reg) || |
46f8bc92 MKL |
2131 | is_flow_key_reg(env, insn->dst_reg) || |
2132 | is_sk_reg(env, insn->dst_reg)) { | |
ca369602 | 2133 | verbose(env, "BPF_XADD stores into R%d %s is not allowed\n", |
2a159c6f DB |
2134 | insn->dst_reg, |
2135 | reg_type_str[reg_state(env, insn->dst_reg)->type]); | |
f37a8cb8 DB |
2136 | return -EACCES; |
2137 | } | |
2138 | ||
17a52670 | 2139 | /* check whether atomic_add can read the memory */ |
31fd8581 | 2140 | err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
ca369602 | 2141 | BPF_SIZE(insn->code), BPF_READ, -1, true); |
17a52670 AS |
2142 | if (err) |
2143 | return err; | |
2144 | ||
2145 | /* check whether atomic_add can write into the same memory */ | |
31fd8581 | 2146 | return check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
ca369602 | 2147 | BPF_SIZE(insn->code), BPF_WRITE, -1, true); |
17a52670 AS |
2148 | } |
2149 | ||
2150 | /* when register 'regno' is passed into function that will read 'access_size' | |
2151 | * bytes from that pointer, make sure that it's within stack boundary | |
f1174f77 EC |
2152 | * and all elements of stack are initialized. |
2153 | * Unlike most pointer bounds-checking functions, this one doesn't take an | |
2154 | * 'off' argument, so it has to add in reg->off itself. | |
17a52670 | 2155 | */ |
58e2af8b | 2156 | static int check_stack_boundary(struct bpf_verifier_env *env, int regno, |
435faee1 DB |
2157 | int access_size, bool zero_size_allowed, |
2158 | struct bpf_call_arg_meta *meta) | |
17a52670 | 2159 | { |
2a159c6f | 2160 | struct bpf_reg_state *reg = reg_state(env, regno); |
f4d7e40a | 2161 | struct bpf_func_state *state = func(env, reg); |
638f5b90 | 2162 | int off, i, slot, spi; |
17a52670 | 2163 | |
914cb781 | 2164 | if (reg->type != PTR_TO_STACK) { |
f1174f77 | 2165 | /* Allow zero-byte read from NULL, regardless of pointer type */ |
8e2fe1d9 | 2166 | if (zero_size_allowed && access_size == 0 && |
914cb781 | 2167 | register_is_null(reg)) |
8e2fe1d9 DB |
2168 | return 0; |
2169 | ||
61bd5218 | 2170 | verbose(env, "R%d type=%s expected=%s\n", regno, |
914cb781 | 2171 | reg_type_str[reg->type], |
8e2fe1d9 | 2172 | reg_type_str[PTR_TO_STACK]); |
17a52670 | 2173 | return -EACCES; |
8e2fe1d9 | 2174 | } |
17a52670 | 2175 | |
f1174f77 | 2176 | /* Only allow fixed-offset stack reads */ |
914cb781 | 2177 | if (!tnum_is_const(reg->var_off)) { |
f1174f77 EC |
2178 | char tn_buf[48]; |
2179 | ||
914cb781 | 2180 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
61bd5218 | 2181 | verbose(env, "invalid variable stack read R%d var_off=%s\n", |
f1174f77 | 2182 | regno, tn_buf); |
ea25f914 | 2183 | return -EACCES; |
f1174f77 | 2184 | } |
914cb781 | 2185 | off = reg->off + reg->var_off.value; |
17a52670 | 2186 | if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || |
9fd29c08 | 2187 | access_size < 0 || (access_size == 0 && !zero_size_allowed)) { |
61bd5218 | 2188 | verbose(env, "invalid stack type R%d off=%d access_size=%d\n", |
17a52670 AS |
2189 | regno, off, access_size); |
2190 | return -EACCES; | |
2191 | } | |
2192 | ||
435faee1 DB |
2193 | if (meta && meta->raw_mode) { |
2194 | meta->access_size = access_size; | |
2195 | meta->regno = regno; | |
2196 | return 0; | |
2197 | } | |
2198 | ||
17a52670 | 2199 | for (i = 0; i < access_size; i++) { |
cc2b14d5 AS |
2200 | u8 *stype; |
2201 | ||
638f5b90 AS |
2202 | slot = -(off + i) - 1; |
2203 | spi = slot / BPF_REG_SIZE; | |
cc2b14d5 AS |
2204 | if (state->allocated_stack <= slot) |
2205 | goto err; | |
2206 | stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE]; | |
2207 | if (*stype == STACK_MISC) | |
2208 | goto mark; | |
2209 | if (*stype == STACK_ZERO) { | |
2210 | /* helper can write anything into the stack */ | |
2211 | *stype = STACK_MISC; | |
2212 | goto mark; | |
17a52670 | 2213 | } |
cc2b14d5 AS |
2214 | err: |
2215 | verbose(env, "invalid indirect read from stack off %d+%d size %d\n", | |
2216 | off, i, access_size); | |
2217 | return -EACCES; | |
2218 | mark: | |
2219 | /* reading any byte out of 8-byte 'spill_slot' will cause | |
2220 | * the whole slot to be marked as 'read' | |
2221 | */ | |
679c782d EC |
2222 | mark_reg_read(env, &state->stack[spi].spilled_ptr, |
2223 | state->stack[spi].spilled_ptr.parent); | |
17a52670 | 2224 | } |
f4d7e40a | 2225 | return update_stack_depth(env, state, off); |
17a52670 AS |
2226 | } |
2227 | ||
06c1c049 GB |
2228 | static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, |
2229 | int access_size, bool zero_size_allowed, | |
2230 | struct bpf_call_arg_meta *meta) | |
2231 | { | |
638f5b90 | 2232 | struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; |
06c1c049 | 2233 | |
f1174f77 | 2234 | switch (reg->type) { |
06c1c049 | 2235 | case PTR_TO_PACKET: |
de8f3a83 | 2236 | case PTR_TO_PACKET_META: |
9fd29c08 YS |
2237 | return check_packet_access(env, regno, reg->off, access_size, |
2238 | zero_size_allowed); | |
06c1c049 | 2239 | case PTR_TO_MAP_VALUE: |
9fd29c08 YS |
2240 | return check_map_access(env, regno, reg->off, access_size, |
2241 | zero_size_allowed); | |
f1174f77 | 2242 | default: /* scalar_value|ptr_to_stack or invalid ptr */ |
06c1c049 GB |
2243 | return check_stack_boundary(env, regno, access_size, |
2244 | zero_size_allowed, meta); | |
2245 | } | |
2246 | } | |
2247 | ||
d83525ca AS |
2248 | /* Implementation details: |
2249 | * bpf_map_lookup returns PTR_TO_MAP_VALUE_OR_NULL | |
2250 | * Two bpf_map_lookups (even with the same key) will have different reg->id. | |
2251 | * For traditional PTR_TO_MAP_VALUE the verifier clears reg->id after | |
2252 | * value_or_null->value transition, since the verifier only cares about | |
2253 | * the range of access to valid map value pointer and doesn't care about actual | |
2254 | * address of the map element. | |
2255 | * For maps with 'struct bpf_spin_lock' inside map value the verifier keeps | |
2256 | * reg->id > 0 after value_or_null->value transition. By doing so | |
2257 | * two bpf_map_lookups will be considered two different pointers that | |
2258 | * point to different bpf_spin_locks. | |
2259 | * The verifier allows taking only one bpf_spin_lock at a time to avoid | |
2260 | * dead-locks. | |
2261 | * Since only one bpf_spin_lock is allowed the checks are simpler than | |
2262 | * reg_is_refcounted() logic. The verifier needs to remember only | |
2263 | * one spin_lock instead of array of acquired_refs. | |
2264 | * cur_state->active_spin_lock remembers which map value element got locked | |
2265 | * and clears it after bpf_spin_unlock. | |
2266 | */ | |
2267 | static int process_spin_lock(struct bpf_verifier_env *env, int regno, | |
2268 | bool is_lock) | |
2269 | { | |
2270 | struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; | |
2271 | struct bpf_verifier_state *cur = env->cur_state; | |
2272 | bool is_const = tnum_is_const(reg->var_off); | |
2273 | struct bpf_map *map = reg->map_ptr; | |
2274 | u64 val = reg->var_off.value; | |
2275 | ||
2276 | if (reg->type != PTR_TO_MAP_VALUE) { | |
2277 | verbose(env, "R%d is not a pointer to map_value\n", regno); | |
2278 | return -EINVAL; | |
2279 | } | |
2280 | if (!is_const) { | |
2281 | verbose(env, | |
2282 | "R%d doesn't have constant offset. bpf_spin_lock has to be at the constant offset\n", | |
2283 | regno); | |
2284 | return -EINVAL; | |
2285 | } | |
2286 | if (!map->btf) { | |
2287 | verbose(env, | |
2288 | "map '%s' has to have BTF in order to use bpf_spin_lock\n", | |
2289 | map->name); | |
2290 | return -EINVAL; | |
2291 | } | |
2292 | if (!map_value_has_spin_lock(map)) { | |
2293 | if (map->spin_lock_off == -E2BIG) | |
2294 | verbose(env, | |
2295 | "map '%s' has more than one 'struct bpf_spin_lock'\n", | |
2296 | map->name); | |
2297 | else if (map->spin_lock_off == -ENOENT) | |
2298 | verbose(env, | |
2299 | "map '%s' doesn't have 'struct bpf_spin_lock'\n", | |
2300 | map->name); | |
2301 | else | |
2302 | verbose(env, | |
2303 | "map '%s' is not a struct type or bpf_spin_lock is mangled\n", | |
2304 | map->name); | |
2305 | return -EINVAL; | |
2306 | } | |
2307 | if (map->spin_lock_off != val + reg->off) { | |
2308 | verbose(env, "off %lld doesn't point to 'struct bpf_spin_lock'\n", | |
2309 | val + reg->off); | |
2310 | return -EINVAL; | |
2311 | } | |
2312 | if (is_lock) { | |
2313 | if (cur->active_spin_lock) { | |
2314 | verbose(env, | |
2315 | "Locking two bpf_spin_locks are not allowed\n"); | |
2316 | return -EINVAL; | |
2317 | } | |
2318 | cur->active_spin_lock = reg->id; | |
2319 | } else { | |
2320 | if (!cur->active_spin_lock) { | |
2321 | verbose(env, "bpf_spin_unlock without taking a lock\n"); | |
2322 | return -EINVAL; | |
2323 | } | |
2324 | if (cur->active_spin_lock != reg->id) { | |
2325 | verbose(env, "bpf_spin_unlock of different lock\n"); | |
2326 | return -EINVAL; | |
2327 | } | |
2328 | cur->active_spin_lock = 0; | |
2329 | } | |
2330 | return 0; | |
2331 | } | |
2332 | ||
90133415 DB |
2333 | static bool arg_type_is_mem_ptr(enum bpf_arg_type type) |
2334 | { | |
2335 | return type == ARG_PTR_TO_MEM || | |
2336 | type == ARG_PTR_TO_MEM_OR_NULL || | |
2337 | type == ARG_PTR_TO_UNINIT_MEM; | |
2338 | } | |
2339 | ||
2340 | static bool arg_type_is_mem_size(enum bpf_arg_type type) | |
2341 | { | |
2342 | return type == ARG_CONST_SIZE || | |
2343 | type == ARG_CONST_SIZE_OR_ZERO; | |
2344 | } | |
2345 | ||
58e2af8b | 2346 | static int check_func_arg(struct bpf_verifier_env *env, u32 regno, |
33ff9823 DB |
2347 | enum bpf_arg_type arg_type, |
2348 | struct bpf_call_arg_meta *meta) | |
17a52670 | 2349 | { |
638f5b90 | 2350 | struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; |
6841de8b | 2351 | enum bpf_reg_type expected_type, type = reg->type; |
17a52670 AS |
2352 | int err = 0; |
2353 | ||
80f1d68c | 2354 | if (arg_type == ARG_DONTCARE) |
17a52670 AS |
2355 | return 0; |
2356 | ||
dc503a8a EC |
2357 | err = check_reg_arg(env, regno, SRC_OP); |
2358 | if (err) | |
2359 | return err; | |
17a52670 | 2360 | |
1be7f75d AS |
2361 | if (arg_type == ARG_ANYTHING) { |
2362 | if (is_pointer_value(env, regno)) { | |
61bd5218 JK |
2363 | verbose(env, "R%d leaks addr into helper function\n", |
2364 | regno); | |
1be7f75d AS |
2365 | return -EACCES; |
2366 | } | |
80f1d68c | 2367 | return 0; |
1be7f75d | 2368 | } |
80f1d68c | 2369 | |
de8f3a83 | 2370 | if (type_is_pkt_pointer(type) && |
3a0af8fd | 2371 | !may_access_direct_pkt_data(env, meta, BPF_READ)) { |
61bd5218 | 2372 | verbose(env, "helper access to the packet is not allowed\n"); |
6841de8b AS |
2373 | return -EACCES; |
2374 | } | |
2375 | ||
8e2fe1d9 | 2376 | if (arg_type == ARG_PTR_TO_MAP_KEY || |
2ea864c5 MV |
2377 | arg_type == ARG_PTR_TO_MAP_VALUE || |
2378 | arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) { | |
17a52670 | 2379 | expected_type = PTR_TO_STACK; |
d71962f3 | 2380 | if (!type_is_pkt_pointer(type) && type != PTR_TO_MAP_VALUE && |
de8f3a83 | 2381 | type != expected_type) |
6841de8b | 2382 | goto err_type; |
39f19ebb AS |
2383 | } else if (arg_type == ARG_CONST_SIZE || |
2384 | arg_type == ARG_CONST_SIZE_OR_ZERO) { | |
f1174f77 EC |
2385 | expected_type = SCALAR_VALUE; |
2386 | if (type != expected_type) | |
6841de8b | 2387 | goto err_type; |
17a52670 AS |
2388 | } else if (arg_type == ARG_CONST_MAP_PTR) { |
2389 | expected_type = CONST_PTR_TO_MAP; | |
6841de8b AS |
2390 | if (type != expected_type) |
2391 | goto err_type; | |
608cd71a AS |
2392 | } else if (arg_type == ARG_PTR_TO_CTX) { |
2393 | expected_type = PTR_TO_CTX; | |
6841de8b AS |
2394 | if (type != expected_type) |
2395 | goto err_type; | |
58990d1f DB |
2396 | err = check_ctx_reg(env, reg, regno); |
2397 | if (err < 0) | |
2398 | return err; | |
46f8bc92 MKL |
2399 | } else if (arg_type == ARG_PTR_TO_SOCK_COMMON) { |
2400 | expected_type = PTR_TO_SOCK_COMMON; | |
2401 | /* Any sk pointer can be ARG_PTR_TO_SOCK_COMMON */ | |
2402 | if (!type_is_sk_pointer(type)) | |
2403 | goto err_type; | |
1b986589 MKL |
2404 | if (reg->ref_obj_id) { |
2405 | if (meta->ref_obj_id) { | |
2406 | verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n", | |
2407 | regno, reg->ref_obj_id, | |
2408 | meta->ref_obj_id); | |
2409 | return -EFAULT; | |
2410 | } | |
2411 | meta->ref_obj_id = reg->ref_obj_id; | |
fd978bf7 | 2412 | } |
d83525ca AS |
2413 | } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) { |
2414 | if (meta->func_id == BPF_FUNC_spin_lock) { | |
2415 | if (process_spin_lock(env, regno, true)) | |
2416 | return -EACCES; | |
2417 | } else if (meta->func_id == BPF_FUNC_spin_unlock) { | |
2418 | if (process_spin_lock(env, regno, false)) | |
2419 | return -EACCES; | |
2420 | } else { | |
2421 | verbose(env, "verifier internal error\n"); | |
2422 | return -EFAULT; | |
2423 | } | |
90133415 | 2424 | } else if (arg_type_is_mem_ptr(arg_type)) { |
8e2fe1d9 DB |
2425 | expected_type = PTR_TO_STACK; |
2426 | /* One exception here. In case function allows for NULL to be | |
f1174f77 | 2427 | * passed in as argument, it's a SCALAR_VALUE type. Final test |
8e2fe1d9 DB |
2428 | * happens during stack boundary checking. |
2429 | */ | |
914cb781 | 2430 | if (register_is_null(reg) && |
db1ac496 | 2431 | arg_type == ARG_PTR_TO_MEM_OR_NULL) |
6841de8b | 2432 | /* final test in check_stack_boundary() */; |
de8f3a83 DB |
2433 | else if (!type_is_pkt_pointer(type) && |
2434 | type != PTR_TO_MAP_VALUE && | |
f1174f77 | 2435 | type != expected_type) |
6841de8b | 2436 | goto err_type; |
39f19ebb | 2437 | meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM; |
17a52670 | 2438 | } else { |
61bd5218 | 2439 | verbose(env, "unsupported arg_type %d\n", arg_type); |
17a52670 AS |
2440 | return -EFAULT; |
2441 | } | |
2442 | ||
17a52670 AS |
2443 | if (arg_type == ARG_CONST_MAP_PTR) { |
2444 | /* bpf_map_xxx(map_ptr) call: remember that map_ptr */ | |
33ff9823 | 2445 | meta->map_ptr = reg->map_ptr; |
17a52670 AS |
2446 | } else if (arg_type == ARG_PTR_TO_MAP_KEY) { |
2447 | /* bpf_map_xxx(..., map_ptr, ..., key) call: | |
2448 | * check that [key, key + map->key_size) are within | |
2449 | * stack limits and initialized | |
2450 | */ | |
33ff9823 | 2451 | if (!meta->map_ptr) { |
17a52670 AS |
2452 | /* in function declaration map_ptr must come before |
2453 | * map_key, so that it's verified and known before | |
2454 | * we have to check map_key here. Otherwise it means | |
2455 | * that kernel subsystem misconfigured verifier | |
2456 | */ | |
61bd5218 | 2457 | verbose(env, "invalid map_ptr to access map->key\n"); |
17a52670 AS |
2458 | return -EACCES; |
2459 | } | |
d71962f3 PC |
2460 | err = check_helper_mem_access(env, regno, |
2461 | meta->map_ptr->key_size, false, | |
2462 | NULL); | |
2ea864c5 MV |
2463 | } else if (arg_type == ARG_PTR_TO_MAP_VALUE || |
2464 | arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) { | |
17a52670 AS |
2465 | /* bpf_map_xxx(..., map_ptr, ..., value) call: |
2466 | * check [value, value + map->value_size) validity | |
2467 | */ | |
33ff9823 | 2468 | if (!meta->map_ptr) { |
17a52670 | 2469 | /* kernel subsystem misconfigured verifier */ |
61bd5218 | 2470 | verbose(env, "invalid map_ptr to access map->value\n"); |
17a52670 AS |
2471 | return -EACCES; |
2472 | } | |
2ea864c5 | 2473 | meta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE); |
d71962f3 PC |
2474 | err = check_helper_mem_access(env, regno, |
2475 | meta->map_ptr->value_size, false, | |
2ea864c5 | 2476 | meta); |
90133415 | 2477 | } else if (arg_type_is_mem_size(arg_type)) { |
39f19ebb | 2478 | bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO); |
17a52670 | 2479 | |
849fa506 YS |
2480 | /* remember the mem_size which may be used later |
2481 | * to refine return values. | |
2482 | */ | |
2483 | meta->msize_smax_value = reg->smax_value; | |
2484 | meta->msize_umax_value = reg->umax_value; | |
2485 | ||
f1174f77 EC |
2486 | /* The register is SCALAR_VALUE; the access check |
2487 | * happens using its boundaries. | |
06c1c049 | 2488 | */ |
f1174f77 | 2489 | if (!tnum_is_const(reg->var_off)) |
06c1c049 GB |
2490 | /* For unprivileged variable accesses, disable raw |
2491 | * mode so that the program is required to | |
2492 | * initialize all the memory that the helper could | |
2493 | * just partially fill up. | |
2494 | */ | |
2495 | meta = NULL; | |
2496 | ||
b03c9f9f | 2497 | if (reg->smin_value < 0) { |
61bd5218 | 2498 | verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n", |
f1174f77 EC |
2499 | regno); |
2500 | return -EACCES; | |
2501 | } | |
06c1c049 | 2502 | |
b03c9f9f | 2503 | if (reg->umin_value == 0) { |
f1174f77 EC |
2504 | err = check_helper_mem_access(env, regno - 1, 0, |
2505 | zero_size_allowed, | |
2506 | meta); | |
06c1c049 GB |
2507 | if (err) |
2508 | return err; | |
06c1c049 | 2509 | } |
f1174f77 | 2510 | |
b03c9f9f | 2511 | if (reg->umax_value >= BPF_MAX_VAR_SIZ) { |
61bd5218 | 2512 | verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", |
f1174f77 EC |
2513 | regno); |
2514 | return -EACCES; | |
2515 | } | |
2516 | err = check_helper_mem_access(env, regno - 1, | |
b03c9f9f | 2517 | reg->umax_value, |
f1174f77 | 2518 | zero_size_allowed, meta); |
17a52670 AS |
2519 | } |
2520 | ||
2521 | return err; | |
6841de8b | 2522 | err_type: |
61bd5218 | 2523 | verbose(env, "R%d type=%s expected=%s\n", regno, |
6841de8b AS |
2524 | reg_type_str[type], reg_type_str[expected_type]); |
2525 | return -EACCES; | |
17a52670 AS |
2526 | } |
2527 | ||
61bd5218 JK |
2528 | static int check_map_func_compatibility(struct bpf_verifier_env *env, |
2529 | struct bpf_map *map, int func_id) | |
35578d79 | 2530 | { |
35578d79 KX |
2531 | if (!map) |
2532 | return 0; | |
2533 | ||
6aff67c8 AS |
2534 | /* We need a two way check, first is from map perspective ... */ |
2535 | switch (map->map_type) { | |
2536 | case BPF_MAP_TYPE_PROG_ARRAY: | |
2537 | if (func_id != BPF_FUNC_tail_call) | |
2538 | goto error; | |
2539 | break; | |
2540 | case BPF_MAP_TYPE_PERF_EVENT_ARRAY: | |
2541 | if (func_id != BPF_FUNC_perf_event_read && | |
908432ca YS |
2542 | func_id != BPF_FUNC_perf_event_output && |
2543 | func_id != BPF_FUNC_perf_event_read_value) | |
6aff67c8 AS |
2544 | goto error; |
2545 | break; | |
2546 | case BPF_MAP_TYPE_STACK_TRACE: | |
2547 | if (func_id != BPF_FUNC_get_stackid) | |
2548 | goto error; | |
2549 | break; | |
4ed8ec52 | 2550 | case BPF_MAP_TYPE_CGROUP_ARRAY: |
60747ef4 | 2551 | if (func_id != BPF_FUNC_skb_under_cgroup && |
60d20f91 | 2552 | func_id != BPF_FUNC_current_task_under_cgroup) |
4a482f34 MKL |
2553 | goto error; |
2554 | break; | |
cd339431 | 2555 | case BPF_MAP_TYPE_CGROUP_STORAGE: |
b741f163 | 2556 | case BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE: |
cd339431 RG |
2557 | if (func_id != BPF_FUNC_get_local_storage) |
2558 | goto error; | |
2559 | break; | |
546ac1ff JF |
2560 | /* devmap returns a pointer to a live net_device ifindex that we cannot |
2561 | * allow to be modified from bpf side. So do not allow lookup elements | |
2562 | * for now. | |
2563 | */ | |
2564 | case BPF_MAP_TYPE_DEVMAP: | |
2ddf71e2 | 2565 | if (func_id != BPF_FUNC_redirect_map) |
546ac1ff JF |
2566 | goto error; |
2567 | break; | |
fbfc504a BT |
2568 | /* Restrict bpf side of cpumap and xskmap, open when use-cases |
2569 | * appear. | |
2570 | */ | |
6710e112 | 2571 | case BPF_MAP_TYPE_CPUMAP: |
fbfc504a | 2572 | case BPF_MAP_TYPE_XSKMAP: |
6710e112 JDB |
2573 | if (func_id != BPF_FUNC_redirect_map) |
2574 | goto error; | |
2575 | break; | |
56f668df | 2576 | case BPF_MAP_TYPE_ARRAY_OF_MAPS: |
bcc6b1b7 | 2577 | case BPF_MAP_TYPE_HASH_OF_MAPS: |
56f668df MKL |
2578 | if (func_id != BPF_FUNC_map_lookup_elem) |
2579 | goto error; | |
16a43625 | 2580 | break; |
174a79ff JF |
2581 | case BPF_MAP_TYPE_SOCKMAP: |
2582 | if (func_id != BPF_FUNC_sk_redirect_map && | |
2583 | func_id != BPF_FUNC_sock_map_update && | |
4f738adb JF |
2584 | func_id != BPF_FUNC_map_delete_elem && |
2585 | func_id != BPF_FUNC_msg_redirect_map) | |
174a79ff JF |
2586 | goto error; |
2587 | break; | |
81110384 JF |
2588 | case BPF_MAP_TYPE_SOCKHASH: |
2589 | if (func_id != BPF_FUNC_sk_redirect_hash && | |
2590 | func_id != BPF_FUNC_sock_hash_update && | |
2591 | func_id != BPF_FUNC_map_delete_elem && | |
2592 | func_id != BPF_FUNC_msg_redirect_hash) | |
2593 | goto error; | |
2594 | break; | |
2dbb9b9e MKL |
2595 | case BPF_MAP_TYPE_REUSEPORT_SOCKARRAY: |
2596 | if (func_id != BPF_FUNC_sk_select_reuseport) | |
2597 | goto error; | |
2598 | break; | |
f1a2e44a MV |
2599 | case BPF_MAP_TYPE_QUEUE: |
2600 | case BPF_MAP_TYPE_STACK: | |
2601 | if (func_id != BPF_FUNC_map_peek_elem && | |
2602 | func_id != BPF_FUNC_map_pop_elem && | |
2603 | func_id != BPF_FUNC_map_push_elem) | |
2604 | goto error; | |
2605 | break; | |
6aff67c8 AS |
2606 | default: |
2607 | break; | |
2608 | } | |
2609 | ||
2610 | /* ... and second from the function itself. */ | |
2611 | switch (func_id) { | |
2612 | case BPF_FUNC_tail_call: | |
2613 | if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY) | |
2614 | goto error; | |
f910cefa | 2615 | if (env->subprog_cnt > 1) { |
f4d7e40a AS |
2616 | verbose(env, "tail_calls are not allowed in programs with bpf-to-bpf calls\n"); |
2617 | return -EINVAL; | |
2618 | } | |
6aff67c8 AS |
2619 | break; |
2620 | case BPF_FUNC_perf_event_read: | |
2621 | case BPF_FUNC_perf_event_output: | |
908432ca | 2622 | case BPF_FUNC_perf_event_read_value: |
6aff67c8 AS |
2623 | if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY) |
2624 | goto error; | |
2625 | break; | |
2626 | case BPF_FUNC_get_stackid: | |
2627 | if (map->map_type != BPF_MAP_TYPE_STACK_TRACE) | |
2628 | goto error; | |
2629 | break; | |
60d20f91 | 2630 | case BPF_FUNC_current_task_under_cgroup: |
747ea55e | 2631 | case BPF_FUNC_skb_under_cgroup: |
4a482f34 MKL |
2632 | if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY) |
2633 | goto error; | |
2634 | break; | |
97f91a7c | 2635 | case BPF_FUNC_redirect_map: |
9c270af3 | 2636 | if (map->map_type != BPF_MAP_TYPE_DEVMAP && |
fbfc504a BT |
2637 | map->map_type != BPF_MAP_TYPE_CPUMAP && |
2638 | map->map_type != BPF_MAP_TYPE_XSKMAP) | |
97f91a7c JF |
2639 | goto error; |
2640 | break; | |
174a79ff | 2641 | case BPF_FUNC_sk_redirect_map: |
4f738adb | 2642 | case BPF_FUNC_msg_redirect_map: |
81110384 | 2643 | case BPF_FUNC_sock_map_update: |
174a79ff JF |
2644 | if (map->map_type != BPF_MAP_TYPE_SOCKMAP) |
2645 | goto error; | |
2646 | break; | |
81110384 JF |
2647 | case BPF_FUNC_sk_redirect_hash: |
2648 | case BPF_FUNC_msg_redirect_hash: | |
2649 | case BPF_FUNC_sock_hash_update: | |
2650 | if (map->map_type != BPF_MAP_TYPE_SOCKHASH) | |
174a79ff JF |
2651 | goto error; |
2652 | break; | |
cd339431 | 2653 | case BPF_FUNC_get_local_storage: |
b741f163 RG |
2654 | if (map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE && |
2655 | map->map_type != BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) | |
cd339431 RG |
2656 | goto error; |
2657 | break; | |
2dbb9b9e MKL |
2658 | case BPF_FUNC_sk_select_reuseport: |
2659 | if (map->map_type != BPF_MAP_TYPE_REUSEPORT_SOCKARRAY) | |
2660 | goto error; | |
2661 | break; | |
f1a2e44a MV |
2662 | case BPF_FUNC_map_peek_elem: |
2663 | case BPF_FUNC_map_pop_elem: | |
2664 | case BPF_FUNC_map_push_elem: | |
2665 | if (map->map_type != BPF_MAP_TYPE_QUEUE && | |
2666 | map->map_type != BPF_MAP_TYPE_STACK) | |
2667 | goto error; | |
2668 | break; | |
6aff67c8 AS |
2669 | default: |
2670 | break; | |
35578d79 KX |
2671 | } |
2672 | ||
2673 | return 0; | |
6aff67c8 | 2674 | error: |
61bd5218 | 2675 | verbose(env, "cannot pass map_type %d into func %s#%d\n", |
ebb676da | 2676 | map->map_type, func_id_name(func_id), func_id); |
6aff67c8 | 2677 | return -EINVAL; |
35578d79 KX |
2678 | } |
2679 | ||
90133415 | 2680 | static bool check_raw_mode_ok(const struct bpf_func_proto *fn) |
435faee1 DB |
2681 | { |
2682 | int count = 0; | |
2683 | ||
39f19ebb | 2684 | if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 | 2685 | count++; |
39f19ebb | 2686 | if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 | 2687 | count++; |
39f19ebb | 2688 | if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 | 2689 | count++; |
39f19ebb | 2690 | if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 | 2691 | count++; |
39f19ebb | 2692 | if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM) |
435faee1 DB |
2693 | count++; |
2694 | ||
90133415 DB |
2695 | /* We only support one arg being in raw mode at the moment, |
2696 | * which is sufficient for the helper functions we have | |
2697 | * right now. | |
2698 | */ | |
2699 | return count <= 1; | |
2700 | } | |
2701 | ||
2702 | static bool check_args_pair_invalid(enum bpf_arg_type arg_curr, | |
2703 | enum bpf_arg_type arg_next) | |
2704 | { | |
2705 | return (arg_type_is_mem_ptr(arg_curr) && | |
2706 | !arg_type_is_mem_size(arg_next)) || | |
2707 | (!arg_type_is_mem_ptr(arg_curr) && | |
2708 | arg_type_is_mem_size(arg_next)); | |
2709 | } | |
2710 | ||
2711 | static bool check_arg_pair_ok(const struct bpf_func_proto *fn) | |
2712 | { | |
2713 | /* bpf_xxx(..., buf, len) call will access 'len' | |
2714 | * bytes from memory 'buf'. Both arg types need | |
2715 | * to be paired, so make sure there's no buggy | |
2716 | * helper function specification. | |
2717 | */ | |
2718 | if (arg_type_is_mem_size(fn->arg1_type) || | |
2719 | arg_type_is_mem_ptr(fn->arg5_type) || | |
2720 | check_args_pair_invalid(fn->arg1_type, fn->arg2_type) || | |
2721 | check_args_pair_invalid(fn->arg2_type, fn->arg3_type) || | |
2722 | check_args_pair_invalid(fn->arg3_type, fn->arg4_type) || | |
2723 | check_args_pair_invalid(fn->arg4_type, fn->arg5_type)) | |
2724 | return false; | |
2725 | ||
2726 | return true; | |
2727 | } | |
2728 | ||
1b986589 | 2729 | static bool check_refcount_ok(const struct bpf_func_proto *fn, int func_id) |
fd978bf7 JS |
2730 | { |
2731 | int count = 0; | |
2732 | ||
1b986589 | 2733 | if (arg_type_may_be_refcounted(fn->arg1_type)) |
fd978bf7 | 2734 | count++; |
1b986589 | 2735 | if (arg_type_may_be_refcounted(fn->arg2_type)) |
fd978bf7 | 2736 | count++; |
1b986589 | 2737 | if (arg_type_may_be_refcounted(fn->arg3_type)) |
fd978bf7 | 2738 | count++; |
1b986589 | 2739 | if (arg_type_may_be_refcounted(fn->arg4_type)) |
fd978bf7 | 2740 | count++; |
1b986589 | 2741 | if (arg_type_may_be_refcounted(fn->arg5_type)) |
fd978bf7 JS |
2742 | count++; |
2743 | ||
1b986589 MKL |
2744 | /* A reference acquiring function cannot acquire |
2745 | * another refcounted ptr. | |
2746 | */ | |
2747 | if (is_acquire_function(func_id) && count) | |
2748 | return false; | |
2749 | ||
fd978bf7 JS |
2750 | /* We only support one arg being unreferenced at the moment, |
2751 | * which is sufficient for the helper functions we have right now. | |
2752 | */ | |
2753 | return count <= 1; | |
2754 | } | |
2755 | ||
1b986589 | 2756 | static int check_func_proto(const struct bpf_func_proto *fn, int func_id) |
90133415 DB |
2757 | { |
2758 | return check_raw_mode_ok(fn) && | |
fd978bf7 | 2759 | check_arg_pair_ok(fn) && |
1b986589 | 2760 | check_refcount_ok(fn, func_id) ? 0 : -EINVAL; |
435faee1 DB |
2761 | } |
2762 | ||
de8f3a83 DB |
2763 | /* Packet data might have moved, any old PTR_TO_PACKET[_META,_END] |
2764 | * are now invalid, so turn them into unknown SCALAR_VALUE. | |
f1174f77 | 2765 | */ |
f4d7e40a AS |
2766 | static void __clear_all_pkt_pointers(struct bpf_verifier_env *env, |
2767 | struct bpf_func_state *state) | |
969bf05e | 2768 | { |
58e2af8b | 2769 | struct bpf_reg_state *regs = state->regs, *reg; |
969bf05e AS |
2770 | int i; |
2771 | ||
2772 | for (i = 0; i < MAX_BPF_REG; i++) | |
de8f3a83 | 2773 | if (reg_is_pkt_pointer_any(®s[i])) |
61bd5218 | 2774 | mark_reg_unknown(env, regs, i); |
969bf05e | 2775 | |
f3709f69 JS |
2776 | bpf_for_each_spilled_reg(i, state, reg) { |
2777 | if (!reg) | |
969bf05e | 2778 | continue; |
de8f3a83 DB |
2779 | if (reg_is_pkt_pointer_any(reg)) |
2780 | __mark_reg_unknown(reg); | |
969bf05e AS |
2781 | } |
2782 | } | |
2783 | ||
f4d7e40a AS |
2784 | static void clear_all_pkt_pointers(struct bpf_verifier_env *env) |
2785 | { | |
2786 | struct bpf_verifier_state *vstate = env->cur_state; | |
2787 | int i; | |
2788 | ||
2789 | for (i = 0; i <= vstate->curframe; i++) | |
2790 | __clear_all_pkt_pointers(env, vstate->frame[i]); | |
2791 | } | |
2792 | ||
fd978bf7 | 2793 | static void release_reg_references(struct bpf_verifier_env *env, |
1b986589 MKL |
2794 | struct bpf_func_state *state, |
2795 | int ref_obj_id) | |
fd978bf7 JS |
2796 | { |
2797 | struct bpf_reg_state *regs = state->regs, *reg; | |
2798 | int i; | |
2799 | ||
2800 | for (i = 0; i < MAX_BPF_REG; i++) | |
1b986589 | 2801 | if (regs[i].ref_obj_id == ref_obj_id) |
fd978bf7 JS |
2802 | mark_reg_unknown(env, regs, i); |
2803 | ||
2804 | bpf_for_each_spilled_reg(i, state, reg) { | |
2805 | if (!reg) | |
2806 | continue; | |
1b986589 | 2807 | if (reg->ref_obj_id == ref_obj_id) |
fd978bf7 JS |
2808 | __mark_reg_unknown(reg); |
2809 | } | |
2810 | } | |
2811 | ||
2812 | /* The pointer with the specified id has released its reference to kernel | |
2813 | * resources. Identify all copies of the same pointer and clear the reference. | |
2814 | */ | |
2815 | static int release_reference(struct bpf_verifier_env *env, | |
1b986589 | 2816 | int ref_obj_id) |
fd978bf7 JS |
2817 | { |
2818 | struct bpf_verifier_state *vstate = env->cur_state; | |
1b986589 | 2819 | int err; |
fd978bf7 JS |
2820 | int i; |
2821 | ||
1b986589 MKL |
2822 | err = release_reference_state(cur_func(env), ref_obj_id); |
2823 | if (err) | |
2824 | return err; | |
2825 | ||
fd978bf7 | 2826 | for (i = 0; i <= vstate->curframe; i++) |
1b986589 | 2827 | release_reg_references(env, vstate->frame[i], ref_obj_id); |
fd978bf7 | 2828 | |
1b986589 | 2829 | return 0; |
fd978bf7 JS |
2830 | } |
2831 | ||
f4d7e40a AS |
2832 | static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn, |
2833 | int *insn_idx) | |
2834 | { | |
2835 | struct bpf_verifier_state *state = env->cur_state; | |
2836 | struct bpf_func_state *caller, *callee; | |
fd978bf7 | 2837 | int i, err, subprog, target_insn; |
f4d7e40a | 2838 | |
aada9ce6 | 2839 | if (state->curframe + 1 >= MAX_CALL_FRAMES) { |
f4d7e40a | 2840 | verbose(env, "the call stack of %d frames is too deep\n", |
aada9ce6 | 2841 | state->curframe + 2); |
f4d7e40a AS |
2842 | return -E2BIG; |
2843 | } | |
2844 | ||
2845 | target_insn = *insn_idx + insn->imm; | |
2846 | subprog = find_subprog(env, target_insn + 1); | |
2847 | if (subprog < 0) { | |
2848 | verbose(env, "verifier bug. No program starts at insn %d\n", | |
2849 | target_insn + 1); | |
2850 | return -EFAULT; | |
2851 | } | |
2852 | ||
2853 | caller = state->frame[state->curframe]; | |
2854 | if (state->frame[state->curframe + 1]) { | |
2855 | verbose(env, "verifier bug. Frame %d already allocated\n", | |
2856 | state->curframe + 1); | |
2857 | return -EFAULT; | |
2858 | } | |
2859 | ||
2860 | callee = kzalloc(sizeof(*callee), GFP_KERNEL); | |
2861 | if (!callee) | |
2862 | return -ENOMEM; | |
2863 | state->frame[state->curframe + 1] = callee; | |
2864 | ||
2865 | /* callee cannot access r0, r6 - r9 for reading and has to write | |
2866 | * into its own stack before reading from it. | |
2867 | * callee can read/write into caller's stack | |
2868 | */ | |
2869 | init_func_state(env, callee, | |
2870 | /* remember the callsite, it will be used by bpf_exit */ | |
2871 | *insn_idx /* callsite */, | |
2872 | state->curframe + 1 /* frameno within this callchain */, | |
f910cefa | 2873 | subprog /* subprog number within this prog */); |
f4d7e40a | 2874 | |
fd978bf7 JS |
2875 | /* Transfer references to the callee */ |
2876 | err = transfer_reference_state(callee, caller); | |
2877 | if (err) | |
2878 | return err; | |
2879 | ||
679c782d EC |
2880 | /* copy r1 - r5 args that callee can access. The copy includes parent |
2881 | * pointers, which connects us up to the liveness chain | |
2882 | */ | |
f4d7e40a AS |
2883 | for (i = BPF_REG_1; i <= BPF_REG_5; i++) |
2884 | callee->regs[i] = caller->regs[i]; | |
2885 | ||
679c782d | 2886 | /* after the call registers r0 - r5 were scratched */ |
f4d7e40a AS |
2887 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
2888 | mark_reg_not_init(env, caller->regs, caller_saved[i]); | |
2889 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); | |
2890 | } | |
2891 | ||
2892 | /* only increment it after check_reg_arg() finished */ | |
2893 | state->curframe++; | |
2894 | ||
2895 | /* and go analyze first insn of the callee */ | |
2896 | *insn_idx = target_insn; | |
2897 | ||
2898 | if (env->log.level) { | |
2899 | verbose(env, "caller:\n"); | |
2900 | print_verifier_state(env, caller); | |
2901 | verbose(env, "callee:\n"); | |
2902 | print_verifier_state(env, callee); | |
2903 | } | |
2904 | return 0; | |
2905 | } | |
2906 | ||
2907 | static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx) | |
2908 | { | |
2909 | struct bpf_verifier_state *state = env->cur_state; | |
2910 | struct bpf_func_state *caller, *callee; | |
2911 | struct bpf_reg_state *r0; | |
fd978bf7 | 2912 | int err; |
f4d7e40a AS |
2913 | |
2914 | callee = state->frame[state->curframe]; | |
2915 | r0 = &callee->regs[BPF_REG_0]; | |
2916 | if (r0->type == PTR_TO_STACK) { | |
2917 | /* technically it's ok to return caller's stack pointer | |
2918 | * (or caller's caller's pointer) back to the caller, | |
2919 | * since these pointers are valid. Only current stack | |
2920 | * pointer will be invalid as soon as function exits, | |
2921 | * but let's be conservative | |
2922 | */ | |
2923 | verbose(env, "cannot return stack pointer to the caller\n"); | |
2924 | return -EINVAL; | |
2925 | } | |
2926 | ||
2927 | state->curframe--; | |
2928 | caller = state->frame[state->curframe]; | |
2929 | /* return to the caller whatever r0 had in the callee */ | |
2930 | caller->regs[BPF_REG_0] = *r0; | |
2931 | ||
fd978bf7 JS |
2932 | /* Transfer references to the caller */ |
2933 | err = transfer_reference_state(caller, callee); | |
2934 | if (err) | |
2935 | return err; | |
2936 | ||
f4d7e40a AS |
2937 | *insn_idx = callee->callsite + 1; |
2938 | if (env->log.level) { | |
2939 | verbose(env, "returning from callee:\n"); | |
2940 | print_verifier_state(env, callee); | |
2941 | verbose(env, "to caller at %d:\n", *insn_idx); | |
2942 | print_verifier_state(env, caller); | |
2943 | } | |
2944 | /* clear everything in the callee */ | |
2945 | free_func_state(callee); | |
2946 | state->frame[state->curframe + 1] = NULL; | |
2947 | return 0; | |
2948 | } | |
2949 | ||
849fa506 YS |
2950 | static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type, |
2951 | int func_id, | |
2952 | struct bpf_call_arg_meta *meta) | |
2953 | { | |
2954 | struct bpf_reg_state *ret_reg = ®s[BPF_REG_0]; | |
2955 | ||
2956 | if (ret_type != RET_INTEGER || | |
2957 | (func_id != BPF_FUNC_get_stack && | |
2958 | func_id != BPF_FUNC_probe_read_str)) | |
2959 | return; | |
2960 | ||
2961 | ret_reg->smax_value = meta->msize_smax_value; | |
2962 | ret_reg->umax_value = meta->msize_umax_value; | |
2963 | __reg_deduce_bounds(ret_reg); | |
2964 | __reg_bound_offset(ret_reg); | |
2965 | } | |
2966 | ||
c93552c4 DB |
2967 | static int |
2968 | record_func_map(struct bpf_verifier_env *env, struct bpf_call_arg_meta *meta, | |
2969 | int func_id, int insn_idx) | |
2970 | { | |
2971 | struct bpf_insn_aux_data *aux = &env->insn_aux_data[insn_idx]; | |
2972 | ||
2973 | if (func_id != BPF_FUNC_tail_call && | |
09772d92 DB |
2974 | func_id != BPF_FUNC_map_lookup_elem && |
2975 | func_id != BPF_FUNC_map_update_elem && | |
f1a2e44a MV |
2976 | func_id != BPF_FUNC_map_delete_elem && |
2977 | func_id != BPF_FUNC_map_push_elem && | |
2978 | func_id != BPF_FUNC_map_pop_elem && | |
2979 | func_id != BPF_FUNC_map_peek_elem) | |
c93552c4 | 2980 | return 0; |
09772d92 | 2981 | |
c93552c4 DB |
2982 | if (meta->map_ptr == NULL) { |
2983 | verbose(env, "kernel subsystem misconfigured verifier\n"); | |
2984 | return -EINVAL; | |
2985 | } | |
2986 | ||
2987 | if (!BPF_MAP_PTR(aux->map_state)) | |
2988 | bpf_map_ptr_store(aux, meta->map_ptr, | |
2989 | meta->map_ptr->unpriv_array); | |
2990 | else if (BPF_MAP_PTR(aux->map_state) != meta->map_ptr) | |
2991 | bpf_map_ptr_store(aux, BPF_MAP_PTR_POISON, | |
2992 | meta->map_ptr->unpriv_array); | |
2993 | return 0; | |
2994 | } | |
2995 | ||
fd978bf7 JS |
2996 | static int check_reference_leak(struct bpf_verifier_env *env) |
2997 | { | |
2998 | struct bpf_func_state *state = cur_func(env); | |
2999 | int i; | |
3000 | ||
3001 | for (i = 0; i < state->acquired_refs; i++) { | |
3002 | verbose(env, "Unreleased reference id=%d alloc_insn=%d\n", | |
3003 | state->refs[i].id, state->refs[i].insn_idx); | |
3004 | } | |
3005 | return state->acquired_refs ? -EINVAL : 0; | |
3006 | } | |
3007 | ||
f4d7e40a | 3008 | static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn_idx) |
17a52670 | 3009 | { |
17a52670 | 3010 | const struct bpf_func_proto *fn = NULL; |
638f5b90 | 3011 | struct bpf_reg_state *regs; |
33ff9823 | 3012 | struct bpf_call_arg_meta meta; |
969bf05e | 3013 | bool changes_data; |
17a52670 AS |
3014 | int i, err; |
3015 | ||
3016 | /* find function prototype */ | |
3017 | if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) { | |
61bd5218 JK |
3018 | verbose(env, "invalid func %s#%d\n", func_id_name(func_id), |
3019 | func_id); | |
17a52670 AS |
3020 | return -EINVAL; |
3021 | } | |
3022 | ||
00176a34 | 3023 | if (env->ops->get_func_proto) |
5e43f899 | 3024 | fn = env->ops->get_func_proto(func_id, env->prog); |
17a52670 | 3025 | if (!fn) { |
61bd5218 JK |
3026 | verbose(env, "unknown func %s#%d\n", func_id_name(func_id), |
3027 | func_id); | |
17a52670 AS |
3028 | return -EINVAL; |
3029 | } | |
3030 | ||
3031 | /* eBPF programs must be GPL compatible to use GPL-ed functions */ | |
24701ece | 3032 | if (!env->prog->gpl_compatible && fn->gpl_only) { |
3fe2867c | 3033 | verbose(env, "cannot call GPL-restricted function from non-GPL compatible program\n"); |
17a52670 AS |
3034 | return -EINVAL; |
3035 | } | |
3036 | ||
04514d13 | 3037 | /* With LD_ABS/IND some JITs save/restore skb from r1. */ |
17bedab2 | 3038 | changes_data = bpf_helper_changes_pkt_data(fn->func); |
04514d13 DB |
3039 | if (changes_data && fn->arg1_type != ARG_PTR_TO_CTX) { |
3040 | verbose(env, "kernel subsystem misconfigured func %s#%d: r1 != ctx\n", | |
3041 | func_id_name(func_id), func_id); | |
3042 | return -EINVAL; | |
3043 | } | |
969bf05e | 3044 | |
33ff9823 | 3045 | memset(&meta, 0, sizeof(meta)); |
36bbef52 | 3046 | meta.pkt_access = fn->pkt_access; |
33ff9823 | 3047 | |
1b986589 | 3048 | err = check_func_proto(fn, func_id); |
435faee1 | 3049 | if (err) { |
61bd5218 | 3050 | verbose(env, "kernel subsystem misconfigured func %s#%d\n", |
ebb676da | 3051 | func_id_name(func_id), func_id); |
435faee1 DB |
3052 | return err; |
3053 | } | |
3054 | ||
d83525ca | 3055 | meta.func_id = func_id; |
17a52670 | 3056 | /* check args */ |
33ff9823 | 3057 | err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta); |
17a52670 AS |
3058 | if (err) |
3059 | return err; | |
33ff9823 | 3060 | err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta); |
17a52670 AS |
3061 | if (err) |
3062 | return err; | |
33ff9823 | 3063 | err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta); |
17a52670 AS |
3064 | if (err) |
3065 | return err; | |
33ff9823 | 3066 | err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta); |
17a52670 AS |
3067 | if (err) |
3068 | return err; | |
33ff9823 | 3069 | err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta); |
17a52670 AS |
3070 | if (err) |
3071 | return err; | |
3072 | ||
c93552c4 DB |
3073 | err = record_func_map(env, &meta, func_id, insn_idx); |
3074 | if (err) | |
3075 | return err; | |
3076 | ||
435faee1 DB |
3077 | /* Mark slots with STACK_MISC in case of raw mode, stack offset |
3078 | * is inferred from register state. | |
3079 | */ | |
3080 | for (i = 0; i < meta.access_size; i++) { | |
ca369602 DB |
3081 | err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, |
3082 | BPF_WRITE, -1, false); | |
435faee1 DB |
3083 | if (err) |
3084 | return err; | |
3085 | } | |
3086 | ||
fd978bf7 JS |
3087 | if (func_id == BPF_FUNC_tail_call) { |
3088 | err = check_reference_leak(env); | |
3089 | if (err) { | |
3090 | verbose(env, "tail_call would lead to reference leak\n"); | |
3091 | return err; | |
3092 | } | |
3093 | } else if (is_release_function(func_id)) { | |
1b986589 | 3094 | err = release_reference(env, meta.ref_obj_id); |
46f8bc92 MKL |
3095 | if (err) { |
3096 | verbose(env, "func %s#%d reference has not been acquired before\n", | |
3097 | func_id_name(func_id), func_id); | |
fd978bf7 | 3098 | return err; |
46f8bc92 | 3099 | } |
fd978bf7 JS |
3100 | } |
3101 | ||
638f5b90 | 3102 | regs = cur_regs(env); |
cd339431 RG |
3103 | |
3104 | /* check that flags argument in get_local_storage(map, flags) is 0, | |
3105 | * this is required because get_local_storage() can't return an error. | |
3106 | */ | |
3107 | if (func_id == BPF_FUNC_get_local_storage && | |
3108 | !register_is_null(®s[BPF_REG_2])) { | |
3109 | verbose(env, "get_local_storage() doesn't support non-zero flags\n"); | |
3110 | return -EINVAL; | |
3111 | } | |
3112 | ||
17a52670 | 3113 | /* reset caller saved regs */ |
dc503a8a | 3114 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
61bd5218 | 3115 | mark_reg_not_init(env, regs, caller_saved[i]); |
dc503a8a EC |
3116 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); |
3117 | } | |
17a52670 | 3118 | |
dc503a8a | 3119 | /* update return register (already marked as written above) */ |
17a52670 | 3120 | if (fn->ret_type == RET_INTEGER) { |
f1174f77 | 3121 | /* sets type to SCALAR_VALUE */ |
61bd5218 | 3122 | mark_reg_unknown(env, regs, BPF_REG_0); |
17a52670 AS |
3123 | } else if (fn->ret_type == RET_VOID) { |
3124 | regs[BPF_REG_0].type = NOT_INIT; | |
3e6a4b3e RG |
3125 | } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL || |
3126 | fn->ret_type == RET_PTR_TO_MAP_VALUE) { | |
f1174f77 | 3127 | /* There is no offset yet applied, variable or fixed */ |
61bd5218 | 3128 | mark_reg_known_zero(env, regs, BPF_REG_0); |
17a52670 AS |
3129 | /* remember map_ptr, so that check_map_access() |
3130 | * can check 'value_size' boundary of memory access | |
3131 | * to map element returned from bpf_map_lookup_elem() | |
3132 | */ | |
33ff9823 | 3133 | if (meta.map_ptr == NULL) { |
61bd5218 JK |
3134 | verbose(env, |
3135 | "kernel subsystem misconfigured verifier\n"); | |
17a52670 AS |
3136 | return -EINVAL; |
3137 | } | |
33ff9823 | 3138 | regs[BPF_REG_0].map_ptr = meta.map_ptr; |
4d31f301 DB |
3139 | if (fn->ret_type == RET_PTR_TO_MAP_VALUE) { |
3140 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE; | |
e16d2f1a AS |
3141 | if (map_value_has_spin_lock(meta.map_ptr)) |
3142 | regs[BPF_REG_0].id = ++env->id_gen; | |
4d31f301 DB |
3143 | } else { |
3144 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; | |
3145 | regs[BPF_REG_0].id = ++env->id_gen; | |
3146 | } | |
c64b7983 JS |
3147 | } else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) { |
3148 | mark_reg_known_zero(env, regs, BPF_REG_0); | |
3149 | regs[BPF_REG_0].type = PTR_TO_SOCKET_OR_NULL; | |
46f8bc92 MKL |
3150 | if (is_acquire_function(func_id)) { |
3151 | int id = acquire_reference_state(env, insn_idx); | |
3152 | ||
3153 | if (id < 0) | |
3154 | return id; | |
1b986589 | 3155 | /* For mark_ptr_or_null_reg() */ |
46f8bc92 | 3156 | regs[BPF_REG_0].id = id; |
1b986589 MKL |
3157 | /* For release_reference() */ |
3158 | regs[BPF_REG_0].ref_obj_id = id; | |
46f8bc92 MKL |
3159 | } else { |
3160 | /* For mark_ptr_or_null_reg() */ | |
3161 | regs[BPF_REG_0].id = ++env->id_gen; | |
3162 | } | |
655a51e5 MKL |
3163 | } else if (fn->ret_type == RET_PTR_TO_TCP_SOCK_OR_NULL) { |
3164 | mark_reg_known_zero(env, regs, BPF_REG_0); | |
3165 | regs[BPF_REG_0].type = PTR_TO_TCP_SOCK_OR_NULL; | |
3166 | regs[BPF_REG_0].id = ++env->id_gen; | |
17a52670 | 3167 | } else { |
61bd5218 | 3168 | verbose(env, "unknown return type %d of func %s#%d\n", |
ebb676da | 3169 | fn->ret_type, func_id_name(func_id), func_id); |
17a52670 AS |
3170 | return -EINVAL; |
3171 | } | |
04fd61ab | 3172 | |
1b986589 MKL |
3173 | if (is_ptr_cast_function(func_id)) |
3174 | /* For release_reference() */ | |
3175 | regs[BPF_REG_0].ref_obj_id = meta.ref_obj_id; | |
3176 | ||
849fa506 YS |
3177 | do_refine_retval_range(regs, fn->ret_type, func_id, &meta); |
3178 | ||
61bd5218 | 3179 | err = check_map_func_compatibility(env, meta.map_ptr, func_id); |
35578d79 KX |
3180 | if (err) |
3181 | return err; | |
04fd61ab | 3182 | |
c195651e YS |
3183 | if (func_id == BPF_FUNC_get_stack && !env->prog->has_callchain_buf) { |
3184 | const char *err_str; | |
3185 | ||
3186 | #ifdef CONFIG_PERF_EVENTS | |
3187 | err = get_callchain_buffers(sysctl_perf_event_max_stack); | |
3188 | err_str = "cannot get callchain buffer for func %s#%d\n"; | |
3189 | #else | |
3190 | err = -ENOTSUPP; | |
3191 | err_str = "func %s#%d not supported without CONFIG_PERF_EVENTS\n"; | |
3192 | #endif | |
3193 | if (err) { | |
3194 | verbose(env, err_str, func_id_name(func_id), func_id); | |
3195 | return err; | |
3196 | } | |
3197 | ||
3198 | env->prog->has_callchain_buf = true; | |
3199 | } | |
3200 | ||
969bf05e AS |
3201 | if (changes_data) |
3202 | clear_all_pkt_pointers(env); | |
3203 | return 0; | |
3204 | } | |
3205 | ||
b03c9f9f EC |
3206 | static bool signed_add_overflows(s64 a, s64 b) |
3207 | { | |
3208 | /* Do the add in u64, where overflow is well-defined */ | |
3209 | s64 res = (s64)((u64)a + (u64)b); | |
3210 | ||
3211 | if (b < 0) | |
3212 | return res > a; | |
3213 | return res < a; | |
3214 | } | |
3215 | ||
3216 | static bool signed_sub_overflows(s64 a, s64 b) | |
3217 | { | |
3218 | /* Do the sub in u64, where overflow is well-defined */ | |
3219 | s64 res = (s64)((u64)a - (u64)b); | |
3220 | ||
3221 | if (b < 0) | |
3222 | return res < a; | |
3223 | return res > a; | |
969bf05e AS |
3224 | } |
3225 | ||
bb7f0f98 AS |
3226 | static bool check_reg_sane_offset(struct bpf_verifier_env *env, |
3227 | const struct bpf_reg_state *reg, | |
3228 | enum bpf_reg_type type) | |
3229 | { | |
3230 | bool known = tnum_is_const(reg->var_off); | |
3231 | s64 val = reg->var_off.value; | |
3232 | s64 smin = reg->smin_value; | |
3233 | ||
3234 | if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) { | |
3235 | verbose(env, "math between %s pointer and %lld is not allowed\n", | |
3236 | reg_type_str[type], val); | |
3237 | return false; | |
3238 | } | |
3239 | ||
3240 | if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) { | |
3241 | verbose(env, "%s pointer offset %d is not allowed\n", | |
3242 | reg_type_str[type], reg->off); | |
3243 | return false; | |
3244 | } | |
3245 | ||
3246 | if (smin == S64_MIN) { | |
3247 | verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n", | |
3248 | reg_type_str[type]); | |
3249 | return false; | |
3250 | } | |
3251 | ||
3252 | if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) { | |
3253 | verbose(env, "value %lld makes %s pointer be out of bounds\n", | |
3254 | smin, reg_type_str[type]); | |
3255 | return false; | |
3256 | } | |
3257 | ||
3258 | return true; | |
3259 | } | |
3260 | ||
979d63d5 DB |
3261 | static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env) |
3262 | { | |
3263 | return &env->insn_aux_data[env->insn_idx]; | |
3264 | } | |
3265 | ||
3266 | static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, | |
3267 | u32 *ptr_limit, u8 opcode, bool off_is_neg) | |
3268 | { | |
3269 | bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || | |
3270 | (opcode == BPF_SUB && !off_is_neg); | |
3271 | u32 off; | |
3272 | ||
3273 | switch (ptr_reg->type) { | |
3274 | case PTR_TO_STACK: | |
3275 | off = ptr_reg->off + ptr_reg->var_off.value; | |
3276 | if (mask_to_left) | |
3277 | *ptr_limit = MAX_BPF_STACK + off; | |
3278 | else | |
3279 | *ptr_limit = -off; | |
3280 | return 0; | |
3281 | case PTR_TO_MAP_VALUE: | |
3282 | if (mask_to_left) { | |
3283 | *ptr_limit = ptr_reg->umax_value + ptr_reg->off; | |
3284 | } else { | |
3285 | off = ptr_reg->smin_value + ptr_reg->off; | |
3286 | *ptr_limit = ptr_reg->map_ptr->value_size - off; | |
3287 | } | |
3288 | return 0; | |
3289 | default: | |
3290 | return -EINVAL; | |
3291 | } | |
3292 | } | |
3293 | ||
d3bd7413 DB |
3294 | static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env, |
3295 | const struct bpf_insn *insn) | |
3296 | { | |
3297 | return env->allow_ptr_leaks || BPF_SRC(insn->code) == BPF_K; | |
3298 | } | |
3299 | ||
3300 | static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux, | |
3301 | u32 alu_state, u32 alu_limit) | |
3302 | { | |
3303 | /* If we arrived here from different branches with different | |
3304 | * state or limits to sanitize, then this won't work. | |
3305 | */ | |
3306 | if (aux->alu_state && | |
3307 | (aux->alu_state != alu_state || | |
3308 | aux->alu_limit != alu_limit)) | |
3309 | return -EACCES; | |
3310 | ||
3311 | /* Corresponding fixup done in fixup_bpf_calls(). */ | |
3312 | aux->alu_state = alu_state; | |
3313 | aux->alu_limit = alu_limit; | |
3314 | return 0; | |
3315 | } | |
3316 | ||
3317 | static int sanitize_val_alu(struct bpf_verifier_env *env, | |
3318 | struct bpf_insn *insn) | |
3319 | { | |
3320 | struct bpf_insn_aux_data *aux = cur_aux(env); | |
3321 | ||
3322 | if (can_skip_alu_sanitation(env, insn)) | |
3323 | return 0; | |
3324 | ||
3325 | return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); | |
3326 | } | |
3327 | ||
979d63d5 DB |
3328 | static int sanitize_ptr_alu(struct bpf_verifier_env *env, |
3329 | struct bpf_insn *insn, | |
3330 | const struct bpf_reg_state *ptr_reg, | |
3331 | struct bpf_reg_state *dst_reg, | |
3332 | bool off_is_neg) | |
3333 | { | |
3334 | struct bpf_verifier_state *vstate = env->cur_state; | |
3335 | struct bpf_insn_aux_data *aux = cur_aux(env); | |
3336 | bool ptr_is_dst_reg = ptr_reg == dst_reg; | |
3337 | u8 opcode = BPF_OP(insn->code); | |
3338 | u32 alu_state, alu_limit; | |
3339 | struct bpf_reg_state tmp; | |
3340 | bool ret; | |
3341 | ||
d3bd7413 | 3342 | if (can_skip_alu_sanitation(env, insn)) |
979d63d5 DB |
3343 | return 0; |
3344 | ||
3345 | /* We already marked aux for masking from non-speculative | |
3346 | * paths, thus we got here in the first place. We only care | |
3347 | * to explore bad access from here. | |
3348 | */ | |
3349 | if (vstate->speculative) | |
3350 | goto do_sim; | |
3351 | ||
3352 | alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; | |
3353 | alu_state |= ptr_is_dst_reg ? | |
3354 | BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; | |
3355 | ||
3356 | if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg)) | |
3357 | return 0; | |
d3bd7413 | 3358 | if (update_alu_sanitation_state(aux, alu_state, alu_limit)) |
979d63d5 | 3359 | return -EACCES; |
979d63d5 DB |
3360 | do_sim: |
3361 | /* Simulate and find potential out-of-bounds access under | |
3362 | * speculative execution from truncation as a result of | |
3363 | * masking when off was not within expected range. If off | |
3364 | * sits in dst, then we temporarily need to move ptr there | |
3365 | * to simulate dst (== 0) +/-= ptr. Needed, for example, | |
3366 | * for cases where we use K-based arithmetic in one direction | |
3367 | * and truncated reg-based in the other in order to explore | |
3368 | * bad access. | |
3369 | */ | |
3370 | if (!ptr_is_dst_reg) { | |
3371 | tmp = *dst_reg; | |
3372 | *dst_reg = *ptr_reg; | |
3373 | } | |
3374 | ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); | |
3375 | if (!ptr_is_dst_reg) | |
3376 | *dst_reg = tmp; | |
3377 | return !ret ? -EFAULT : 0; | |
3378 | } | |
3379 | ||
f1174f77 | 3380 | /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. |
f1174f77 EC |
3381 | * Caller should also handle BPF_MOV case separately. |
3382 | * If we return -EACCES, caller may want to try again treating pointer as a | |
3383 | * scalar. So we only emit a diagnostic if !env->allow_ptr_leaks. | |
3384 | */ | |
3385 | static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | |
3386 | struct bpf_insn *insn, | |
3387 | const struct bpf_reg_state *ptr_reg, | |
3388 | const struct bpf_reg_state *off_reg) | |
969bf05e | 3389 | { |
f4d7e40a AS |
3390 | struct bpf_verifier_state *vstate = env->cur_state; |
3391 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
3392 | struct bpf_reg_state *regs = state->regs, *dst_reg; | |
f1174f77 | 3393 | bool known = tnum_is_const(off_reg->var_off); |
b03c9f9f EC |
3394 | s64 smin_val = off_reg->smin_value, smax_val = off_reg->smax_value, |
3395 | smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; | |
3396 | u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, | |
3397 | umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; | |
9d7eceed | 3398 | u32 dst = insn->dst_reg, src = insn->src_reg; |
969bf05e | 3399 | u8 opcode = BPF_OP(insn->code); |
979d63d5 | 3400 | int ret; |
969bf05e | 3401 | |
f1174f77 | 3402 | dst_reg = ®s[dst]; |
969bf05e | 3403 | |
6f16101e DB |
3404 | if ((known && (smin_val != smax_val || umin_val != umax_val)) || |
3405 | smin_val > smax_val || umin_val > umax_val) { | |
3406 | /* Taint dst register if offset had invalid bounds derived from | |
3407 | * e.g. dead branches. | |
3408 | */ | |
3409 | __mark_reg_unknown(dst_reg); | |
3410 | return 0; | |
f1174f77 EC |
3411 | } |
3412 | ||
3413 | if (BPF_CLASS(insn->code) != BPF_ALU64) { | |
3414 | /* 32-bit ALU ops on pointers produce (meaningless) scalars */ | |
82abbf8d AS |
3415 | verbose(env, |
3416 | "R%d 32-bit pointer arithmetic prohibited\n", | |
3417 | dst); | |
f1174f77 | 3418 | return -EACCES; |
969bf05e AS |
3419 | } |
3420 | ||
aad2eeaf JS |
3421 | switch (ptr_reg->type) { |
3422 | case PTR_TO_MAP_VALUE_OR_NULL: | |
3423 | verbose(env, "R%d pointer arithmetic on %s prohibited, null-check it first\n", | |
3424 | dst, reg_type_str[ptr_reg->type]); | |
f1174f77 | 3425 | return -EACCES; |
aad2eeaf JS |
3426 | case CONST_PTR_TO_MAP: |
3427 | case PTR_TO_PACKET_END: | |
c64b7983 JS |
3428 | case PTR_TO_SOCKET: |
3429 | case PTR_TO_SOCKET_OR_NULL: | |
46f8bc92 MKL |
3430 | case PTR_TO_SOCK_COMMON: |
3431 | case PTR_TO_SOCK_COMMON_OR_NULL: | |
655a51e5 MKL |
3432 | case PTR_TO_TCP_SOCK: |
3433 | case PTR_TO_TCP_SOCK_OR_NULL: | |
aad2eeaf JS |
3434 | verbose(env, "R%d pointer arithmetic on %s prohibited\n", |
3435 | dst, reg_type_str[ptr_reg->type]); | |
f1174f77 | 3436 | return -EACCES; |
9d7eceed DB |
3437 | case PTR_TO_MAP_VALUE: |
3438 | if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { | |
3439 | verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", | |
3440 | off_reg == dst_reg ? dst : src); | |
3441 | return -EACCES; | |
3442 | } | |
3443 | /* fall-through */ | |
aad2eeaf JS |
3444 | default: |
3445 | break; | |
f1174f77 EC |
3446 | } |
3447 | ||
3448 | /* In case of 'scalar += pointer', dst_reg inherits pointer type and id. | |
3449 | * The id may be overwritten later if we create a new variable offset. | |
969bf05e | 3450 | */ |
f1174f77 EC |
3451 | dst_reg->type = ptr_reg->type; |
3452 | dst_reg->id = ptr_reg->id; | |
969bf05e | 3453 | |
bb7f0f98 AS |
3454 | if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) || |
3455 | !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) | |
3456 | return -EINVAL; | |
3457 | ||
f1174f77 EC |
3458 | switch (opcode) { |
3459 | case BPF_ADD: | |
979d63d5 DB |
3460 | ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); |
3461 | if (ret < 0) { | |
3462 | verbose(env, "R%d tried to add from different maps or paths\n", dst); | |
3463 | return ret; | |
3464 | } | |
f1174f77 EC |
3465 | /* We can take a fixed offset as long as it doesn't overflow |
3466 | * the s32 'off' field | |
969bf05e | 3467 | */ |
b03c9f9f EC |
3468 | if (known && (ptr_reg->off + smin_val == |
3469 | (s64)(s32)(ptr_reg->off + smin_val))) { | |
f1174f77 | 3470 | /* pointer += K. Accumulate it into fixed offset */ |
b03c9f9f EC |
3471 | dst_reg->smin_value = smin_ptr; |
3472 | dst_reg->smax_value = smax_ptr; | |
3473 | dst_reg->umin_value = umin_ptr; | |
3474 | dst_reg->umax_value = umax_ptr; | |
f1174f77 | 3475 | dst_reg->var_off = ptr_reg->var_off; |
b03c9f9f | 3476 | dst_reg->off = ptr_reg->off + smin_val; |
0962590e | 3477 | dst_reg->raw = ptr_reg->raw; |
f1174f77 EC |
3478 | break; |
3479 | } | |
f1174f77 EC |
3480 | /* A new variable offset is created. Note that off_reg->off |
3481 | * == 0, since it's a scalar. | |
3482 | * dst_reg gets the pointer type and since some positive | |
3483 | * integer value was added to the pointer, give it a new 'id' | |
3484 | * if it's a PTR_TO_PACKET. | |
3485 | * this creates a new 'base' pointer, off_reg (variable) gets | |
3486 | * added into the variable offset, and we copy the fixed offset | |
3487 | * from ptr_reg. | |
969bf05e | 3488 | */ |
b03c9f9f EC |
3489 | if (signed_add_overflows(smin_ptr, smin_val) || |
3490 | signed_add_overflows(smax_ptr, smax_val)) { | |
3491 | dst_reg->smin_value = S64_MIN; | |
3492 | dst_reg->smax_value = S64_MAX; | |
3493 | } else { | |
3494 | dst_reg->smin_value = smin_ptr + smin_val; | |
3495 | dst_reg->smax_value = smax_ptr + smax_val; | |
3496 | } | |
3497 | if (umin_ptr + umin_val < umin_ptr || | |
3498 | umax_ptr + umax_val < umax_ptr) { | |
3499 | dst_reg->umin_value = 0; | |
3500 | dst_reg->umax_value = U64_MAX; | |
3501 | } else { | |
3502 | dst_reg->umin_value = umin_ptr + umin_val; | |
3503 | dst_reg->umax_value = umax_ptr + umax_val; | |
3504 | } | |
f1174f77 EC |
3505 | dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off); |
3506 | dst_reg->off = ptr_reg->off; | |
0962590e | 3507 | dst_reg->raw = ptr_reg->raw; |
de8f3a83 | 3508 | if (reg_is_pkt_pointer(ptr_reg)) { |
f1174f77 EC |
3509 | dst_reg->id = ++env->id_gen; |
3510 | /* something was added to pkt_ptr, set range to zero */ | |
0962590e | 3511 | dst_reg->raw = 0; |
f1174f77 EC |
3512 | } |
3513 | break; | |
3514 | case BPF_SUB: | |
979d63d5 DB |
3515 | ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); |
3516 | if (ret < 0) { | |
3517 | verbose(env, "R%d tried to sub from different maps or paths\n", dst); | |
3518 | return ret; | |
3519 | } | |
f1174f77 EC |
3520 | if (dst_reg == off_reg) { |
3521 | /* scalar -= pointer. Creates an unknown scalar */ | |
82abbf8d AS |
3522 | verbose(env, "R%d tried to subtract pointer from scalar\n", |
3523 | dst); | |
f1174f77 EC |
3524 | return -EACCES; |
3525 | } | |
3526 | /* We don't allow subtraction from FP, because (according to | |
3527 | * test_verifier.c test "invalid fp arithmetic", JITs might not | |
3528 | * be able to deal with it. | |
969bf05e | 3529 | */ |
f1174f77 | 3530 | if (ptr_reg->type == PTR_TO_STACK) { |
82abbf8d AS |
3531 | verbose(env, "R%d subtraction from stack pointer prohibited\n", |
3532 | dst); | |
f1174f77 EC |
3533 | return -EACCES; |
3534 | } | |
b03c9f9f EC |
3535 | if (known && (ptr_reg->off - smin_val == |
3536 | (s64)(s32)(ptr_reg->off - smin_val))) { | |
f1174f77 | 3537 | /* pointer -= K. Subtract it from fixed offset */ |
b03c9f9f EC |
3538 | dst_reg->smin_value = smin_ptr; |
3539 | dst_reg->smax_value = smax_ptr; | |
3540 | dst_reg->umin_value = umin_ptr; | |
3541 | dst_reg->umax_value = umax_ptr; | |
f1174f77 EC |
3542 | dst_reg->var_off = ptr_reg->var_off; |
3543 | dst_reg->id = ptr_reg->id; | |
b03c9f9f | 3544 | dst_reg->off = ptr_reg->off - smin_val; |
0962590e | 3545 | dst_reg->raw = ptr_reg->raw; |
f1174f77 EC |
3546 | break; |
3547 | } | |
f1174f77 EC |
3548 | /* A new variable offset is created. If the subtrahend is known |
3549 | * nonnegative, then any reg->range we had before is still good. | |
969bf05e | 3550 | */ |
b03c9f9f EC |
3551 | if (signed_sub_overflows(smin_ptr, smax_val) || |
3552 | signed_sub_overflows(smax_ptr, smin_val)) { | |
3553 | /* Overflow possible, we know nothing */ | |
3554 | dst_reg->smin_value = S64_MIN; | |
3555 | dst_reg->smax_value = S64_MAX; | |
3556 | } else { | |
3557 | dst_reg->smin_value = smin_ptr - smax_val; | |
3558 | dst_reg->smax_value = smax_ptr - smin_val; | |
3559 | } | |
3560 | if (umin_ptr < umax_val) { | |
3561 | /* Overflow possible, we know nothing */ | |
3562 | dst_reg->umin_value = 0; | |
3563 | dst_reg->umax_value = U64_MAX; | |
3564 | } else { | |
3565 | /* Cannot overflow (as long as bounds are consistent) */ | |
3566 | dst_reg->umin_value = umin_ptr - umax_val; | |
3567 | dst_reg->umax_value = umax_ptr - umin_val; | |
3568 | } | |
f1174f77 EC |
3569 | dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off); |
3570 | dst_reg->off = ptr_reg->off; | |
0962590e | 3571 | dst_reg->raw = ptr_reg->raw; |
de8f3a83 | 3572 | if (reg_is_pkt_pointer(ptr_reg)) { |
f1174f77 EC |
3573 | dst_reg->id = ++env->id_gen; |
3574 | /* something was added to pkt_ptr, set range to zero */ | |
b03c9f9f | 3575 | if (smin_val < 0) |
0962590e | 3576 | dst_reg->raw = 0; |
43188702 | 3577 | } |
f1174f77 EC |
3578 | break; |
3579 | case BPF_AND: | |
3580 | case BPF_OR: | |
3581 | case BPF_XOR: | |
82abbf8d AS |
3582 | /* bitwise ops on pointers are troublesome, prohibit. */ |
3583 | verbose(env, "R%d bitwise operator %s on pointer prohibited\n", | |
3584 | dst, bpf_alu_string[opcode >> 4]); | |
f1174f77 EC |
3585 | return -EACCES; |
3586 | default: | |
3587 | /* other operators (e.g. MUL,LSH) produce non-pointer results */ | |
82abbf8d AS |
3588 | verbose(env, "R%d pointer arithmetic with %s operator prohibited\n", |
3589 | dst, bpf_alu_string[opcode >> 4]); | |
f1174f77 | 3590 | return -EACCES; |
43188702 JF |
3591 | } |
3592 | ||
bb7f0f98 AS |
3593 | if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type)) |
3594 | return -EINVAL; | |
3595 | ||
b03c9f9f EC |
3596 | __update_reg_bounds(dst_reg); |
3597 | __reg_deduce_bounds(dst_reg); | |
3598 | __reg_bound_offset(dst_reg); | |
0d6303db DB |
3599 | |
3600 | /* For unprivileged we require that resulting offset must be in bounds | |
3601 | * in order to be able to sanitize access later on. | |
3602 | */ | |
e4298d25 DB |
3603 | if (!env->allow_ptr_leaks) { |
3604 | if (dst_reg->type == PTR_TO_MAP_VALUE && | |
3605 | check_map_access(env, dst, dst_reg->off, 1, false)) { | |
3606 | verbose(env, "R%d pointer arithmetic of map value goes out of range, " | |
3607 | "prohibited for !root\n", dst); | |
3608 | return -EACCES; | |
3609 | } else if (dst_reg->type == PTR_TO_STACK && | |
3610 | check_stack_access(env, dst_reg, dst_reg->off + | |
3611 | dst_reg->var_off.value, 1)) { | |
3612 | verbose(env, "R%d stack pointer arithmetic goes out of range, " | |
3613 | "prohibited for !root\n", dst); | |
3614 | return -EACCES; | |
3615 | } | |
0d6303db DB |
3616 | } |
3617 | ||
43188702 JF |
3618 | return 0; |
3619 | } | |
3620 | ||
468f6eaf JH |
3621 | /* WARNING: This function does calculations on 64-bit values, but the actual |
3622 | * execution may occur on 32-bit values. Therefore, things like bitshifts | |
3623 | * need extra checks in the 32-bit case. | |
3624 | */ | |
f1174f77 EC |
3625 | static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, |
3626 | struct bpf_insn *insn, | |
3627 | struct bpf_reg_state *dst_reg, | |
3628 | struct bpf_reg_state src_reg) | |
969bf05e | 3629 | { |
638f5b90 | 3630 | struct bpf_reg_state *regs = cur_regs(env); |
48461135 | 3631 | u8 opcode = BPF_OP(insn->code); |
f1174f77 | 3632 | bool src_known, dst_known; |
b03c9f9f EC |
3633 | s64 smin_val, smax_val; |
3634 | u64 umin_val, umax_val; | |
468f6eaf | 3635 | u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; |
d3bd7413 DB |
3636 | u32 dst = insn->dst_reg; |
3637 | int ret; | |
48461135 | 3638 | |
b799207e JH |
3639 | if (insn_bitness == 32) { |
3640 | /* Relevant for 32-bit RSH: Information can propagate towards | |
3641 | * LSB, so it isn't sufficient to only truncate the output to | |
3642 | * 32 bits. | |
3643 | */ | |
3644 | coerce_reg_to_size(dst_reg, 4); | |
3645 | coerce_reg_to_size(&src_reg, 4); | |
3646 | } | |
3647 | ||
b03c9f9f EC |
3648 | smin_val = src_reg.smin_value; |
3649 | smax_val = src_reg.smax_value; | |
3650 | umin_val = src_reg.umin_value; | |
3651 | umax_val = src_reg.umax_value; | |
f1174f77 EC |
3652 | src_known = tnum_is_const(src_reg.var_off); |
3653 | dst_known = tnum_is_const(dst_reg->var_off); | |
f23cc643 | 3654 | |
6f16101e DB |
3655 | if ((src_known && (smin_val != smax_val || umin_val != umax_val)) || |
3656 | smin_val > smax_val || umin_val > umax_val) { | |
3657 | /* Taint dst register if offset had invalid bounds derived from | |
3658 | * e.g. dead branches. | |
3659 | */ | |
3660 | __mark_reg_unknown(dst_reg); | |
3661 | return 0; | |
3662 | } | |
3663 | ||
bb7f0f98 AS |
3664 | if (!src_known && |
3665 | opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) { | |
3666 | __mark_reg_unknown(dst_reg); | |
3667 | return 0; | |
3668 | } | |
3669 | ||
48461135 JB |
3670 | switch (opcode) { |
3671 | case BPF_ADD: | |
d3bd7413 DB |
3672 | ret = sanitize_val_alu(env, insn); |
3673 | if (ret < 0) { | |
3674 | verbose(env, "R%d tried to add from different pointers or scalars\n", dst); | |
3675 | return ret; | |
3676 | } | |
b03c9f9f EC |
3677 | if (signed_add_overflows(dst_reg->smin_value, smin_val) || |
3678 | signed_add_overflows(dst_reg->smax_value, smax_val)) { | |
3679 | dst_reg->smin_value = S64_MIN; | |
3680 | dst_reg->smax_value = S64_MAX; | |
3681 | } else { | |
3682 | dst_reg->smin_value += smin_val; | |
3683 | dst_reg->smax_value += smax_val; | |
3684 | } | |
3685 | if (dst_reg->umin_value + umin_val < umin_val || | |
3686 | dst_reg->umax_value + umax_val < umax_val) { | |
3687 | dst_reg->umin_value = 0; | |
3688 | dst_reg->umax_value = U64_MAX; | |
3689 | } else { | |
3690 | dst_reg->umin_value += umin_val; | |
3691 | dst_reg->umax_value += umax_val; | |
3692 | } | |
f1174f77 | 3693 | dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); |
48461135 JB |
3694 | break; |
3695 | case BPF_SUB: | |
d3bd7413 DB |
3696 | ret = sanitize_val_alu(env, insn); |
3697 | if (ret < 0) { | |
3698 | verbose(env, "R%d tried to sub from different pointers or scalars\n", dst); | |
3699 | return ret; | |
3700 | } | |
b03c9f9f EC |
3701 | if (signed_sub_overflows(dst_reg->smin_value, smax_val) || |
3702 | signed_sub_overflows(dst_reg->smax_value, smin_val)) { | |
3703 | /* Overflow possible, we know nothing */ | |
3704 | dst_reg->smin_value = S64_MIN; | |
3705 | dst_reg->smax_value = S64_MAX; | |
3706 | } else { | |
3707 | dst_reg->smin_value -= smax_val; | |
3708 | dst_reg->smax_value -= smin_val; | |
3709 | } | |
3710 | if (dst_reg->umin_value < umax_val) { | |
3711 | /* Overflow possible, we know nothing */ | |
3712 | dst_reg->umin_value = 0; | |
3713 | dst_reg->umax_value = U64_MAX; | |
3714 | } else { | |
3715 | /* Cannot overflow (as long as bounds are consistent) */ | |
3716 | dst_reg->umin_value -= umax_val; | |
3717 | dst_reg->umax_value -= umin_val; | |
3718 | } | |
f1174f77 | 3719 | dst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg.var_off); |
48461135 JB |
3720 | break; |
3721 | case BPF_MUL: | |
b03c9f9f EC |
3722 | dst_reg->var_off = tnum_mul(dst_reg->var_off, src_reg.var_off); |
3723 | if (smin_val < 0 || dst_reg->smin_value < 0) { | |
f1174f77 | 3724 | /* Ain't nobody got time to multiply that sign */ |
b03c9f9f EC |
3725 | __mark_reg_unbounded(dst_reg); |
3726 | __update_reg_bounds(dst_reg); | |
f1174f77 EC |
3727 | break; |
3728 | } | |
b03c9f9f EC |
3729 | /* Both values are positive, so we can work with unsigned and |
3730 | * copy the result to signed (unless it exceeds S64_MAX). | |
f1174f77 | 3731 | */ |
b03c9f9f EC |
3732 | if (umax_val > U32_MAX || dst_reg->umax_value > U32_MAX) { |
3733 | /* Potential overflow, we know nothing */ | |
3734 | __mark_reg_unbounded(dst_reg); | |
3735 | /* (except what we can learn from the var_off) */ | |
3736 | __update_reg_bounds(dst_reg); | |
3737 | break; | |
3738 | } | |
3739 | dst_reg->umin_value *= umin_val; | |
3740 | dst_reg->umax_value *= umax_val; | |
3741 | if (dst_reg->umax_value > S64_MAX) { | |
3742 | /* Overflow possible, we know nothing */ | |
3743 | dst_reg->smin_value = S64_MIN; | |
3744 | dst_reg->smax_value = S64_MAX; | |
3745 | } else { | |
3746 | dst_reg->smin_value = dst_reg->umin_value; | |
3747 | dst_reg->smax_value = dst_reg->umax_value; | |
3748 | } | |
48461135 JB |
3749 | break; |
3750 | case BPF_AND: | |
f1174f77 | 3751 | if (src_known && dst_known) { |
b03c9f9f EC |
3752 | __mark_reg_known(dst_reg, dst_reg->var_off.value & |
3753 | src_reg.var_off.value); | |
f1174f77 EC |
3754 | break; |
3755 | } | |
b03c9f9f EC |
3756 | /* We get our minimum from the var_off, since that's inherently |
3757 | * bitwise. Our maximum is the minimum of the operands' maxima. | |
f23cc643 | 3758 | */ |
f1174f77 | 3759 | dst_reg->var_off = tnum_and(dst_reg->var_off, src_reg.var_off); |
b03c9f9f EC |
3760 | dst_reg->umin_value = dst_reg->var_off.value; |
3761 | dst_reg->umax_value = min(dst_reg->umax_value, umax_val); | |
3762 | if (dst_reg->smin_value < 0 || smin_val < 0) { | |
3763 | /* Lose signed bounds when ANDing negative numbers, | |
3764 | * ain't nobody got time for that. | |
3765 | */ | |
3766 | dst_reg->smin_value = S64_MIN; | |
3767 | dst_reg->smax_value = S64_MAX; | |
3768 | } else { | |
3769 | /* ANDing two positives gives a positive, so safe to | |
3770 | * cast result into s64. | |
3771 | */ | |
3772 | dst_reg->smin_value = dst_reg->umin_value; | |
3773 | dst_reg->smax_value = dst_reg->umax_value; | |
3774 | } | |
3775 | /* We may learn something more from the var_off */ | |
3776 | __update_reg_bounds(dst_reg); | |
f1174f77 EC |
3777 | break; |
3778 | case BPF_OR: | |
3779 | if (src_known && dst_known) { | |
b03c9f9f EC |
3780 | __mark_reg_known(dst_reg, dst_reg->var_off.value | |
3781 | src_reg.var_off.value); | |
f1174f77 EC |
3782 | break; |
3783 | } | |
b03c9f9f EC |
3784 | /* We get our maximum from the var_off, and our minimum is the |
3785 | * maximum of the operands' minima | |
f1174f77 EC |
3786 | */ |
3787 | dst_reg->var_off = tnum_or(dst_reg->var_off, src_reg.var_off); | |
b03c9f9f EC |
3788 | dst_reg->umin_value = max(dst_reg->umin_value, umin_val); |
3789 | dst_reg->umax_value = dst_reg->var_off.value | | |
3790 | dst_reg->var_off.mask; | |
3791 | if (dst_reg->smin_value < 0 || smin_val < 0) { | |
3792 | /* Lose signed bounds when ORing negative numbers, | |
3793 | * ain't nobody got time for that. | |
3794 | */ | |
3795 | dst_reg->smin_value = S64_MIN; | |
3796 | dst_reg->smax_value = S64_MAX; | |
f1174f77 | 3797 | } else { |
b03c9f9f EC |
3798 | /* ORing two positives gives a positive, so safe to |
3799 | * cast result into s64. | |
3800 | */ | |
3801 | dst_reg->smin_value = dst_reg->umin_value; | |
3802 | dst_reg->smax_value = dst_reg->umax_value; | |
f1174f77 | 3803 | } |
b03c9f9f EC |
3804 | /* We may learn something more from the var_off */ |
3805 | __update_reg_bounds(dst_reg); | |
48461135 JB |
3806 | break; |
3807 | case BPF_LSH: | |
468f6eaf JH |
3808 | if (umax_val >= insn_bitness) { |
3809 | /* Shifts greater than 31 or 63 are undefined. | |
3810 | * This includes shifts by a negative number. | |
b03c9f9f | 3811 | */ |
61bd5218 | 3812 | mark_reg_unknown(env, regs, insn->dst_reg); |
f1174f77 EC |
3813 | break; |
3814 | } | |
b03c9f9f EC |
3815 | /* We lose all sign bit information (except what we can pick |
3816 | * up from var_off) | |
48461135 | 3817 | */ |
b03c9f9f EC |
3818 | dst_reg->smin_value = S64_MIN; |
3819 | dst_reg->smax_value = S64_MAX; | |
3820 | /* If we might shift our top bit out, then we know nothing */ | |
3821 | if (dst_reg->umax_value > 1ULL << (63 - umax_val)) { | |
3822 | dst_reg->umin_value = 0; | |
3823 | dst_reg->umax_value = U64_MAX; | |
d1174416 | 3824 | } else { |
b03c9f9f EC |
3825 | dst_reg->umin_value <<= umin_val; |
3826 | dst_reg->umax_value <<= umax_val; | |
d1174416 | 3827 | } |
afbe1a5b | 3828 | dst_reg->var_off = tnum_lshift(dst_reg->var_off, umin_val); |
b03c9f9f EC |
3829 | /* We may learn something more from the var_off */ |
3830 | __update_reg_bounds(dst_reg); | |
48461135 JB |
3831 | break; |
3832 | case BPF_RSH: | |
468f6eaf JH |
3833 | if (umax_val >= insn_bitness) { |
3834 | /* Shifts greater than 31 or 63 are undefined. | |
3835 | * This includes shifts by a negative number. | |
b03c9f9f | 3836 | */ |
61bd5218 | 3837 | mark_reg_unknown(env, regs, insn->dst_reg); |
f1174f77 EC |
3838 | break; |
3839 | } | |
4374f256 EC |
3840 | /* BPF_RSH is an unsigned shift. If the value in dst_reg might |
3841 | * be negative, then either: | |
3842 | * 1) src_reg might be zero, so the sign bit of the result is | |
3843 | * unknown, so we lose our signed bounds | |
3844 | * 2) it's known negative, thus the unsigned bounds capture the | |
3845 | * signed bounds | |
3846 | * 3) the signed bounds cross zero, so they tell us nothing | |
3847 | * about the result | |
3848 | * If the value in dst_reg is known nonnegative, then again the | |
3849 | * unsigned bounts capture the signed bounds. | |
3850 | * Thus, in all cases it suffices to blow away our signed bounds | |
3851 | * and rely on inferring new ones from the unsigned bounds and | |
3852 | * var_off of the result. | |
3853 | */ | |
3854 | dst_reg->smin_value = S64_MIN; | |
3855 | dst_reg->smax_value = S64_MAX; | |
afbe1a5b | 3856 | dst_reg->var_off = tnum_rshift(dst_reg->var_off, umin_val); |
b03c9f9f EC |
3857 | dst_reg->umin_value >>= umax_val; |
3858 | dst_reg->umax_value >>= umin_val; | |
3859 | /* We may learn something more from the var_off */ | |
3860 | __update_reg_bounds(dst_reg); | |
48461135 | 3861 | break; |
9cbe1f5a YS |
3862 | case BPF_ARSH: |
3863 | if (umax_val >= insn_bitness) { | |
3864 | /* Shifts greater than 31 or 63 are undefined. | |
3865 | * This includes shifts by a negative number. | |
3866 | */ | |
3867 | mark_reg_unknown(env, regs, insn->dst_reg); | |
3868 | break; | |
3869 | } | |
3870 | ||
3871 | /* Upon reaching here, src_known is true and | |
3872 | * umax_val is equal to umin_val. | |
3873 | */ | |
3874 | dst_reg->smin_value >>= umin_val; | |
3875 | dst_reg->smax_value >>= umin_val; | |
3876 | dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val); | |
3877 | ||
3878 | /* blow away the dst_reg umin_value/umax_value and rely on | |
3879 | * dst_reg var_off to refine the result. | |
3880 | */ | |
3881 | dst_reg->umin_value = 0; | |
3882 | dst_reg->umax_value = U64_MAX; | |
3883 | __update_reg_bounds(dst_reg); | |
3884 | break; | |
48461135 | 3885 | default: |
61bd5218 | 3886 | mark_reg_unknown(env, regs, insn->dst_reg); |
48461135 JB |
3887 | break; |
3888 | } | |
3889 | ||
468f6eaf JH |
3890 | if (BPF_CLASS(insn->code) != BPF_ALU64) { |
3891 | /* 32-bit ALU ops are (32,32)->32 */ | |
3892 | coerce_reg_to_size(dst_reg, 4); | |
468f6eaf JH |
3893 | } |
3894 | ||
b03c9f9f EC |
3895 | __reg_deduce_bounds(dst_reg); |
3896 | __reg_bound_offset(dst_reg); | |
f1174f77 EC |
3897 | return 0; |
3898 | } | |
3899 | ||
3900 | /* Handles ALU ops other than BPF_END, BPF_NEG and BPF_MOV: computes new min/max | |
3901 | * and var_off. | |
3902 | */ | |
3903 | static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, | |
3904 | struct bpf_insn *insn) | |
3905 | { | |
f4d7e40a AS |
3906 | struct bpf_verifier_state *vstate = env->cur_state; |
3907 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; | |
3908 | struct bpf_reg_state *regs = state->regs, *dst_reg, *src_reg; | |
f1174f77 EC |
3909 | struct bpf_reg_state *ptr_reg = NULL, off_reg = {0}; |
3910 | u8 opcode = BPF_OP(insn->code); | |
f1174f77 EC |
3911 | |
3912 | dst_reg = ®s[insn->dst_reg]; | |
f1174f77 EC |
3913 | src_reg = NULL; |
3914 | if (dst_reg->type != SCALAR_VALUE) | |
3915 | ptr_reg = dst_reg; | |
3916 | if (BPF_SRC(insn->code) == BPF_X) { | |
3917 | src_reg = ®s[insn->src_reg]; | |
f1174f77 EC |
3918 | if (src_reg->type != SCALAR_VALUE) { |
3919 | if (dst_reg->type != SCALAR_VALUE) { | |
3920 | /* Combining two pointers by any ALU op yields | |
82abbf8d AS |
3921 | * an arbitrary scalar. Disallow all math except |
3922 | * pointer subtraction | |
f1174f77 | 3923 | */ |
dd066823 | 3924 | if (opcode == BPF_SUB && env->allow_ptr_leaks) { |
82abbf8d AS |
3925 | mark_reg_unknown(env, regs, insn->dst_reg); |
3926 | return 0; | |
f1174f77 | 3927 | } |
82abbf8d AS |
3928 | verbose(env, "R%d pointer %s pointer prohibited\n", |
3929 | insn->dst_reg, | |
3930 | bpf_alu_string[opcode >> 4]); | |
3931 | return -EACCES; | |
f1174f77 EC |
3932 | } else { |
3933 | /* scalar += pointer | |
3934 | * This is legal, but we have to reverse our | |
3935 | * src/dest handling in computing the range | |
3936 | */ | |
82abbf8d AS |
3937 | return adjust_ptr_min_max_vals(env, insn, |
3938 | src_reg, dst_reg); | |
f1174f77 EC |
3939 | } |
3940 | } else if (ptr_reg) { | |
3941 | /* pointer += scalar */ | |
82abbf8d AS |
3942 | return adjust_ptr_min_max_vals(env, insn, |
3943 | dst_reg, src_reg); | |
f1174f77 EC |
3944 | } |
3945 | } else { | |
3946 | /* Pretend the src is a reg with a known value, since we only | |
3947 | * need to be able to read from this state. | |
3948 | */ | |
3949 | off_reg.type = SCALAR_VALUE; | |
b03c9f9f | 3950 | __mark_reg_known(&off_reg, insn->imm); |
f1174f77 | 3951 | src_reg = &off_reg; |
82abbf8d AS |
3952 | if (ptr_reg) /* pointer += K */ |
3953 | return adjust_ptr_min_max_vals(env, insn, | |
3954 | ptr_reg, src_reg); | |
f1174f77 EC |
3955 | } |
3956 | ||
3957 | /* Got here implies adding two SCALAR_VALUEs */ | |
3958 | if (WARN_ON_ONCE(ptr_reg)) { | |
f4d7e40a | 3959 | print_verifier_state(env, state); |
61bd5218 | 3960 | verbose(env, "verifier internal error: unexpected ptr_reg\n"); |
f1174f77 EC |
3961 | return -EINVAL; |
3962 | } | |
3963 | if (WARN_ON(!src_reg)) { | |
f4d7e40a | 3964 | print_verifier_state(env, state); |
61bd5218 | 3965 | verbose(env, "verifier internal error: no src_reg\n"); |
f1174f77 EC |
3966 | return -EINVAL; |
3967 | } | |
3968 | return adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg); | |
48461135 JB |
3969 | } |
3970 | ||
17a52670 | 3971 | /* check validity of 32-bit and 64-bit arithmetic operations */ |
58e2af8b | 3972 | static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) |
17a52670 | 3973 | { |
638f5b90 | 3974 | struct bpf_reg_state *regs = cur_regs(env); |
17a52670 AS |
3975 | u8 opcode = BPF_OP(insn->code); |
3976 | int err; | |
3977 | ||
3978 | if (opcode == BPF_END || opcode == BPF_NEG) { | |
3979 | if (opcode == BPF_NEG) { | |
3980 | if (BPF_SRC(insn->code) != 0 || | |
3981 | insn->src_reg != BPF_REG_0 || | |
3982 | insn->off != 0 || insn->imm != 0) { | |
61bd5218 | 3983 | verbose(env, "BPF_NEG uses reserved fields\n"); |
17a52670 AS |
3984 | return -EINVAL; |
3985 | } | |
3986 | } else { | |
3987 | if (insn->src_reg != BPF_REG_0 || insn->off != 0 || | |
e67b8a68 EC |
3988 | (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) || |
3989 | BPF_CLASS(insn->code) == BPF_ALU64) { | |
61bd5218 | 3990 | verbose(env, "BPF_END uses reserved fields\n"); |
17a52670 AS |
3991 | return -EINVAL; |
3992 | } | |
3993 | } | |
3994 | ||
3995 | /* check src operand */ | |
dc503a8a | 3996 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
3997 | if (err) |
3998 | return err; | |
3999 | ||
1be7f75d | 4000 | if (is_pointer_value(env, insn->dst_reg)) { |
61bd5218 | 4001 | verbose(env, "R%d pointer arithmetic prohibited\n", |
1be7f75d AS |
4002 | insn->dst_reg); |
4003 | return -EACCES; | |
4004 | } | |
4005 | ||
17a52670 | 4006 | /* check dest operand */ |
dc503a8a | 4007 | err = check_reg_arg(env, insn->dst_reg, DST_OP); |
17a52670 AS |
4008 | if (err) |
4009 | return err; | |
4010 | ||
4011 | } else if (opcode == BPF_MOV) { | |
4012 | ||
4013 | if (BPF_SRC(insn->code) == BPF_X) { | |
4014 | if (insn->imm != 0 || insn->off != 0) { | |
61bd5218 | 4015 | verbose(env, "BPF_MOV uses reserved fields\n"); |
17a52670 AS |
4016 | return -EINVAL; |
4017 | } | |
4018 | ||
4019 | /* check src operand */ | |
dc503a8a | 4020 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
4021 | if (err) |
4022 | return err; | |
4023 | } else { | |
4024 | if (insn->src_reg != BPF_REG_0 || insn->off != 0) { | |
61bd5218 | 4025 | verbose(env, "BPF_MOV uses reserved fields\n"); |
17a52670 AS |
4026 | return -EINVAL; |
4027 | } | |
4028 | } | |
4029 | ||
fbeb1603 AF |
4030 | /* check dest operand, mark as required later */ |
4031 | err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); | |
17a52670 AS |
4032 | if (err) |
4033 | return err; | |
4034 | ||
4035 | if (BPF_SRC(insn->code) == BPF_X) { | |
e434b8cd JW |
4036 | struct bpf_reg_state *src_reg = regs + insn->src_reg; |
4037 | struct bpf_reg_state *dst_reg = regs + insn->dst_reg; | |
4038 | ||
17a52670 AS |
4039 | if (BPF_CLASS(insn->code) == BPF_ALU64) { |
4040 | /* case: R1 = R2 | |
4041 | * copy register state to dest reg | |
4042 | */ | |
e434b8cd JW |
4043 | *dst_reg = *src_reg; |
4044 | dst_reg->live |= REG_LIVE_WRITTEN; | |
17a52670 | 4045 | } else { |
f1174f77 | 4046 | /* R1 = (u32) R2 */ |
1be7f75d | 4047 | if (is_pointer_value(env, insn->src_reg)) { |
61bd5218 JK |
4048 | verbose(env, |
4049 | "R%d partial copy of pointer\n", | |
1be7f75d AS |
4050 | insn->src_reg); |
4051 | return -EACCES; | |
e434b8cd JW |
4052 | } else if (src_reg->type == SCALAR_VALUE) { |
4053 | *dst_reg = *src_reg; | |
4054 | dst_reg->live |= REG_LIVE_WRITTEN; | |
4055 | } else { | |
4056 | mark_reg_unknown(env, regs, | |
4057 | insn->dst_reg); | |
1be7f75d | 4058 | } |
e434b8cd | 4059 | coerce_reg_to_size(dst_reg, 4); |
17a52670 AS |
4060 | } |
4061 | } else { | |
4062 | /* case: R = imm | |
4063 | * remember the value we stored into this reg | |
4064 | */ | |
fbeb1603 AF |
4065 | /* clear any state __mark_reg_known doesn't set */ |
4066 | mark_reg_unknown(env, regs, insn->dst_reg); | |
f1174f77 | 4067 | regs[insn->dst_reg].type = SCALAR_VALUE; |
95a762e2 JH |
4068 | if (BPF_CLASS(insn->code) == BPF_ALU64) { |
4069 | __mark_reg_known(regs + insn->dst_reg, | |
4070 | insn->imm); | |
4071 | } else { | |
4072 | __mark_reg_known(regs + insn->dst_reg, | |
4073 | (u32)insn->imm); | |
4074 | } | |
17a52670 AS |
4075 | } |
4076 | ||
4077 | } else if (opcode > BPF_END) { | |
61bd5218 | 4078 | verbose(env, "invalid BPF_ALU opcode %x\n", opcode); |
17a52670 AS |
4079 | return -EINVAL; |
4080 | ||
4081 | } else { /* all other ALU ops: and, sub, xor, add, ... */ | |
4082 | ||
17a52670 AS |
4083 | if (BPF_SRC(insn->code) == BPF_X) { |
4084 | if (insn->imm != 0 || insn->off != 0) { | |
61bd5218 | 4085 | verbose(env, "BPF_ALU uses reserved fields\n"); |
17a52670 AS |
4086 | return -EINVAL; |
4087 | } | |
4088 | /* check src1 operand */ | |
dc503a8a | 4089 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
4090 | if (err) |
4091 | return err; | |
4092 | } else { | |
4093 | if (insn->src_reg != BPF_REG_0 || insn->off != 0) { | |
61bd5218 | 4094 | verbose(env, "BPF_ALU uses reserved fields\n"); |
17a52670 AS |
4095 | return -EINVAL; |
4096 | } | |
4097 | } | |
4098 | ||
4099 | /* check src2 operand */ | |
dc503a8a | 4100 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
4101 | if (err) |
4102 | return err; | |
4103 | ||
4104 | if ((opcode == BPF_MOD || opcode == BPF_DIV) && | |
4105 | BPF_SRC(insn->code) == BPF_K && insn->imm == 0) { | |
61bd5218 | 4106 | verbose(env, "div by zero\n"); |
17a52670 AS |
4107 | return -EINVAL; |
4108 | } | |
4109 | ||
229394e8 RV |
4110 | if ((opcode == BPF_LSH || opcode == BPF_RSH || |
4111 | opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) { | |
4112 | int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; | |
4113 | ||
4114 | if (insn->imm < 0 || insn->imm >= size) { | |
61bd5218 | 4115 | verbose(env, "invalid shift %d\n", insn->imm); |
229394e8 RV |
4116 | return -EINVAL; |
4117 | } | |
4118 | } | |
4119 | ||
1a0dc1ac | 4120 | /* check dest operand */ |
dc503a8a | 4121 | err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); |
1a0dc1ac AS |
4122 | if (err) |
4123 | return err; | |
4124 | ||
f1174f77 | 4125 | return adjust_reg_min_max_vals(env, insn); |
17a52670 AS |
4126 | } |
4127 | ||
4128 | return 0; | |
4129 | } | |
4130 | ||
f4d7e40a | 4131 | static void find_good_pkt_pointers(struct bpf_verifier_state *vstate, |
de8f3a83 | 4132 | struct bpf_reg_state *dst_reg, |
f8ddadc4 | 4133 | enum bpf_reg_type type, |
fb2a311a | 4134 | bool range_right_open) |
969bf05e | 4135 | { |
f4d7e40a | 4136 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; |
58e2af8b | 4137 | struct bpf_reg_state *regs = state->regs, *reg; |
fb2a311a | 4138 | u16 new_range; |
f4d7e40a | 4139 | int i, j; |
2d2be8ca | 4140 | |
fb2a311a DB |
4141 | if (dst_reg->off < 0 || |
4142 | (dst_reg->off == 0 && range_right_open)) | |
f1174f77 EC |
4143 | /* This doesn't give us any range */ |
4144 | return; | |
4145 | ||
b03c9f9f EC |
4146 | if (dst_reg->umax_value > MAX_PACKET_OFF || |
4147 | dst_reg->umax_value + dst_reg->off > MAX_PACKET_OFF) | |
f1174f77 EC |
4148 | /* Risk of overflow. For instance, ptr + (1<<63) may be less |
4149 | * than pkt_end, but that's because it's also less than pkt. | |
4150 | */ | |
4151 | return; | |
4152 | ||
fb2a311a DB |
4153 | new_range = dst_reg->off; |
4154 | if (range_right_open) | |
4155 | new_range--; | |
4156 | ||
4157 | /* Examples for register markings: | |
2d2be8ca | 4158 | * |
fb2a311a | 4159 | * pkt_data in dst register: |
2d2be8ca DB |
4160 | * |
4161 | * r2 = r3; | |
4162 | * r2 += 8; | |
4163 | * if (r2 > pkt_end) goto <handle exception> | |
4164 | * <access okay> | |
4165 | * | |
b4e432f1 DB |
4166 | * r2 = r3; |
4167 | * r2 += 8; | |
4168 | * if (r2 < pkt_end) goto <access okay> | |
4169 | * <handle exception> | |
4170 | * | |
2d2be8ca DB |
4171 | * Where: |
4172 | * r2 == dst_reg, pkt_end == src_reg | |
4173 | * r2=pkt(id=n,off=8,r=0) | |
4174 | * r3=pkt(id=n,off=0,r=0) | |
4175 | * | |
fb2a311a | 4176 | * pkt_data in src register: |
2d2be8ca DB |
4177 | * |
4178 | * r2 = r3; | |
4179 | * r2 += 8; | |
4180 | * if (pkt_end >= r2) goto <access okay> | |
4181 | * <handle exception> | |
4182 | * | |
b4e432f1 DB |
4183 | * r2 = r3; |
4184 | * r2 += 8; | |
4185 | * if (pkt_end <= r2) goto <handle exception> | |
4186 | * <access okay> | |
4187 | * | |
2d2be8ca DB |
4188 | * Where: |
4189 | * pkt_end == dst_reg, r2 == src_reg | |
4190 | * r2=pkt(id=n,off=8,r=0) | |
4191 | * r3=pkt(id=n,off=0,r=0) | |
4192 | * | |
4193 | * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8) | |
fb2a311a DB |
4194 | * or r3=pkt(id=n,off=0,r=8-1), so that range of bytes [r3, r3 + 8) |
4195 | * and [r3, r3 + 8-1) respectively is safe to access depending on | |
4196 | * the check. | |
969bf05e | 4197 | */ |
2d2be8ca | 4198 | |
f1174f77 EC |
4199 | /* If our ids match, then we must have the same max_value. And we |
4200 | * don't care about the other reg's fixed offset, since if it's too big | |
4201 | * the range won't allow anything. | |
4202 | * dst_reg->off is known < MAX_PACKET_OFF, therefore it fits in a u16. | |
4203 | */ | |
969bf05e | 4204 | for (i = 0; i < MAX_BPF_REG; i++) |
de8f3a83 | 4205 | if (regs[i].type == type && regs[i].id == dst_reg->id) |
b1977682 | 4206 | /* keep the maximum range already checked */ |
fb2a311a | 4207 | regs[i].range = max(regs[i].range, new_range); |
969bf05e | 4208 | |
f4d7e40a AS |
4209 | for (j = 0; j <= vstate->curframe; j++) { |
4210 | state = vstate->frame[j]; | |
f3709f69 JS |
4211 | bpf_for_each_spilled_reg(i, state, reg) { |
4212 | if (!reg) | |
f4d7e40a | 4213 | continue; |
f4d7e40a AS |
4214 | if (reg->type == type && reg->id == dst_reg->id) |
4215 | reg->range = max(reg->range, new_range); | |
4216 | } | |
969bf05e AS |
4217 | } |
4218 | } | |
4219 | ||
4f7b3e82 AS |
4220 | /* compute branch direction of the expression "if (reg opcode val) goto target;" |
4221 | * and return: | |
4222 | * 1 - branch will be taken and "goto target" will be executed | |
4223 | * 0 - branch will not be taken and fall-through to next insn | |
4224 | * -1 - unknown. Example: "if (reg < 5)" is unknown when register value range [0,10] | |
4225 | */ | |
092ed096 JW |
4226 | static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode, |
4227 | bool is_jmp32) | |
4f7b3e82 | 4228 | { |
092ed096 | 4229 | struct bpf_reg_state reg_lo; |
a72dafaf JW |
4230 | s64 sval; |
4231 | ||
4f7b3e82 AS |
4232 | if (__is_pointer_value(false, reg)) |
4233 | return -1; | |
4234 | ||
092ed096 JW |
4235 | if (is_jmp32) { |
4236 | reg_lo = *reg; | |
4237 | reg = ®_lo; | |
4238 | /* For JMP32, only low 32 bits are compared, coerce_reg_to_size | |
4239 | * could truncate high bits and update umin/umax according to | |
4240 | * information of low bits. | |
4241 | */ | |
4242 | coerce_reg_to_size(reg, 4); | |
4243 | /* smin/smax need special handling. For example, after coerce, | |
4244 | * if smin_value is 0x00000000ffffffffLL, the value is -1 when | |
4245 | * used as operand to JMP32. It is a negative number from s32's | |
4246 | * point of view, while it is a positive number when seen as | |
4247 | * s64. The smin/smax are kept as s64, therefore, when used with | |
4248 | * JMP32, they need to be transformed into s32, then sign | |
4249 | * extended back to s64. | |
4250 | * | |
4251 | * Also, smin/smax were copied from umin/umax. If umin/umax has | |
4252 | * different sign bit, then min/max relationship doesn't | |
4253 | * maintain after casting into s32, for this case, set smin/smax | |
4254 | * to safest range. | |
4255 | */ | |
4256 | if ((reg->umax_value ^ reg->umin_value) & | |
4257 | (1ULL << 31)) { | |
4258 | reg->smin_value = S32_MIN; | |
4259 | reg->smax_value = S32_MAX; | |
4260 | } | |
4261 | reg->smin_value = (s64)(s32)reg->smin_value; | |
4262 | reg->smax_value = (s64)(s32)reg->smax_value; | |
4263 | ||
4264 | val = (u32)val; | |
4265 | sval = (s64)(s32)val; | |
4266 | } else { | |
4267 | sval = (s64)val; | |
4268 | } | |
a72dafaf | 4269 | |
4f7b3e82 AS |
4270 | switch (opcode) { |
4271 | case BPF_JEQ: | |
4272 | if (tnum_is_const(reg->var_off)) | |
4273 | return !!tnum_equals_const(reg->var_off, val); | |
4274 | break; | |
4275 | case BPF_JNE: | |
4276 | if (tnum_is_const(reg->var_off)) | |
4277 | return !tnum_equals_const(reg->var_off, val); | |
4278 | break; | |
960ea056 JK |
4279 | case BPF_JSET: |
4280 | if ((~reg->var_off.mask & reg->var_off.value) & val) | |
4281 | return 1; | |
4282 | if (!((reg->var_off.mask | reg->var_off.value) & val)) | |
4283 | return 0; | |
4284 | break; | |
4f7b3e82 AS |
4285 | case BPF_JGT: |
4286 | if (reg->umin_value > val) | |
4287 | return 1; | |
4288 | else if (reg->umax_value <= val) | |
4289 | return 0; | |
4290 | break; | |
4291 | case BPF_JSGT: | |
a72dafaf | 4292 | if (reg->smin_value > sval) |
4f7b3e82 | 4293 | return 1; |
a72dafaf | 4294 | else if (reg->smax_value < sval) |
4f7b3e82 AS |
4295 | return 0; |
4296 | break; | |
4297 | case BPF_JLT: | |
4298 | if (reg->umax_value < val) | |
4299 | return 1; | |
4300 | else if (reg->umin_value >= val) | |
4301 | return 0; | |
4302 | break; | |
4303 | case BPF_JSLT: | |
a72dafaf | 4304 | if (reg->smax_value < sval) |
4f7b3e82 | 4305 | return 1; |
a72dafaf | 4306 | else if (reg->smin_value >= sval) |
4f7b3e82 AS |
4307 | return 0; |
4308 | break; | |
4309 | case BPF_JGE: | |
4310 | if (reg->umin_value >= val) | |
4311 | return 1; | |
4312 | else if (reg->umax_value < val) | |
4313 | return 0; | |
4314 | break; | |
4315 | case BPF_JSGE: | |
a72dafaf | 4316 | if (reg->smin_value >= sval) |
4f7b3e82 | 4317 | return 1; |
a72dafaf | 4318 | else if (reg->smax_value < sval) |
4f7b3e82 AS |
4319 | return 0; |
4320 | break; | |
4321 | case BPF_JLE: | |
4322 | if (reg->umax_value <= val) | |
4323 | return 1; | |
4324 | else if (reg->umin_value > val) | |
4325 | return 0; | |
4326 | break; | |
4327 | case BPF_JSLE: | |
a72dafaf | 4328 | if (reg->smax_value <= sval) |
4f7b3e82 | 4329 | return 1; |
a72dafaf | 4330 | else if (reg->smin_value > sval) |
4f7b3e82 AS |
4331 | return 0; |
4332 | break; | |
4333 | } | |
4334 | ||
4335 | return -1; | |
4336 | } | |
4337 | ||
092ed096 JW |
4338 | /* Generate min value of the high 32-bit from TNUM info. */ |
4339 | static u64 gen_hi_min(struct tnum var) | |
4340 | { | |
4341 | return var.value & ~0xffffffffULL; | |
4342 | } | |
4343 | ||
4344 | /* Generate max value of the high 32-bit from TNUM info. */ | |
4345 | static u64 gen_hi_max(struct tnum var) | |
4346 | { | |
4347 | return (var.value | var.mask) & ~0xffffffffULL; | |
4348 | } | |
4349 | ||
4350 | /* Return true if VAL is compared with a s64 sign extended from s32, and they | |
4351 | * are with the same signedness. | |
4352 | */ | |
4353 | static bool cmp_val_with_extended_s64(s64 sval, struct bpf_reg_state *reg) | |
4354 | { | |
4355 | return ((s32)sval >= 0 && | |
4356 | reg->smin_value >= 0 && reg->smax_value <= S32_MAX) || | |
4357 | ((s32)sval < 0 && | |
4358 | reg->smax_value <= 0 && reg->smin_value >= S32_MIN); | |
4359 | } | |
4360 | ||
48461135 JB |
4361 | /* Adjusts the register min/max values in the case that the dst_reg is the |
4362 | * variable register that we are working on, and src_reg is a constant or we're | |
4363 | * simply doing a BPF_K check. | |
f1174f77 | 4364 | * In JEQ/JNE cases we also adjust the var_off values. |
48461135 JB |
4365 | */ |
4366 | static void reg_set_min_max(struct bpf_reg_state *true_reg, | |
4367 | struct bpf_reg_state *false_reg, u64 val, | |
092ed096 | 4368 | u8 opcode, bool is_jmp32) |
48461135 | 4369 | { |
a72dafaf JW |
4370 | s64 sval; |
4371 | ||
f1174f77 EC |
4372 | /* If the dst_reg is a pointer, we can't learn anything about its |
4373 | * variable offset from the compare (unless src_reg were a pointer into | |
4374 | * the same object, but we don't bother with that. | |
4375 | * Since false_reg and true_reg have the same type by construction, we | |
4376 | * only need to check one of them for pointerness. | |
4377 | */ | |
4378 | if (__is_pointer_value(false, false_reg)) | |
4379 | return; | |
4cabc5b1 | 4380 | |
092ed096 JW |
4381 | val = is_jmp32 ? (u32)val : val; |
4382 | sval = is_jmp32 ? (s64)(s32)val : (s64)val; | |
a72dafaf | 4383 | |
48461135 JB |
4384 | switch (opcode) { |
4385 | case BPF_JEQ: | |
48461135 | 4386 | case BPF_JNE: |
a72dafaf JW |
4387 | { |
4388 | struct bpf_reg_state *reg = | |
4389 | opcode == BPF_JEQ ? true_reg : false_reg; | |
4390 | ||
4391 | /* For BPF_JEQ, if this is false we know nothing Jon Snow, but | |
4392 | * if it is true we know the value for sure. Likewise for | |
4393 | * BPF_JNE. | |
48461135 | 4394 | */ |
092ed096 JW |
4395 | if (is_jmp32) { |
4396 | u64 old_v = reg->var_off.value; | |
4397 | u64 hi_mask = ~0xffffffffULL; | |
4398 | ||
4399 | reg->var_off.value = (old_v & hi_mask) | val; | |
4400 | reg->var_off.mask &= hi_mask; | |
4401 | } else { | |
4402 | __mark_reg_known(reg, val); | |
4403 | } | |
48461135 | 4404 | break; |
a72dafaf | 4405 | } |
960ea056 JK |
4406 | case BPF_JSET: |
4407 | false_reg->var_off = tnum_and(false_reg->var_off, | |
4408 | tnum_const(~val)); | |
4409 | if (is_power_of_2(val)) | |
4410 | true_reg->var_off = tnum_or(true_reg->var_off, | |
4411 | tnum_const(val)); | |
4412 | break; | |
48461135 | 4413 | case BPF_JGE: |
a72dafaf JW |
4414 | case BPF_JGT: |
4415 | { | |
4416 | u64 false_umax = opcode == BPF_JGT ? val : val - 1; | |
4417 | u64 true_umin = opcode == BPF_JGT ? val + 1 : val; | |
4418 | ||
092ed096 JW |
4419 | if (is_jmp32) { |
4420 | false_umax += gen_hi_max(false_reg->var_off); | |
4421 | true_umin += gen_hi_min(true_reg->var_off); | |
4422 | } | |
a72dafaf JW |
4423 | false_reg->umax_value = min(false_reg->umax_value, false_umax); |
4424 | true_reg->umin_value = max(true_reg->umin_value, true_umin); | |
b03c9f9f | 4425 | break; |
a72dafaf | 4426 | } |
48461135 | 4427 | case BPF_JSGE: |
a72dafaf JW |
4428 | case BPF_JSGT: |
4429 | { | |
4430 | s64 false_smax = opcode == BPF_JSGT ? sval : sval - 1; | |
4431 | s64 true_smin = opcode == BPF_JSGT ? sval + 1 : sval; | |
4432 | ||
092ed096 JW |
4433 | /* If the full s64 was not sign-extended from s32 then don't |
4434 | * deduct further info. | |
4435 | */ | |
4436 | if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg)) | |
4437 | break; | |
a72dafaf JW |
4438 | false_reg->smax_value = min(false_reg->smax_value, false_smax); |
4439 | true_reg->smin_value = max(true_reg->smin_value, true_smin); | |
48461135 | 4440 | break; |
a72dafaf | 4441 | } |
b4e432f1 | 4442 | case BPF_JLE: |
a72dafaf JW |
4443 | case BPF_JLT: |
4444 | { | |
4445 | u64 false_umin = opcode == BPF_JLT ? val : val + 1; | |
4446 | u64 true_umax = opcode == BPF_JLT ? val - 1 : val; | |
4447 | ||
092ed096 JW |
4448 | if (is_jmp32) { |
4449 | false_umin += gen_hi_min(false_reg->var_off); | |
4450 | true_umax += gen_hi_max(true_reg->var_off); | |
4451 | } | |
a72dafaf JW |
4452 | false_reg->umin_value = max(false_reg->umin_value, false_umin); |
4453 | true_reg->umax_value = min(true_reg->umax_value, true_umax); | |
b4e432f1 | 4454 | break; |
a72dafaf | 4455 | } |
b4e432f1 | 4456 | case BPF_JSLE: |
a72dafaf JW |
4457 | case BPF_JSLT: |
4458 | { | |
4459 | s64 false_smin = opcode == BPF_JSLT ? sval : sval + 1; | |
4460 | s64 true_smax = opcode == BPF_JSLT ? sval - 1 : sval; | |
4461 | ||
092ed096 JW |
4462 | if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg)) |
4463 | break; | |
a72dafaf JW |
4464 | false_reg->smin_value = max(false_reg->smin_value, false_smin); |
4465 | true_reg->smax_value = min(true_reg->smax_value, true_smax); | |
b4e432f1 | 4466 | break; |
a72dafaf | 4467 | } |
48461135 JB |
4468 | default: |
4469 | break; | |
4470 | } | |
4471 | ||
b03c9f9f EC |
4472 | __reg_deduce_bounds(false_reg); |
4473 | __reg_deduce_bounds(true_reg); | |
4474 | /* We might have learned some bits from the bounds. */ | |
4475 | __reg_bound_offset(false_reg); | |
4476 | __reg_bound_offset(true_reg); | |
4477 | /* Intersecting with the old var_off might have improved our bounds | |
4478 | * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), | |
4479 | * then new var_off is (0; 0x7f...fc) which improves our umax. | |
4480 | */ | |
4481 | __update_reg_bounds(false_reg); | |
4482 | __update_reg_bounds(true_reg); | |
48461135 JB |
4483 | } |
4484 | ||
f1174f77 EC |
4485 | /* Same as above, but for the case that dst_reg holds a constant and src_reg is |
4486 | * the variable reg. | |
48461135 JB |
4487 | */ |
4488 | static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, | |
4489 | struct bpf_reg_state *false_reg, u64 val, | |
092ed096 | 4490 | u8 opcode, bool is_jmp32) |
48461135 | 4491 | { |
a72dafaf JW |
4492 | s64 sval; |
4493 | ||
f1174f77 EC |
4494 | if (__is_pointer_value(false, false_reg)) |
4495 | return; | |
4cabc5b1 | 4496 | |
092ed096 JW |
4497 | val = is_jmp32 ? (u32)val : val; |
4498 | sval = is_jmp32 ? (s64)(s32)val : (s64)val; | |
a72dafaf | 4499 | |
48461135 JB |
4500 | switch (opcode) { |
4501 | case BPF_JEQ: | |
48461135 | 4502 | case BPF_JNE: |
a72dafaf JW |
4503 | { |
4504 | struct bpf_reg_state *reg = | |
4505 | opcode == BPF_JEQ ? true_reg : false_reg; | |
4506 | ||
092ed096 JW |
4507 | if (is_jmp32) { |
4508 | u64 old_v = reg->var_off.value; | |
4509 | u64 hi_mask = ~0xffffffffULL; | |
4510 | ||
4511 | reg->var_off.value = (old_v & hi_mask) | val; | |
4512 | reg->var_off.mask &= hi_mask; | |
4513 | } else { | |
4514 | __mark_reg_known(reg, val); | |
4515 | } | |
48461135 | 4516 | break; |
a72dafaf | 4517 | } |
960ea056 JK |
4518 | case BPF_JSET: |
4519 | false_reg->var_off = tnum_and(false_reg->var_off, | |
4520 | tnum_const(~val)); | |
4521 | if (is_power_of_2(val)) | |
4522 | true_reg->var_off = tnum_or(true_reg->var_off, | |
4523 | tnum_const(val)); | |
4524 | break; | |
48461135 | 4525 | case BPF_JGE: |
a72dafaf JW |
4526 | case BPF_JGT: |
4527 | { | |
4528 | u64 false_umin = opcode == BPF_JGT ? val : val + 1; | |
4529 | u64 true_umax = opcode == BPF_JGT ? val - 1 : val; | |
4530 | ||
092ed096 JW |
4531 | if (is_jmp32) { |
4532 | false_umin += gen_hi_min(false_reg->var_off); | |
4533 | true_umax += gen_hi_max(true_reg->var_off); | |
4534 | } | |
a72dafaf JW |
4535 | false_reg->umin_value = max(false_reg->umin_value, false_umin); |
4536 | true_reg->umax_value = min(true_reg->umax_value, true_umax); | |
b03c9f9f | 4537 | break; |
a72dafaf | 4538 | } |
48461135 | 4539 | case BPF_JSGE: |
a72dafaf JW |
4540 | case BPF_JSGT: |
4541 | { | |
4542 | s64 false_smin = opcode == BPF_JSGT ? sval : sval + 1; | |
4543 | s64 true_smax = opcode == BPF_JSGT ? sval - 1 : sval; | |
4544 | ||
092ed096 JW |
4545 | if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg)) |
4546 | break; | |
a72dafaf JW |
4547 | false_reg->smin_value = max(false_reg->smin_value, false_smin); |
4548 | true_reg->smax_value = min(true_reg->smax_value, true_smax); | |
48461135 | 4549 | break; |
a72dafaf | 4550 | } |
b4e432f1 | 4551 | case BPF_JLE: |
a72dafaf JW |
4552 | case BPF_JLT: |
4553 | { | |
4554 | u64 false_umax = opcode == BPF_JLT ? val : val - 1; | |
4555 | u64 true_umin = opcode == BPF_JLT ? val + 1 : val; | |
4556 | ||
092ed096 JW |
4557 | if (is_jmp32) { |
4558 | false_umax += gen_hi_max(false_reg->var_off); | |
4559 | true_umin += gen_hi_min(true_reg->var_off); | |
4560 | } | |
a72dafaf JW |
4561 | false_reg->umax_value = min(false_reg->umax_value, false_umax); |
4562 | true_reg->umin_value = max(true_reg->umin_value, true_umin); | |
b4e432f1 | 4563 | break; |
a72dafaf | 4564 | } |
b4e432f1 | 4565 | case BPF_JSLE: |
a72dafaf JW |
4566 | case BPF_JSLT: |
4567 | { | |
4568 | s64 false_smax = opcode == BPF_JSLT ? sval : sval - 1; | |
4569 | s64 true_smin = opcode == BPF_JSLT ? sval + 1 : sval; | |
4570 | ||
092ed096 JW |
4571 | if (is_jmp32 && !cmp_val_with_extended_s64(sval, false_reg)) |
4572 | break; | |
a72dafaf JW |
4573 | false_reg->smax_value = min(false_reg->smax_value, false_smax); |
4574 | true_reg->smin_value = max(true_reg->smin_value, true_smin); | |
b4e432f1 | 4575 | break; |
a72dafaf | 4576 | } |
48461135 JB |
4577 | default: |
4578 | break; | |
4579 | } | |
4580 | ||
b03c9f9f EC |
4581 | __reg_deduce_bounds(false_reg); |
4582 | __reg_deduce_bounds(true_reg); | |
4583 | /* We might have learned some bits from the bounds. */ | |
4584 | __reg_bound_offset(false_reg); | |
4585 | __reg_bound_offset(true_reg); | |
4586 | /* Intersecting with the old var_off might have improved our bounds | |
4587 | * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), | |
4588 | * then new var_off is (0; 0x7f...fc) which improves our umax. | |
4589 | */ | |
4590 | __update_reg_bounds(false_reg); | |
4591 | __update_reg_bounds(true_reg); | |
f1174f77 EC |
4592 | } |
4593 | ||
4594 | /* Regs are known to be equal, so intersect their min/max/var_off */ | |
4595 | static void __reg_combine_min_max(struct bpf_reg_state *src_reg, | |
4596 | struct bpf_reg_state *dst_reg) | |
4597 | { | |
b03c9f9f EC |
4598 | src_reg->umin_value = dst_reg->umin_value = max(src_reg->umin_value, |
4599 | dst_reg->umin_value); | |
4600 | src_reg->umax_value = dst_reg->umax_value = min(src_reg->umax_value, | |
4601 | dst_reg->umax_value); | |
4602 | src_reg->smin_value = dst_reg->smin_value = max(src_reg->smin_value, | |
4603 | dst_reg->smin_value); | |
4604 | src_reg->smax_value = dst_reg->smax_value = min(src_reg->smax_value, | |
4605 | dst_reg->smax_value); | |
f1174f77 EC |
4606 | src_reg->var_off = dst_reg->var_off = tnum_intersect(src_reg->var_off, |
4607 | dst_reg->var_off); | |
b03c9f9f EC |
4608 | /* We might have learned new bounds from the var_off. */ |
4609 | __update_reg_bounds(src_reg); | |
4610 | __update_reg_bounds(dst_reg); | |
4611 | /* We might have learned something about the sign bit. */ | |
4612 | __reg_deduce_bounds(src_reg); | |
4613 | __reg_deduce_bounds(dst_reg); | |
4614 | /* We might have learned some bits from the bounds. */ | |
4615 | __reg_bound_offset(src_reg); | |
4616 | __reg_bound_offset(dst_reg); | |
4617 | /* Intersecting with the old var_off might have improved our bounds | |
4618 | * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc), | |
4619 | * then new var_off is (0; 0x7f...fc) which improves our umax. | |
4620 | */ | |
4621 | __update_reg_bounds(src_reg); | |
4622 | __update_reg_bounds(dst_reg); | |
f1174f77 EC |
4623 | } |
4624 | ||
4625 | static void reg_combine_min_max(struct bpf_reg_state *true_src, | |
4626 | struct bpf_reg_state *true_dst, | |
4627 | struct bpf_reg_state *false_src, | |
4628 | struct bpf_reg_state *false_dst, | |
4629 | u8 opcode) | |
4630 | { | |
4631 | switch (opcode) { | |
4632 | case BPF_JEQ: | |
4633 | __reg_combine_min_max(true_src, true_dst); | |
4634 | break; | |
4635 | case BPF_JNE: | |
4636 | __reg_combine_min_max(false_src, false_dst); | |
b03c9f9f | 4637 | break; |
4cabc5b1 | 4638 | } |
48461135 JB |
4639 | } |
4640 | ||
fd978bf7 JS |
4641 | static void mark_ptr_or_null_reg(struct bpf_func_state *state, |
4642 | struct bpf_reg_state *reg, u32 id, | |
840b9615 | 4643 | bool is_null) |
57a09bf0 | 4644 | { |
840b9615 | 4645 | if (reg_type_may_be_null(reg->type) && reg->id == id) { |
f1174f77 EC |
4646 | /* Old offset (both fixed and variable parts) should |
4647 | * have been known-zero, because we don't allow pointer | |
4648 | * arithmetic on pointers that might be NULL. | |
4649 | */ | |
b03c9f9f EC |
4650 | if (WARN_ON_ONCE(reg->smin_value || reg->smax_value || |
4651 | !tnum_equals_const(reg->var_off, 0) || | |
f1174f77 | 4652 | reg->off)) { |
b03c9f9f EC |
4653 | __mark_reg_known_zero(reg); |
4654 | reg->off = 0; | |
f1174f77 EC |
4655 | } |
4656 | if (is_null) { | |
4657 | reg->type = SCALAR_VALUE; | |
840b9615 JS |
4658 | } else if (reg->type == PTR_TO_MAP_VALUE_OR_NULL) { |
4659 | if (reg->map_ptr->inner_map_meta) { | |
4660 | reg->type = CONST_PTR_TO_MAP; | |
4661 | reg->map_ptr = reg->map_ptr->inner_map_meta; | |
4662 | } else { | |
4663 | reg->type = PTR_TO_MAP_VALUE; | |
4664 | } | |
c64b7983 JS |
4665 | } else if (reg->type == PTR_TO_SOCKET_OR_NULL) { |
4666 | reg->type = PTR_TO_SOCKET; | |
46f8bc92 MKL |
4667 | } else if (reg->type == PTR_TO_SOCK_COMMON_OR_NULL) { |
4668 | reg->type = PTR_TO_SOCK_COMMON; | |
655a51e5 MKL |
4669 | } else if (reg->type == PTR_TO_TCP_SOCK_OR_NULL) { |
4670 | reg->type = PTR_TO_TCP_SOCK; | |
56f668df | 4671 | } |
1b986589 MKL |
4672 | if (is_null) { |
4673 | /* We don't need id and ref_obj_id from this point | |
4674 | * onwards anymore, thus we should better reset it, | |
4675 | * so that state pruning has chances to take effect. | |
4676 | */ | |
4677 | reg->id = 0; | |
4678 | reg->ref_obj_id = 0; | |
4679 | } else if (!reg_may_point_to_spin_lock(reg)) { | |
4680 | /* For not-NULL ptr, reg->ref_obj_id will be reset | |
4681 | * in release_reg_references(). | |
4682 | * | |
4683 | * reg->id is still used by spin_lock ptr. Other | |
4684 | * than spin_lock ptr type, reg->id can be reset. | |
fd978bf7 JS |
4685 | */ |
4686 | reg->id = 0; | |
56f668df | 4687 | } |
57a09bf0 TG |
4688 | } |
4689 | } | |
4690 | ||
4691 | /* The logic is similar to find_good_pkt_pointers(), both could eventually | |
4692 | * be folded together at some point. | |
4693 | */ | |
840b9615 JS |
4694 | static void mark_ptr_or_null_regs(struct bpf_verifier_state *vstate, u32 regno, |
4695 | bool is_null) | |
57a09bf0 | 4696 | { |
f4d7e40a | 4697 | struct bpf_func_state *state = vstate->frame[vstate->curframe]; |
f3709f69 | 4698 | struct bpf_reg_state *reg, *regs = state->regs; |
1b986589 | 4699 | u32 ref_obj_id = regs[regno].ref_obj_id; |
a08dd0da | 4700 | u32 id = regs[regno].id; |
f4d7e40a | 4701 | int i, j; |
57a09bf0 | 4702 | |
1b986589 MKL |
4703 | if (ref_obj_id && ref_obj_id == id && is_null) |
4704 | /* regs[regno] is in the " == NULL" branch. | |
4705 | * No one could have freed the reference state before | |
4706 | * doing the NULL check. | |
4707 | */ | |
4708 | WARN_ON_ONCE(release_reference_state(state, id)); | |
fd978bf7 | 4709 | |
57a09bf0 | 4710 | for (i = 0; i < MAX_BPF_REG; i++) |
fd978bf7 | 4711 | mark_ptr_or_null_reg(state, ®s[i], id, is_null); |
57a09bf0 | 4712 | |
f4d7e40a AS |
4713 | for (j = 0; j <= vstate->curframe; j++) { |
4714 | state = vstate->frame[j]; | |
f3709f69 JS |
4715 | bpf_for_each_spilled_reg(i, state, reg) { |
4716 | if (!reg) | |
f4d7e40a | 4717 | continue; |
fd978bf7 | 4718 | mark_ptr_or_null_reg(state, reg, id, is_null); |
f4d7e40a | 4719 | } |
57a09bf0 TG |
4720 | } |
4721 | } | |
4722 | ||
5beca081 DB |
4723 | static bool try_match_pkt_pointers(const struct bpf_insn *insn, |
4724 | struct bpf_reg_state *dst_reg, | |
4725 | struct bpf_reg_state *src_reg, | |
4726 | struct bpf_verifier_state *this_branch, | |
4727 | struct bpf_verifier_state *other_branch) | |
4728 | { | |
4729 | if (BPF_SRC(insn->code) != BPF_X) | |
4730 | return false; | |
4731 | ||
092ed096 JW |
4732 | /* Pointers are always 64-bit. */ |
4733 | if (BPF_CLASS(insn->code) == BPF_JMP32) | |
4734 | return false; | |
4735 | ||
5beca081 DB |
4736 | switch (BPF_OP(insn->code)) { |
4737 | case BPF_JGT: | |
4738 | if ((dst_reg->type == PTR_TO_PACKET && | |
4739 | src_reg->type == PTR_TO_PACKET_END) || | |
4740 | (dst_reg->type == PTR_TO_PACKET_META && | |
4741 | reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { | |
4742 | /* pkt_data' > pkt_end, pkt_meta' > pkt_data */ | |
4743 | find_good_pkt_pointers(this_branch, dst_reg, | |
4744 | dst_reg->type, false); | |
4745 | } else if ((dst_reg->type == PTR_TO_PACKET_END && | |
4746 | src_reg->type == PTR_TO_PACKET) || | |
4747 | (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && | |
4748 | src_reg->type == PTR_TO_PACKET_META)) { | |
4749 | /* pkt_end > pkt_data', pkt_data > pkt_meta' */ | |
4750 | find_good_pkt_pointers(other_branch, src_reg, | |
4751 | src_reg->type, true); | |
4752 | } else { | |
4753 | return false; | |
4754 | } | |
4755 | break; | |
4756 | case BPF_JLT: | |
4757 | if ((dst_reg->type == PTR_TO_PACKET && | |
4758 | src_reg->type == PTR_TO_PACKET_END) || | |
4759 | (dst_reg->type == PTR_TO_PACKET_META && | |
4760 | reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { | |
4761 | /* pkt_data' < pkt_end, pkt_meta' < pkt_data */ | |
4762 | find_good_pkt_pointers(other_branch, dst_reg, | |
4763 | dst_reg->type, true); | |
4764 | } else if ((dst_reg->type == PTR_TO_PACKET_END && | |
4765 | src_reg->type == PTR_TO_PACKET) || | |
4766 | (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && | |
4767 | src_reg->type == PTR_TO_PACKET_META)) { | |
4768 | /* pkt_end < pkt_data', pkt_data > pkt_meta' */ | |
4769 | find_good_pkt_pointers(this_branch, src_reg, | |
4770 | src_reg->type, false); | |
4771 | } else { | |
4772 | return false; | |
4773 | } | |
4774 | break; | |
4775 | case BPF_JGE: | |
4776 | if ((dst_reg->type == PTR_TO_PACKET && | |
4777 | src_reg->type == PTR_TO_PACKET_END) || | |
4778 | (dst_reg->type == PTR_TO_PACKET_META && | |
4779 | reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { | |
4780 | /* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */ | |
4781 | find_good_pkt_pointers(this_branch, dst_reg, | |
4782 | dst_reg->type, true); | |
4783 | } else if ((dst_reg->type == PTR_TO_PACKET_END && | |
4784 | src_reg->type == PTR_TO_PACKET) || | |
4785 | (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && | |
4786 | src_reg->type == PTR_TO_PACKET_META)) { | |
4787 | /* pkt_end >= pkt_data', pkt_data >= pkt_meta' */ | |
4788 | find_good_pkt_pointers(other_branch, src_reg, | |
4789 | src_reg->type, false); | |
4790 | } else { | |
4791 | return false; | |
4792 | } | |
4793 | break; | |
4794 | case BPF_JLE: | |
4795 | if ((dst_reg->type == PTR_TO_PACKET && | |
4796 | src_reg->type == PTR_TO_PACKET_END) || | |
4797 | (dst_reg->type == PTR_TO_PACKET_META && | |
4798 | reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) { | |
4799 | /* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */ | |
4800 | find_good_pkt_pointers(other_branch, dst_reg, | |
4801 | dst_reg->type, false); | |
4802 | } else if ((dst_reg->type == PTR_TO_PACKET_END && | |
4803 | src_reg->type == PTR_TO_PACKET) || | |
4804 | (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) && | |
4805 | src_reg->type == PTR_TO_PACKET_META)) { | |
4806 | /* pkt_end <= pkt_data', pkt_data <= pkt_meta' */ | |
4807 | find_good_pkt_pointers(this_branch, src_reg, | |
4808 | src_reg->type, true); | |
4809 | } else { | |
4810 | return false; | |
4811 | } | |
4812 | break; | |
4813 | default: | |
4814 | return false; | |
4815 | } | |
4816 | ||
4817 | return true; | |
4818 | } | |
4819 | ||
58e2af8b | 4820 | static int check_cond_jmp_op(struct bpf_verifier_env *env, |
17a52670 AS |
4821 | struct bpf_insn *insn, int *insn_idx) |
4822 | { | |
f4d7e40a AS |
4823 | struct bpf_verifier_state *this_branch = env->cur_state; |
4824 | struct bpf_verifier_state *other_branch; | |
4825 | struct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs; | |
4826 | struct bpf_reg_state *dst_reg, *other_branch_regs; | |
17a52670 | 4827 | u8 opcode = BPF_OP(insn->code); |
092ed096 | 4828 | bool is_jmp32; |
17a52670 AS |
4829 | int err; |
4830 | ||
092ed096 JW |
4831 | /* Only conditional jumps are expected to reach here. */ |
4832 | if (opcode == BPF_JA || opcode > BPF_JSLE) { | |
4833 | verbose(env, "invalid BPF_JMP/JMP32 opcode %x\n", opcode); | |
17a52670 AS |
4834 | return -EINVAL; |
4835 | } | |
4836 | ||
4837 | if (BPF_SRC(insn->code) == BPF_X) { | |
4838 | if (insn->imm != 0) { | |
092ed096 | 4839 | verbose(env, "BPF_JMP/JMP32 uses reserved fields\n"); |
17a52670 AS |
4840 | return -EINVAL; |
4841 | } | |
4842 | ||
4843 | /* check src1 operand */ | |
dc503a8a | 4844 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
4845 | if (err) |
4846 | return err; | |
1be7f75d AS |
4847 | |
4848 | if (is_pointer_value(env, insn->src_reg)) { | |
61bd5218 | 4849 | verbose(env, "R%d pointer comparison prohibited\n", |
1be7f75d AS |
4850 | insn->src_reg); |
4851 | return -EACCES; | |
4852 | } | |
17a52670 AS |
4853 | } else { |
4854 | if (insn->src_reg != BPF_REG_0) { | |
092ed096 | 4855 | verbose(env, "BPF_JMP/JMP32 uses reserved fields\n"); |
17a52670 AS |
4856 | return -EINVAL; |
4857 | } | |
4858 | } | |
4859 | ||
4860 | /* check src2 operand */ | |
dc503a8a | 4861 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
4862 | if (err) |
4863 | return err; | |
4864 | ||
1a0dc1ac | 4865 | dst_reg = ®s[insn->dst_reg]; |
092ed096 | 4866 | is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32; |
1a0dc1ac | 4867 | |
4f7b3e82 | 4868 | if (BPF_SRC(insn->code) == BPF_K) { |
092ed096 JW |
4869 | int pred = is_branch_taken(dst_reg, insn->imm, opcode, |
4870 | is_jmp32); | |
4f7b3e82 AS |
4871 | |
4872 | if (pred == 1) { | |
4873 | /* only follow the goto, ignore fall-through */ | |
17a52670 AS |
4874 | *insn_idx += insn->off; |
4875 | return 0; | |
4f7b3e82 AS |
4876 | } else if (pred == 0) { |
4877 | /* only follow fall-through branch, since | |
17a52670 AS |
4878 | * that's where the program will go |
4879 | */ | |
4880 | return 0; | |
4881 | } | |
4882 | } | |
4883 | ||
979d63d5 DB |
4884 | other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx, |
4885 | false); | |
17a52670 AS |
4886 | if (!other_branch) |
4887 | return -EFAULT; | |
f4d7e40a | 4888 | other_branch_regs = other_branch->frame[other_branch->curframe]->regs; |
17a52670 | 4889 | |
48461135 JB |
4890 | /* detect if we are comparing against a constant value so we can adjust |
4891 | * our min/max values for our dst register. | |
f1174f77 EC |
4892 | * this is only legit if both are scalars (or pointers to the same |
4893 | * object, I suppose, but we don't support that right now), because | |
4894 | * otherwise the different base pointers mean the offsets aren't | |
4895 | * comparable. | |
48461135 JB |
4896 | */ |
4897 | if (BPF_SRC(insn->code) == BPF_X) { | |
092ed096 JW |
4898 | struct bpf_reg_state *src_reg = ®s[insn->src_reg]; |
4899 | struct bpf_reg_state lo_reg0 = *dst_reg; | |
4900 | struct bpf_reg_state lo_reg1 = *src_reg; | |
4901 | struct bpf_reg_state *src_lo, *dst_lo; | |
4902 | ||
4903 | dst_lo = &lo_reg0; | |
4904 | src_lo = &lo_reg1; | |
4905 | coerce_reg_to_size(dst_lo, 4); | |
4906 | coerce_reg_to_size(src_lo, 4); | |
4907 | ||
f1174f77 | 4908 | if (dst_reg->type == SCALAR_VALUE && |
092ed096 JW |
4909 | src_reg->type == SCALAR_VALUE) { |
4910 | if (tnum_is_const(src_reg->var_off) || | |
4911 | (is_jmp32 && tnum_is_const(src_lo->var_off))) | |
f4d7e40a | 4912 | reg_set_min_max(&other_branch_regs[insn->dst_reg], |
092ed096 JW |
4913 | dst_reg, |
4914 | is_jmp32 | |
4915 | ? src_lo->var_off.value | |
4916 | : src_reg->var_off.value, | |
4917 | opcode, is_jmp32); | |
4918 | else if (tnum_is_const(dst_reg->var_off) || | |
4919 | (is_jmp32 && tnum_is_const(dst_lo->var_off))) | |
f4d7e40a | 4920 | reg_set_min_max_inv(&other_branch_regs[insn->src_reg], |
092ed096 JW |
4921 | src_reg, |
4922 | is_jmp32 | |
4923 | ? dst_lo->var_off.value | |
4924 | : dst_reg->var_off.value, | |
4925 | opcode, is_jmp32); | |
4926 | else if (!is_jmp32 && | |
4927 | (opcode == BPF_JEQ || opcode == BPF_JNE)) | |
f1174f77 | 4928 | /* Comparing for equality, we can combine knowledge */ |
f4d7e40a AS |
4929 | reg_combine_min_max(&other_branch_regs[insn->src_reg], |
4930 | &other_branch_regs[insn->dst_reg], | |
092ed096 | 4931 | src_reg, dst_reg, opcode); |
f1174f77 EC |
4932 | } |
4933 | } else if (dst_reg->type == SCALAR_VALUE) { | |
f4d7e40a | 4934 | reg_set_min_max(&other_branch_regs[insn->dst_reg], |
092ed096 | 4935 | dst_reg, insn->imm, opcode, is_jmp32); |
48461135 JB |
4936 | } |
4937 | ||
092ed096 JW |
4938 | /* detect if R == 0 where R is returned from bpf_map_lookup_elem(). |
4939 | * NOTE: these optimizations below are related with pointer comparison | |
4940 | * which will never be JMP32. | |
4941 | */ | |
4942 | if (!is_jmp32 && BPF_SRC(insn->code) == BPF_K && | |
1a0dc1ac | 4943 | insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) && |
840b9615 JS |
4944 | reg_type_may_be_null(dst_reg->type)) { |
4945 | /* Mark all identical registers in each branch as either | |
57a09bf0 TG |
4946 | * safe or unknown depending R == 0 or R != 0 conditional. |
4947 | */ | |
840b9615 JS |
4948 | mark_ptr_or_null_regs(this_branch, insn->dst_reg, |
4949 | opcode == BPF_JNE); | |
4950 | mark_ptr_or_null_regs(other_branch, insn->dst_reg, | |
4951 | opcode == BPF_JEQ); | |
5beca081 DB |
4952 | } else if (!try_match_pkt_pointers(insn, dst_reg, ®s[insn->src_reg], |
4953 | this_branch, other_branch) && | |
4954 | is_pointer_value(env, insn->dst_reg)) { | |
61bd5218 JK |
4955 | verbose(env, "R%d pointer comparison prohibited\n", |
4956 | insn->dst_reg); | |
1be7f75d | 4957 | return -EACCES; |
17a52670 | 4958 | } |
61bd5218 | 4959 | if (env->log.level) |
f4d7e40a | 4960 | print_verifier_state(env, this_branch->frame[this_branch->curframe]); |
17a52670 AS |
4961 | return 0; |
4962 | } | |
4963 | ||
0246e64d AS |
4964 | /* return the map pointer stored inside BPF_LD_IMM64 instruction */ |
4965 | static struct bpf_map *ld_imm64_to_map_ptr(struct bpf_insn *insn) | |
4966 | { | |
4967 | u64 imm64 = ((u64) (u32) insn[0].imm) | ((u64) (u32) insn[1].imm) << 32; | |
4968 | ||
4969 | return (struct bpf_map *) (unsigned long) imm64; | |
4970 | } | |
4971 | ||
17a52670 | 4972 | /* verify BPF_LD_IMM64 instruction */ |
58e2af8b | 4973 | static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn) |
17a52670 | 4974 | { |
638f5b90 | 4975 | struct bpf_reg_state *regs = cur_regs(env); |
17a52670 AS |
4976 | int err; |
4977 | ||
4978 | if (BPF_SIZE(insn->code) != BPF_DW) { | |
61bd5218 | 4979 | verbose(env, "invalid BPF_LD_IMM insn\n"); |
17a52670 AS |
4980 | return -EINVAL; |
4981 | } | |
4982 | if (insn->off != 0) { | |
61bd5218 | 4983 | verbose(env, "BPF_LD_IMM64 uses reserved fields\n"); |
17a52670 AS |
4984 | return -EINVAL; |
4985 | } | |
4986 | ||
dc503a8a | 4987 | err = check_reg_arg(env, insn->dst_reg, DST_OP); |
17a52670 AS |
4988 | if (err) |
4989 | return err; | |
4990 | ||
6b173873 | 4991 | if (insn->src_reg == 0) { |
6b173873 JK |
4992 | u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm; |
4993 | ||
f1174f77 | 4994 | regs[insn->dst_reg].type = SCALAR_VALUE; |
b03c9f9f | 4995 | __mark_reg_known(®s[insn->dst_reg], imm); |
17a52670 | 4996 | return 0; |
6b173873 | 4997 | } |
17a52670 AS |
4998 | |
4999 | /* replace_map_fd_with_map_ptr() should have caught bad ld_imm64 */ | |
5000 | BUG_ON(insn->src_reg != BPF_PSEUDO_MAP_FD); | |
5001 | ||
5002 | regs[insn->dst_reg].type = CONST_PTR_TO_MAP; | |
5003 | regs[insn->dst_reg].map_ptr = ld_imm64_to_map_ptr(insn); | |
5004 | return 0; | |
5005 | } | |
5006 | ||
96be4325 DB |
5007 | static bool may_access_skb(enum bpf_prog_type type) |
5008 | { | |
5009 | switch (type) { | |
5010 | case BPF_PROG_TYPE_SOCKET_FILTER: | |
5011 | case BPF_PROG_TYPE_SCHED_CLS: | |
94caee8c | 5012 | case BPF_PROG_TYPE_SCHED_ACT: |
96be4325 DB |
5013 | return true; |
5014 | default: | |
5015 | return false; | |
5016 | } | |
5017 | } | |
5018 | ||
ddd872bc AS |
5019 | /* verify safety of LD_ABS|LD_IND instructions: |
5020 | * - they can only appear in the programs where ctx == skb | |
5021 | * - since they are wrappers of function calls, they scratch R1-R5 registers, | |
5022 | * preserve R6-R9, and store return value into R0 | |
5023 | * | |
5024 | * Implicit input: | |
5025 | * ctx == skb == R6 == CTX | |
5026 | * | |
5027 | * Explicit input: | |
5028 | * SRC == any register | |
5029 | * IMM == 32-bit immediate | |
5030 | * | |
5031 | * Output: | |
5032 | * R0 - 8/16/32-bit skb data converted to cpu endianness | |
5033 | */ | |
58e2af8b | 5034 | static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) |
ddd872bc | 5035 | { |
638f5b90 | 5036 | struct bpf_reg_state *regs = cur_regs(env); |
ddd872bc | 5037 | u8 mode = BPF_MODE(insn->code); |
ddd872bc AS |
5038 | int i, err; |
5039 | ||
24701ece | 5040 | if (!may_access_skb(env->prog->type)) { |
61bd5218 | 5041 | verbose(env, "BPF_LD_[ABS|IND] instructions not allowed for this program type\n"); |
ddd872bc AS |
5042 | return -EINVAL; |
5043 | } | |
5044 | ||
e0cea7ce DB |
5045 | if (!env->ops->gen_ld_abs) { |
5046 | verbose(env, "bpf verifier is misconfigured\n"); | |
5047 | return -EINVAL; | |
5048 | } | |
5049 | ||
f910cefa | 5050 | if (env->subprog_cnt > 1) { |
f4d7e40a AS |
5051 | /* when program has LD_ABS insn JITs and interpreter assume |
5052 | * that r1 == ctx == skb which is not the case for callees | |
5053 | * that can have arbitrary arguments. It's problematic | |
5054 | * for main prog as well since JITs would need to analyze | |
5055 | * all functions in order to make proper register save/restore | |
5056 | * decisions in the main prog. Hence disallow LD_ABS with calls | |
5057 | */ | |
5058 | verbose(env, "BPF_LD_[ABS|IND] instructions cannot be mixed with bpf-to-bpf calls\n"); | |
5059 | return -EINVAL; | |
5060 | } | |
5061 | ||
ddd872bc | 5062 | if (insn->dst_reg != BPF_REG_0 || insn->off != 0 || |
d82bccc6 | 5063 | BPF_SIZE(insn->code) == BPF_DW || |
ddd872bc | 5064 | (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) { |
61bd5218 | 5065 | verbose(env, "BPF_LD_[ABS|IND] uses reserved fields\n"); |
ddd872bc AS |
5066 | return -EINVAL; |
5067 | } | |
5068 | ||
5069 | /* check whether implicit source operand (register R6) is readable */ | |
dc503a8a | 5070 | err = check_reg_arg(env, BPF_REG_6, SRC_OP); |
ddd872bc AS |
5071 | if (err) |
5072 | return err; | |
5073 | ||
fd978bf7 JS |
5074 | /* Disallow usage of BPF_LD_[ABS|IND] with reference tracking, as |
5075 | * gen_ld_abs() may terminate the program at runtime, leading to | |
5076 | * reference leak. | |
5077 | */ | |
5078 | err = check_reference_leak(env); | |
5079 | if (err) { | |
5080 | verbose(env, "BPF_LD_[ABS|IND] cannot be mixed with socket references\n"); | |
5081 | return err; | |
5082 | } | |
5083 | ||
d83525ca AS |
5084 | if (env->cur_state->active_spin_lock) { |
5085 | verbose(env, "BPF_LD_[ABS|IND] cannot be used inside bpf_spin_lock-ed region\n"); | |
5086 | return -EINVAL; | |
5087 | } | |
5088 | ||
ddd872bc | 5089 | if (regs[BPF_REG_6].type != PTR_TO_CTX) { |
61bd5218 JK |
5090 | verbose(env, |
5091 | "at the time of BPF_LD_ABS|IND R6 != pointer to skb\n"); | |
ddd872bc AS |
5092 | return -EINVAL; |
5093 | } | |
5094 | ||
5095 | if (mode == BPF_IND) { | |
5096 | /* check explicit source operand */ | |
dc503a8a | 5097 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
ddd872bc AS |
5098 | if (err) |
5099 | return err; | |
5100 | } | |
5101 | ||
5102 | /* reset caller saved regs to unreadable */ | |
dc503a8a | 5103 | for (i = 0; i < CALLER_SAVED_REGS; i++) { |
61bd5218 | 5104 | mark_reg_not_init(env, regs, caller_saved[i]); |
dc503a8a EC |
5105 | check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); |
5106 | } | |
ddd872bc AS |
5107 | |
5108 | /* mark destination R0 register as readable, since it contains | |
dc503a8a EC |
5109 | * the value fetched from the packet. |
5110 | * Already marked as written above. | |
ddd872bc | 5111 | */ |
61bd5218 | 5112 | mark_reg_unknown(env, regs, BPF_REG_0); |
ddd872bc AS |
5113 | return 0; |
5114 | } | |
5115 | ||
390ee7e2 AS |
5116 | static int check_return_code(struct bpf_verifier_env *env) |
5117 | { | |
5118 | struct bpf_reg_state *reg; | |
5119 | struct tnum range = tnum_range(0, 1); | |
5120 | ||
5121 | switch (env->prog->type) { | |
5122 | case BPF_PROG_TYPE_CGROUP_SKB: | |
5123 | case BPF_PROG_TYPE_CGROUP_SOCK: | |
4fbac77d | 5124 | case BPF_PROG_TYPE_CGROUP_SOCK_ADDR: |
390ee7e2 | 5125 | case BPF_PROG_TYPE_SOCK_OPS: |
ebc614f6 | 5126 | case BPF_PROG_TYPE_CGROUP_DEVICE: |
390ee7e2 AS |
5127 | break; |
5128 | default: | |
5129 | return 0; | |
5130 | } | |
5131 | ||
638f5b90 | 5132 | reg = cur_regs(env) + BPF_REG_0; |
390ee7e2 | 5133 | if (reg->type != SCALAR_VALUE) { |
61bd5218 | 5134 | verbose(env, "At program exit the register R0 is not a known value (%s)\n", |
390ee7e2 AS |
5135 | reg_type_str[reg->type]); |
5136 | return -EINVAL; | |
5137 | } | |
5138 | ||
5139 | if (!tnum_in(range, reg->var_off)) { | |
61bd5218 | 5140 | verbose(env, "At program exit the register R0 "); |
390ee7e2 AS |
5141 | if (!tnum_is_unknown(reg->var_off)) { |
5142 | char tn_buf[48]; | |
5143 | ||
5144 | tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); | |
61bd5218 | 5145 | verbose(env, "has value %s", tn_buf); |
390ee7e2 | 5146 | } else { |
61bd5218 | 5147 | verbose(env, "has unknown scalar value"); |
390ee7e2 | 5148 | } |
61bd5218 | 5149 | verbose(env, " should have been 0 or 1\n"); |
390ee7e2 AS |
5150 | return -EINVAL; |
5151 | } | |
5152 | return 0; | |
5153 | } | |
5154 | ||
475fb78f AS |
5155 | /* non-recursive DFS pseudo code |
5156 | * 1 procedure DFS-iterative(G,v): | |
5157 | * 2 label v as discovered | |
5158 | * 3 let S be a stack | |
5159 | * 4 S.push(v) | |
5160 | * 5 while S is not empty | |
5161 | * 6 t <- S.pop() | |
5162 | * 7 if t is what we're looking for: | |
5163 | * 8 return t | |
5164 | * 9 for all edges e in G.adjacentEdges(t) do | |
5165 | * 10 if edge e is already labelled | |
5166 | * 11 continue with the next edge | |
5167 | * 12 w <- G.adjacentVertex(t,e) | |
5168 | * 13 if vertex w is not discovered and not explored | |
5169 | * 14 label e as tree-edge | |
5170 | * 15 label w as discovered | |
5171 | * 16 S.push(w) | |
5172 | * 17 continue at 5 | |
5173 | * 18 else if vertex w is discovered | |
5174 | * 19 label e as back-edge | |
5175 | * 20 else | |
5176 | * 21 // vertex w is explored | |
5177 | * 22 label e as forward- or cross-edge | |
5178 | * 23 label t as explored | |
5179 | * 24 S.pop() | |
5180 | * | |
5181 | * convention: | |
5182 | * 0x10 - discovered | |
5183 | * 0x11 - discovered and fall-through edge labelled | |
5184 | * 0x12 - discovered and fall-through and branch edges labelled | |
5185 | * 0x20 - explored | |
5186 | */ | |
5187 | ||
5188 | enum { | |
5189 | DISCOVERED = 0x10, | |
5190 | EXPLORED = 0x20, | |
5191 | FALLTHROUGH = 1, | |
5192 | BRANCH = 2, | |
5193 | }; | |
5194 | ||
58e2af8b | 5195 | #define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L) |
f1bca824 | 5196 | |
475fb78f AS |
5197 | static int *insn_stack; /* stack of insns to process */ |
5198 | static int cur_stack; /* current stack index */ | |
5199 | static int *insn_state; | |
5200 | ||
5201 | /* t, w, e - match pseudo-code above: | |
5202 | * t - index of current instruction | |
5203 | * w - next instruction | |
5204 | * e - edge | |
5205 | */ | |
58e2af8b | 5206 | static int push_insn(int t, int w, int e, struct bpf_verifier_env *env) |
475fb78f AS |
5207 | { |
5208 | if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH)) | |
5209 | return 0; | |
5210 | ||
5211 | if (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH)) | |
5212 | return 0; | |
5213 | ||
5214 | if (w < 0 || w >= env->prog->len) { | |
d9762e84 | 5215 | verbose_linfo(env, t, "%d: ", t); |
61bd5218 | 5216 | verbose(env, "jump out of range from insn %d to %d\n", t, w); |
475fb78f AS |
5217 | return -EINVAL; |
5218 | } | |
5219 | ||
f1bca824 AS |
5220 | if (e == BRANCH) |
5221 | /* mark branch target for state pruning */ | |
5222 | env->explored_states[w] = STATE_LIST_MARK; | |
5223 | ||
475fb78f AS |
5224 | if (insn_state[w] == 0) { |
5225 | /* tree-edge */ | |
5226 | insn_state[t] = DISCOVERED | e; | |
5227 | insn_state[w] = DISCOVERED; | |
5228 | if (cur_stack >= env->prog->len) | |
5229 | return -E2BIG; | |
5230 | insn_stack[cur_stack++] = w; | |
5231 | return 1; | |
5232 | } else if ((insn_state[w] & 0xF0) == DISCOVERED) { | |
d9762e84 MKL |
5233 | verbose_linfo(env, t, "%d: ", t); |
5234 | verbose_linfo(env, w, "%d: ", w); | |
61bd5218 | 5235 | verbose(env, "back-edge from insn %d to %d\n", t, w); |
475fb78f AS |
5236 | return -EINVAL; |
5237 | } else if (insn_state[w] == EXPLORED) { | |
5238 | /* forward- or cross-edge */ | |
5239 | insn_state[t] = DISCOVERED | e; | |
5240 | } else { | |
61bd5218 | 5241 | verbose(env, "insn state internal bug\n"); |
475fb78f AS |
5242 | return -EFAULT; |
5243 | } | |
5244 | return 0; | |
5245 | } | |
5246 | ||
5247 | /* non-recursive depth-first-search to detect loops in BPF program | |
5248 | * loop == back-edge in directed graph | |
5249 | */ | |
58e2af8b | 5250 | static int check_cfg(struct bpf_verifier_env *env) |
475fb78f AS |
5251 | { |
5252 | struct bpf_insn *insns = env->prog->insnsi; | |
5253 | int insn_cnt = env->prog->len; | |
5254 | int ret = 0; | |
5255 | int i, t; | |
5256 | ||
5257 | insn_state = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL); | |
5258 | if (!insn_state) | |
5259 | return -ENOMEM; | |
5260 | ||
5261 | insn_stack = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL); | |
5262 | if (!insn_stack) { | |
5263 | kfree(insn_state); | |
5264 | return -ENOMEM; | |
5265 | } | |
5266 | ||
5267 | insn_state[0] = DISCOVERED; /* mark 1st insn as discovered */ | |
5268 | insn_stack[0] = 0; /* 0 is the first instruction */ | |
5269 | cur_stack = 1; | |
5270 | ||
5271 | peek_stack: | |
5272 | if (cur_stack == 0) | |
5273 | goto check_state; | |
5274 | t = insn_stack[cur_stack - 1]; | |
5275 | ||
092ed096 JW |
5276 | if (BPF_CLASS(insns[t].code) == BPF_JMP || |
5277 | BPF_CLASS(insns[t].code) == BPF_JMP32) { | |
475fb78f AS |
5278 | u8 opcode = BPF_OP(insns[t].code); |
5279 | ||
5280 | if (opcode == BPF_EXIT) { | |
5281 | goto mark_explored; | |
5282 | } else if (opcode == BPF_CALL) { | |
5283 | ret = push_insn(t, t + 1, FALLTHROUGH, env); | |
5284 | if (ret == 1) | |
5285 | goto peek_stack; | |
5286 | else if (ret < 0) | |
5287 | goto err_free; | |
07016151 DB |
5288 | if (t + 1 < insn_cnt) |
5289 | env->explored_states[t + 1] = STATE_LIST_MARK; | |
cc8b0b92 AS |
5290 | if (insns[t].src_reg == BPF_PSEUDO_CALL) { |
5291 | env->explored_states[t] = STATE_LIST_MARK; | |
5292 | ret = push_insn(t, t + insns[t].imm + 1, BRANCH, env); | |
5293 | if (ret == 1) | |
5294 | goto peek_stack; | |
5295 | else if (ret < 0) | |
5296 | goto err_free; | |
5297 | } | |
475fb78f AS |
5298 | } else if (opcode == BPF_JA) { |
5299 | if (BPF_SRC(insns[t].code) != BPF_K) { | |
5300 | ret = -EINVAL; | |
5301 | goto err_free; | |
5302 | } | |
5303 | /* unconditional jump with single edge */ | |
5304 | ret = push_insn(t, t + insns[t].off + 1, | |
5305 | FALLTHROUGH, env); | |
5306 | if (ret == 1) | |
5307 | goto peek_stack; | |
5308 | else if (ret < 0) | |
5309 | goto err_free; | |
f1bca824 AS |
5310 | /* tell verifier to check for equivalent states |
5311 | * after every call and jump | |
5312 | */ | |
c3de6317 AS |
5313 | if (t + 1 < insn_cnt) |
5314 | env->explored_states[t + 1] = STATE_LIST_MARK; | |
475fb78f AS |
5315 | } else { |
5316 | /* conditional jump with two edges */ | |
3c2ce60b | 5317 | env->explored_states[t] = STATE_LIST_MARK; |
475fb78f AS |
5318 | ret = push_insn(t, t + 1, FALLTHROUGH, env); |
5319 | if (ret == 1) | |
5320 | goto peek_stack; | |
5321 | else if (ret < 0) | |
5322 | goto err_free; | |
5323 | ||
5324 | ret = push_insn(t, t + insns[t].off + 1, BRANCH, env); | |
5325 | if (ret == 1) | |
5326 | goto peek_stack; | |
5327 | else if (ret < 0) | |
5328 | goto err_free; | |
5329 | } | |
5330 | } else { | |
5331 | /* all other non-branch instructions with single | |
5332 | * fall-through edge | |
5333 | */ | |
5334 | ret = push_insn(t, t + 1, FALLTHROUGH, env); | |
5335 | if (ret == 1) | |
5336 | goto peek_stack; | |
5337 | else if (ret < 0) | |
5338 | goto err_free; | |
5339 | } | |
5340 | ||
5341 | mark_explored: | |
5342 | insn_state[t] = EXPLORED; | |
5343 | if (cur_stack-- <= 0) { | |
61bd5218 | 5344 | verbose(env, "pop stack internal bug\n"); |
475fb78f AS |
5345 | ret = -EFAULT; |
5346 | goto err_free; | |
5347 | } | |
5348 | goto peek_stack; | |
5349 | ||
5350 | check_state: | |
5351 | for (i = 0; i < insn_cnt; i++) { | |
5352 | if (insn_state[i] != EXPLORED) { | |
61bd5218 | 5353 | verbose(env, "unreachable insn %d\n", i); |
475fb78f AS |
5354 | ret = -EINVAL; |
5355 | goto err_free; | |
5356 | } | |
5357 | } | |
5358 | ret = 0; /* cfg looks good */ | |
5359 | ||
5360 | err_free: | |
5361 | kfree(insn_state); | |
5362 | kfree(insn_stack); | |
5363 | return ret; | |
5364 | } | |
5365 | ||
838e9690 YS |
5366 | /* The minimum supported BTF func info size */ |
5367 | #define MIN_BPF_FUNCINFO_SIZE 8 | |
5368 | #define MAX_FUNCINFO_REC_SIZE 252 | |
5369 | ||
c454a46b MKL |
5370 | static int check_btf_func(struct bpf_verifier_env *env, |
5371 | const union bpf_attr *attr, | |
5372 | union bpf_attr __user *uattr) | |
838e9690 | 5373 | { |
d0b2818e | 5374 | u32 i, nfuncs, urec_size, min_size; |
838e9690 | 5375 | u32 krec_size = sizeof(struct bpf_func_info); |
c454a46b | 5376 | struct bpf_func_info *krecord; |
838e9690 | 5377 | const struct btf_type *type; |
c454a46b MKL |
5378 | struct bpf_prog *prog; |
5379 | const struct btf *btf; | |
838e9690 | 5380 | void __user *urecord; |
d0b2818e | 5381 | u32 prev_offset = 0; |
838e9690 YS |
5382 | int ret = 0; |
5383 | ||
5384 | nfuncs = attr->func_info_cnt; | |
5385 | if (!nfuncs) | |
5386 | return 0; | |
5387 | ||
5388 | if (nfuncs != env->subprog_cnt) { | |
5389 | verbose(env, "number of funcs in func_info doesn't match number of subprogs\n"); | |
5390 | return -EINVAL; | |
5391 | } | |
5392 | ||
5393 | urec_size = attr->func_info_rec_size; | |
5394 | if (urec_size < MIN_BPF_FUNCINFO_SIZE || | |
5395 | urec_size > MAX_FUNCINFO_REC_SIZE || | |
5396 | urec_size % sizeof(u32)) { | |
5397 | verbose(env, "invalid func info rec size %u\n", urec_size); | |
5398 | return -EINVAL; | |
5399 | } | |
5400 | ||
c454a46b MKL |
5401 | prog = env->prog; |
5402 | btf = prog->aux->btf; | |
838e9690 YS |
5403 | |
5404 | urecord = u64_to_user_ptr(attr->func_info); | |
5405 | min_size = min_t(u32, krec_size, urec_size); | |
5406 | ||
ba64e7d8 | 5407 | krecord = kvcalloc(nfuncs, krec_size, GFP_KERNEL | __GFP_NOWARN); |
c454a46b MKL |
5408 | if (!krecord) |
5409 | return -ENOMEM; | |
ba64e7d8 | 5410 | |
838e9690 YS |
5411 | for (i = 0; i < nfuncs; i++) { |
5412 | ret = bpf_check_uarg_tail_zero(urecord, krec_size, urec_size); | |
5413 | if (ret) { | |
5414 | if (ret == -E2BIG) { | |
5415 | verbose(env, "nonzero tailing record in func info"); | |
5416 | /* set the size kernel expects so loader can zero | |
5417 | * out the rest of the record. | |
5418 | */ | |
5419 | if (put_user(min_size, &uattr->func_info_rec_size)) | |
5420 | ret = -EFAULT; | |
5421 | } | |
c454a46b | 5422 | goto err_free; |
838e9690 YS |
5423 | } |
5424 | ||
ba64e7d8 | 5425 | if (copy_from_user(&krecord[i], urecord, min_size)) { |
838e9690 | 5426 | ret = -EFAULT; |
c454a46b | 5427 | goto err_free; |
838e9690 YS |
5428 | } |
5429 | ||
d30d42e0 | 5430 | /* check insn_off */ |
838e9690 | 5431 | if (i == 0) { |
d30d42e0 | 5432 | if (krecord[i].insn_off) { |
838e9690 | 5433 | verbose(env, |
d30d42e0 MKL |
5434 | "nonzero insn_off %u for the first func info record", |
5435 | krecord[i].insn_off); | |
838e9690 | 5436 | ret = -EINVAL; |
c454a46b | 5437 | goto err_free; |
838e9690 | 5438 | } |
d30d42e0 | 5439 | } else if (krecord[i].insn_off <= prev_offset) { |
838e9690 YS |
5440 | verbose(env, |
5441 | "same or smaller insn offset (%u) than previous func info record (%u)", | |
d30d42e0 | 5442 | krecord[i].insn_off, prev_offset); |
838e9690 | 5443 | ret = -EINVAL; |
c454a46b | 5444 | goto err_free; |
838e9690 YS |
5445 | } |
5446 | ||
d30d42e0 | 5447 | if (env->subprog_info[i].start != krecord[i].insn_off) { |
838e9690 YS |
5448 | verbose(env, "func_info BTF section doesn't match subprog layout in BPF program\n"); |
5449 | ret = -EINVAL; | |
c454a46b | 5450 | goto err_free; |
838e9690 YS |
5451 | } |
5452 | ||
5453 | /* check type_id */ | |
ba64e7d8 | 5454 | type = btf_type_by_id(btf, krecord[i].type_id); |
838e9690 YS |
5455 | if (!type || BTF_INFO_KIND(type->info) != BTF_KIND_FUNC) { |
5456 | verbose(env, "invalid type id %d in func info", | |
ba64e7d8 | 5457 | krecord[i].type_id); |
838e9690 | 5458 | ret = -EINVAL; |
c454a46b | 5459 | goto err_free; |
838e9690 YS |
5460 | } |
5461 | ||
d30d42e0 | 5462 | prev_offset = krecord[i].insn_off; |
838e9690 YS |
5463 | urecord += urec_size; |
5464 | } | |
5465 | ||
ba64e7d8 YS |
5466 | prog->aux->func_info = krecord; |
5467 | prog->aux->func_info_cnt = nfuncs; | |
838e9690 YS |
5468 | return 0; |
5469 | ||
c454a46b | 5470 | err_free: |
ba64e7d8 | 5471 | kvfree(krecord); |
838e9690 YS |
5472 | return ret; |
5473 | } | |
5474 | ||
ba64e7d8 YS |
5475 | static void adjust_btf_func(struct bpf_verifier_env *env) |
5476 | { | |
5477 | int i; | |
5478 | ||
5479 | if (!env->prog->aux->func_info) | |
5480 | return; | |
5481 | ||
5482 | for (i = 0; i < env->subprog_cnt; i++) | |
d30d42e0 | 5483 | env->prog->aux->func_info[i].insn_off = env->subprog_info[i].start; |
ba64e7d8 YS |
5484 | } |
5485 | ||
c454a46b MKL |
5486 | #define MIN_BPF_LINEINFO_SIZE (offsetof(struct bpf_line_info, line_col) + \ |
5487 | sizeof(((struct bpf_line_info *)(0))->line_col)) | |
5488 | #define MAX_LINEINFO_REC_SIZE MAX_FUNCINFO_REC_SIZE | |
5489 | ||
5490 | static int check_btf_line(struct bpf_verifier_env *env, | |
5491 | const union bpf_attr *attr, | |
5492 | union bpf_attr __user *uattr) | |
5493 | { | |
5494 | u32 i, s, nr_linfo, ncopy, expected_size, rec_size, prev_offset = 0; | |
5495 | struct bpf_subprog_info *sub; | |
5496 | struct bpf_line_info *linfo; | |
5497 | struct bpf_prog *prog; | |
5498 | const struct btf *btf; | |
5499 | void __user *ulinfo; | |
5500 | int err; | |
5501 | ||
5502 | nr_linfo = attr->line_info_cnt; | |
5503 | if (!nr_linfo) | |
5504 | return 0; | |
5505 | ||
5506 | rec_size = attr->line_info_rec_size; | |
5507 | if (rec_size < MIN_BPF_LINEINFO_SIZE || | |
5508 | rec_size > MAX_LINEINFO_REC_SIZE || | |
5509 | rec_size & (sizeof(u32) - 1)) | |
5510 | return -EINVAL; | |
5511 | ||
5512 | /* Need to zero it in case the userspace may | |
5513 | * pass in a smaller bpf_line_info object. | |
5514 | */ | |
5515 | linfo = kvcalloc(nr_linfo, sizeof(struct bpf_line_info), | |
5516 | GFP_KERNEL | __GFP_NOWARN); | |
5517 | if (!linfo) | |
5518 | return -ENOMEM; | |
5519 | ||
5520 | prog = env->prog; | |
5521 | btf = prog->aux->btf; | |
5522 | ||
5523 | s = 0; | |
5524 | sub = env->subprog_info; | |
5525 | ulinfo = u64_to_user_ptr(attr->line_info); | |
5526 | expected_size = sizeof(struct bpf_line_info); | |
5527 | ncopy = min_t(u32, expected_size, rec_size); | |
5528 | for (i = 0; i < nr_linfo; i++) { | |
5529 | err = bpf_check_uarg_tail_zero(ulinfo, expected_size, rec_size); | |
5530 | if (err) { | |
5531 | if (err == -E2BIG) { | |
5532 | verbose(env, "nonzero tailing record in line_info"); | |
5533 | if (put_user(expected_size, | |
5534 | &uattr->line_info_rec_size)) | |
5535 | err = -EFAULT; | |
5536 | } | |
5537 | goto err_free; | |
5538 | } | |
5539 | ||
5540 | if (copy_from_user(&linfo[i], ulinfo, ncopy)) { | |
5541 | err = -EFAULT; | |
5542 | goto err_free; | |
5543 | } | |
5544 | ||
5545 | /* | |
5546 | * Check insn_off to ensure | |
5547 | * 1) strictly increasing AND | |
5548 | * 2) bounded by prog->len | |
5549 | * | |
5550 | * The linfo[0].insn_off == 0 check logically falls into | |
5551 | * the later "missing bpf_line_info for func..." case | |
5552 | * because the first linfo[0].insn_off must be the | |
5553 | * first sub also and the first sub must have | |
5554 | * subprog_info[0].start == 0. | |
5555 | */ | |
5556 | if ((i && linfo[i].insn_off <= prev_offset) || | |
5557 | linfo[i].insn_off >= prog->len) { | |
5558 | verbose(env, "Invalid line_info[%u].insn_off:%u (prev_offset:%u prog->len:%u)\n", | |
5559 | i, linfo[i].insn_off, prev_offset, | |
5560 | prog->len); | |
5561 | err = -EINVAL; | |
5562 | goto err_free; | |
5563 | } | |
5564 | ||
fdbaa0be MKL |
5565 | if (!prog->insnsi[linfo[i].insn_off].code) { |
5566 | verbose(env, | |
5567 | "Invalid insn code at line_info[%u].insn_off\n", | |
5568 | i); | |
5569 | err = -EINVAL; | |
5570 | goto err_free; | |
5571 | } | |
5572 | ||
23127b33 MKL |
5573 | if (!btf_name_by_offset(btf, linfo[i].line_off) || |
5574 | !btf_name_by_offset(btf, linfo[i].file_name_off)) { | |
c454a46b MKL |
5575 | verbose(env, "Invalid line_info[%u].line_off or .file_name_off\n", i); |
5576 | err = -EINVAL; | |
5577 | goto err_free; | |
5578 | } | |
5579 | ||
5580 | if (s != env->subprog_cnt) { | |
5581 | if (linfo[i].insn_off == sub[s].start) { | |
5582 | sub[s].linfo_idx = i; | |
5583 | s++; | |
5584 | } else if (sub[s].start < linfo[i].insn_off) { | |
5585 | verbose(env, "missing bpf_line_info for func#%u\n", s); | |
5586 | err = -EINVAL; | |
5587 | goto err_free; | |
5588 | } | |
5589 | } | |
5590 | ||
5591 | prev_offset = linfo[i].insn_off; | |
5592 | ulinfo += rec_size; | |
5593 | } | |
5594 | ||
5595 | if (s != env->subprog_cnt) { | |
5596 | verbose(env, "missing bpf_line_info for %u funcs starting from func#%u\n", | |
5597 | env->subprog_cnt - s, s); | |
5598 | err = -EINVAL; | |
5599 | goto err_free; | |
5600 | } | |
5601 | ||
5602 | prog->aux->linfo = linfo; | |
5603 | prog->aux->nr_linfo = nr_linfo; | |
5604 | ||
5605 | return 0; | |
5606 | ||
5607 | err_free: | |
5608 | kvfree(linfo); | |
5609 | return err; | |
5610 | } | |
5611 | ||
5612 | static int check_btf_info(struct bpf_verifier_env *env, | |
5613 | const union bpf_attr *attr, | |
5614 | union bpf_attr __user *uattr) | |
5615 | { | |
5616 | struct btf *btf; | |
5617 | int err; | |
5618 | ||
5619 | if (!attr->func_info_cnt && !attr->line_info_cnt) | |
5620 | return 0; | |
5621 | ||
5622 | btf = btf_get_by_fd(attr->prog_btf_fd); | |
5623 | if (IS_ERR(btf)) | |
5624 | return PTR_ERR(btf); | |
5625 | env->prog->aux->btf = btf; | |
5626 | ||
5627 | err = check_btf_func(env, attr, uattr); | |
5628 | if (err) | |
5629 | return err; | |
5630 | ||
5631 | err = check_btf_line(env, attr, uattr); | |
5632 | if (err) | |
5633 | return err; | |
5634 | ||
5635 | return 0; | |
ba64e7d8 YS |
5636 | } |
5637 | ||
f1174f77 EC |
5638 | /* check %cur's range satisfies %old's */ |
5639 | static bool range_within(struct bpf_reg_state *old, | |
5640 | struct bpf_reg_state *cur) | |
5641 | { | |
b03c9f9f EC |
5642 | return old->umin_value <= cur->umin_value && |
5643 | old->umax_value >= cur->umax_value && | |
5644 | old->smin_value <= cur->smin_value && | |
5645 | old->smax_value >= cur->smax_value; | |
f1174f77 EC |
5646 | } |
5647 | ||
5648 | /* Maximum number of register states that can exist at once */ | |
5649 | #define ID_MAP_SIZE (MAX_BPF_REG + MAX_BPF_STACK / BPF_REG_SIZE) | |
5650 | struct idpair { | |
5651 | u32 old; | |
5652 | u32 cur; | |
5653 | }; | |
5654 | ||
5655 | /* If in the old state two registers had the same id, then they need to have | |
5656 | * the same id in the new state as well. But that id could be different from | |
5657 | * the old state, so we need to track the mapping from old to new ids. | |
5658 | * Once we have seen that, say, a reg with old id 5 had new id 9, any subsequent | |
5659 | * regs with old id 5 must also have new id 9 for the new state to be safe. But | |
5660 | * regs with a different old id could still have new id 9, we don't care about | |
5661 | * that. | |
5662 | * So we look through our idmap to see if this old id has been seen before. If | |
5663 | * so, we require the new id to match; otherwise, we add the id pair to the map. | |
969bf05e | 5664 | */ |
f1174f77 | 5665 | static bool check_ids(u32 old_id, u32 cur_id, struct idpair *idmap) |
969bf05e | 5666 | { |
f1174f77 | 5667 | unsigned int i; |
969bf05e | 5668 | |
f1174f77 EC |
5669 | for (i = 0; i < ID_MAP_SIZE; i++) { |
5670 | if (!idmap[i].old) { | |
5671 | /* Reached an empty slot; haven't seen this id before */ | |
5672 | idmap[i].old = old_id; | |
5673 | idmap[i].cur = cur_id; | |
5674 | return true; | |
5675 | } | |
5676 | if (idmap[i].old == old_id) | |
5677 | return idmap[i].cur == cur_id; | |
5678 | } | |
5679 | /* We ran out of idmap slots, which should be impossible */ | |
5680 | WARN_ON_ONCE(1); | |
5681 | return false; | |
5682 | } | |
5683 | ||
9242b5f5 AS |
5684 | static void clean_func_state(struct bpf_verifier_env *env, |
5685 | struct bpf_func_state *st) | |
5686 | { | |
5687 | enum bpf_reg_liveness live; | |
5688 | int i, j; | |
5689 | ||
5690 | for (i = 0; i < BPF_REG_FP; i++) { | |
5691 | live = st->regs[i].live; | |
5692 | /* liveness must not touch this register anymore */ | |
5693 | st->regs[i].live |= REG_LIVE_DONE; | |
5694 | if (!(live & REG_LIVE_READ)) | |
5695 | /* since the register is unused, clear its state | |
5696 | * to make further comparison simpler | |
5697 | */ | |
5698 | __mark_reg_not_init(&st->regs[i]); | |
5699 | } | |
5700 | ||
5701 | for (i = 0; i < st->allocated_stack / BPF_REG_SIZE; i++) { | |
5702 | live = st->stack[i].spilled_ptr.live; | |
5703 | /* liveness must not touch this stack slot anymore */ | |
5704 | st->stack[i].spilled_ptr.live |= REG_LIVE_DONE; | |
5705 | if (!(live & REG_LIVE_READ)) { | |
5706 | __mark_reg_not_init(&st->stack[i].spilled_ptr); | |
5707 | for (j = 0; j < BPF_REG_SIZE; j++) | |
5708 | st->stack[i].slot_type[j] = STACK_INVALID; | |
5709 | } | |
5710 | } | |
5711 | } | |
5712 | ||
5713 | static void clean_verifier_state(struct bpf_verifier_env *env, | |
5714 | struct bpf_verifier_state *st) | |
5715 | { | |
5716 | int i; | |
5717 | ||
5718 | if (st->frame[0]->regs[0].live & REG_LIVE_DONE) | |
5719 | /* all regs in this state in all frames were already marked */ | |
5720 | return; | |
5721 | ||
5722 | for (i = 0; i <= st->curframe; i++) | |
5723 | clean_func_state(env, st->frame[i]); | |
5724 | } | |
5725 | ||
5726 | /* the parentage chains form a tree. | |
5727 | * the verifier states are added to state lists at given insn and | |
5728 | * pushed into state stack for future exploration. | |
5729 | * when the verifier reaches bpf_exit insn some of the verifer states | |
5730 | * stored in the state lists have their final liveness state already, | |
5731 | * but a lot of states will get revised from liveness point of view when | |
5732 | * the verifier explores other branches. | |
5733 | * Example: | |
5734 | * 1: r0 = 1 | |
5735 | * 2: if r1 == 100 goto pc+1 | |
5736 | * 3: r0 = 2 | |
5737 | * 4: exit | |
5738 | * when the verifier reaches exit insn the register r0 in the state list of | |
5739 | * insn 2 will be seen as !REG_LIVE_READ. Then the verifier pops the other_branch | |
5740 | * of insn 2 and goes exploring further. At the insn 4 it will walk the | |
5741 | * parentage chain from insn 4 into insn 2 and will mark r0 as REG_LIVE_READ. | |
5742 | * | |
5743 | * Since the verifier pushes the branch states as it sees them while exploring | |
5744 | * the program the condition of walking the branch instruction for the second | |
5745 | * time means that all states below this branch were already explored and | |
5746 | * their final liveness markes are already propagated. | |
5747 | * Hence when the verifier completes the search of state list in is_state_visited() | |
5748 | * we can call this clean_live_states() function to mark all liveness states | |
5749 | * as REG_LIVE_DONE to indicate that 'parent' pointers of 'struct bpf_reg_state' | |
5750 | * will not be used. | |
5751 | * This function also clears the registers and stack for states that !READ | |
5752 | * to simplify state merging. | |
5753 | * | |
5754 | * Important note here that walking the same branch instruction in the callee | |
5755 | * doesn't meant that the states are DONE. The verifier has to compare | |
5756 | * the callsites | |
5757 | */ | |
5758 | static void clean_live_states(struct bpf_verifier_env *env, int insn, | |
5759 | struct bpf_verifier_state *cur) | |
5760 | { | |
5761 | struct bpf_verifier_state_list *sl; | |
5762 | int i; | |
5763 | ||
5764 | sl = env->explored_states[insn]; | |
5765 | if (!sl) | |
5766 | return; | |
5767 | ||
5768 | while (sl != STATE_LIST_MARK) { | |
5769 | if (sl->state.curframe != cur->curframe) | |
5770 | goto next; | |
5771 | for (i = 0; i <= cur->curframe; i++) | |
5772 | if (sl->state.frame[i]->callsite != cur->frame[i]->callsite) | |
5773 | goto next; | |
5774 | clean_verifier_state(env, &sl->state); | |
5775 | next: | |
5776 | sl = sl->next; | |
5777 | } | |
5778 | } | |
5779 | ||
f1174f77 | 5780 | /* Returns true if (rold safe implies rcur safe) */ |
1b688a19 EC |
5781 | static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur, |
5782 | struct idpair *idmap) | |
f1174f77 | 5783 | { |
f4d7e40a AS |
5784 | bool equal; |
5785 | ||
dc503a8a EC |
5786 | if (!(rold->live & REG_LIVE_READ)) |
5787 | /* explored state didn't use this */ | |
5788 | return true; | |
5789 | ||
679c782d | 5790 | equal = memcmp(rold, rcur, offsetof(struct bpf_reg_state, parent)) == 0; |
f4d7e40a AS |
5791 | |
5792 | if (rold->type == PTR_TO_STACK) | |
5793 | /* two stack pointers are equal only if they're pointing to | |
5794 | * the same stack frame, since fp-8 in foo != fp-8 in bar | |
5795 | */ | |
5796 | return equal && rold->frameno == rcur->frameno; | |
5797 | ||
5798 | if (equal) | |
969bf05e AS |
5799 | return true; |
5800 | ||
f1174f77 EC |
5801 | if (rold->type == NOT_INIT) |
5802 | /* explored state can't have used this */ | |
969bf05e | 5803 | return true; |
f1174f77 EC |
5804 | if (rcur->type == NOT_INIT) |
5805 | return false; | |
5806 | switch (rold->type) { | |
5807 | case SCALAR_VALUE: | |
5808 | if (rcur->type == SCALAR_VALUE) { | |
5809 | /* new val must satisfy old val knowledge */ | |
5810 | return range_within(rold, rcur) && | |
5811 | tnum_in(rold->var_off, rcur->var_off); | |
5812 | } else { | |
179d1c56 JH |
5813 | /* We're trying to use a pointer in place of a scalar. |
5814 | * Even if the scalar was unbounded, this could lead to | |
5815 | * pointer leaks because scalars are allowed to leak | |
5816 | * while pointers are not. We could make this safe in | |
5817 | * special cases if root is calling us, but it's | |
5818 | * probably not worth the hassle. | |
f1174f77 | 5819 | */ |
179d1c56 | 5820 | return false; |
f1174f77 EC |
5821 | } |
5822 | case PTR_TO_MAP_VALUE: | |
1b688a19 EC |
5823 | /* If the new min/max/var_off satisfy the old ones and |
5824 | * everything else matches, we are OK. | |
d83525ca AS |
5825 | * 'id' is not compared, since it's only used for maps with |
5826 | * bpf_spin_lock inside map element and in such cases if | |
5827 | * the rest of the prog is valid for one map element then | |
5828 | * it's valid for all map elements regardless of the key | |
5829 | * used in bpf_map_lookup() | |
1b688a19 EC |
5830 | */ |
5831 | return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 && | |
5832 | range_within(rold, rcur) && | |
5833 | tnum_in(rold->var_off, rcur->var_off); | |
f1174f77 EC |
5834 | case PTR_TO_MAP_VALUE_OR_NULL: |
5835 | /* a PTR_TO_MAP_VALUE could be safe to use as a | |
5836 | * PTR_TO_MAP_VALUE_OR_NULL into the same map. | |
5837 | * However, if the old PTR_TO_MAP_VALUE_OR_NULL then got NULL- | |
5838 | * checked, doing so could have affected others with the same | |
5839 | * id, and we can't check for that because we lost the id when | |
5840 | * we converted to a PTR_TO_MAP_VALUE. | |
5841 | */ | |
5842 | if (rcur->type != PTR_TO_MAP_VALUE_OR_NULL) | |
5843 | return false; | |
5844 | if (memcmp(rold, rcur, offsetof(struct bpf_reg_state, id))) | |
5845 | return false; | |
5846 | /* Check our ids match any regs they're supposed to */ | |
5847 | return check_ids(rold->id, rcur->id, idmap); | |
de8f3a83 | 5848 | case PTR_TO_PACKET_META: |
f1174f77 | 5849 | case PTR_TO_PACKET: |
de8f3a83 | 5850 | if (rcur->type != rold->type) |
f1174f77 EC |
5851 | return false; |
5852 | /* We must have at least as much range as the old ptr | |
5853 | * did, so that any accesses which were safe before are | |
5854 | * still safe. This is true even if old range < old off, | |
5855 | * since someone could have accessed through (ptr - k), or | |
5856 | * even done ptr -= k in a register, to get a safe access. | |
5857 | */ | |
5858 | if (rold->range > rcur->range) | |
5859 | return false; | |
5860 | /* If the offsets don't match, we can't trust our alignment; | |
5861 | * nor can we be sure that we won't fall out of range. | |
5862 | */ | |
5863 | if (rold->off != rcur->off) | |
5864 | return false; | |
5865 | /* id relations must be preserved */ | |
5866 | if (rold->id && !check_ids(rold->id, rcur->id, idmap)) | |
5867 | return false; | |
5868 | /* new val must satisfy old val knowledge */ | |
5869 | return range_within(rold, rcur) && | |
5870 | tnum_in(rold->var_off, rcur->var_off); | |
5871 | case PTR_TO_CTX: | |
5872 | case CONST_PTR_TO_MAP: | |
f1174f77 | 5873 | case PTR_TO_PACKET_END: |
d58e468b | 5874 | case PTR_TO_FLOW_KEYS: |
c64b7983 JS |
5875 | case PTR_TO_SOCKET: |
5876 | case PTR_TO_SOCKET_OR_NULL: | |
46f8bc92 MKL |
5877 | case PTR_TO_SOCK_COMMON: |
5878 | case PTR_TO_SOCK_COMMON_OR_NULL: | |
655a51e5 MKL |
5879 | case PTR_TO_TCP_SOCK: |
5880 | case PTR_TO_TCP_SOCK_OR_NULL: | |
f1174f77 EC |
5881 | /* Only valid matches are exact, which memcmp() above |
5882 | * would have accepted | |
5883 | */ | |
5884 | default: | |
5885 | /* Don't know what's going on, just say it's not safe */ | |
5886 | return false; | |
5887 | } | |
969bf05e | 5888 | |
f1174f77 EC |
5889 | /* Shouldn't get here; if we do, say it's not safe */ |
5890 | WARN_ON_ONCE(1); | |
969bf05e AS |
5891 | return false; |
5892 | } | |
5893 | ||
f4d7e40a AS |
5894 | static bool stacksafe(struct bpf_func_state *old, |
5895 | struct bpf_func_state *cur, | |
638f5b90 AS |
5896 | struct idpair *idmap) |
5897 | { | |
5898 | int i, spi; | |
5899 | ||
638f5b90 AS |
5900 | /* walk slots of the explored stack and ignore any additional |
5901 | * slots in the current stack, since explored(safe) state | |
5902 | * didn't use them | |
5903 | */ | |
5904 | for (i = 0; i < old->allocated_stack; i++) { | |
5905 | spi = i / BPF_REG_SIZE; | |
5906 | ||
b233920c AS |
5907 | if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)) { |
5908 | i += BPF_REG_SIZE - 1; | |
cc2b14d5 | 5909 | /* explored state didn't use this */ |
fd05e57b | 5910 | continue; |
b233920c | 5911 | } |
cc2b14d5 | 5912 | |
638f5b90 AS |
5913 | if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_INVALID) |
5914 | continue; | |
19e2dbb7 AS |
5915 | |
5916 | /* explored stack has more populated slots than current stack | |
5917 | * and these slots were used | |
5918 | */ | |
5919 | if (i >= cur->allocated_stack) | |
5920 | return false; | |
5921 | ||
cc2b14d5 AS |
5922 | /* if old state was safe with misc data in the stack |
5923 | * it will be safe with zero-initialized stack. | |
5924 | * The opposite is not true | |
5925 | */ | |
5926 | if (old->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_MISC && | |
5927 | cur->stack[spi].slot_type[i % BPF_REG_SIZE] == STACK_ZERO) | |
5928 | continue; | |
638f5b90 AS |
5929 | if (old->stack[spi].slot_type[i % BPF_REG_SIZE] != |
5930 | cur->stack[spi].slot_type[i % BPF_REG_SIZE]) | |
5931 | /* Ex: old explored (safe) state has STACK_SPILL in | |
5932 | * this stack slot, but current has has STACK_MISC -> | |
5933 | * this verifier states are not equivalent, | |
5934 | * return false to continue verification of this path | |
5935 | */ | |
5936 | return false; | |
5937 | if (i % BPF_REG_SIZE) | |
5938 | continue; | |
5939 | if (old->stack[spi].slot_type[0] != STACK_SPILL) | |
5940 | continue; | |
5941 | if (!regsafe(&old->stack[spi].spilled_ptr, | |
5942 | &cur->stack[spi].spilled_ptr, | |
5943 | idmap)) | |
5944 | /* when explored and current stack slot are both storing | |
5945 | * spilled registers, check that stored pointers types | |
5946 | * are the same as well. | |
5947 | * Ex: explored safe path could have stored | |
5948 | * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -8} | |
5949 | * but current path has stored: | |
5950 | * (bpf_reg_state) {.type = PTR_TO_STACK, .off = -16} | |
5951 | * such verifier states are not equivalent. | |
5952 | * return false to continue verification of this path | |
5953 | */ | |
5954 | return false; | |
5955 | } | |
5956 | return true; | |
5957 | } | |
5958 | ||
fd978bf7 JS |
5959 | static bool refsafe(struct bpf_func_state *old, struct bpf_func_state *cur) |
5960 | { | |
5961 | if (old->acquired_refs != cur->acquired_refs) | |
5962 | return false; | |
5963 | return !memcmp(old->refs, cur->refs, | |
5964 | sizeof(*old->refs) * old->acquired_refs); | |
5965 | } | |
5966 | ||
f1bca824 AS |
5967 | /* compare two verifier states |
5968 | * | |
5969 | * all states stored in state_list are known to be valid, since | |
5970 | * verifier reached 'bpf_exit' instruction through them | |
5971 | * | |
5972 | * this function is called when verifier exploring different branches of | |
5973 | * execution popped from the state stack. If it sees an old state that has | |
5974 | * more strict register state and more strict stack state then this execution | |
5975 | * branch doesn't need to be explored further, since verifier already | |
5976 | * concluded that more strict state leads to valid finish. | |
5977 | * | |
5978 | * Therefore two states are equivalent if register state is more conservative | |
5979 | * and explored stack state is more conservative than the current one. | |
5980 | * Example: | |
5981 | * explored current | |
5982 | * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC) | |
5983 | * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC) | |
5984 | * | |
5985 | * In other words if current stack state (one being explored) has more | |
5986 | * valid slots than old one that already passed validation, it means | |
5987 | * the verifier can stop exploring and conclude that current state is valid too | |
5988 | * | |
5989 | * Similarly with registers. If explored state has register type as invalid | |
5990 | * whereas register type in current state is meaningful, it means that | |
5991 | * the current state will reach 'bpf_exit' instruction safely | |
5992 | */ | |
f4d7e40a AS |
5993 | static bool func_states_equal(struct bpf_func_state *old, |
5994 | struct bpf_func_state *cur) | |
f1bca824 | 5995 | { |
f1174f77 EC |
5996 | struct idpair *idmap; |
5997 | bool ret = false; | |
f1bca824 AS |
5998 | int i; |
5999 | ||
f1174f77 EC |
6000 | idmap = kcalloc(ID_MAP_SIZE, sizeof(struct idpair), GFP_KERNEL); |
6001 | /* If we failed to allocate the idmap, just say it's not safe */ | |
6002 | if (!idmap) | |
1a0dc1ac | 6003 | return false; |
f1174f77 EC |
6004 | |
6005 | for (i = 0; i < MAX_BPF_REG; i++) { | |
1b688a19 | 6006 | if (!regsafe(&old->regs[i], &cur->regs[i], idmap)) |
f1174f77 | 6007 | goto out_free; |
f1bca824 AS |
6008 | } |
6009 | ||
638f5b90 AS |
6010 | if (!stacksafe(old, cur, idmap)) |
6011 | goto out_free; | |
fd978bf7 JS |
6012 | |
6013 | if (!refsafe(old, cur)) | |
6014 | goto out_free; | |
f1174f77 EC |
6015 | ret = true; |
6016 | out_free: | |
6017 | kfree(idmap); | |
6018 | return ret; | |
f1bca824 AS |
6019 | } |
6020 | ||
f4d7e40a AS |
6021 | static bool states_equal(struct bpf_verifier_env *env, |
6022 | struct bpf_verifier_state *old, | |
6023 | struct bpf_verifier_state *cur) | |
6024 | { | |
6025 | int i; | |
6026 | ||
6027 | if (old->curframe != cur->curframe) | |
6028 | return false; | |
6029 | ||
979d63d5 DB |
6030 | /* Verification state from speculative execution simulation |
6031 | * must never prune a non-speculative execution one. | |
6032 | */ | |
6033 | if (old->speculative && !cur->speculative) | |
6034 | return false; | |
6035 | ||
d83525ca AS |
6036 | if (old->active_spin_lock != cur->active_spin_lock) |
6037 | return false; | |
6038 | ||
f4d7e40a AS |
6039 | /* for states to be equal callsites have to be the same |
6040 | * and all frame states need to be equivalent | |
6041 | */ | |
6042 | for (i = 0; i <= old->curframe; i++) { | |
6043 | if (old->frame[i]->callsite != cur->frame[i]->callsite) | |
6044 | return false; | |
6045 | if (!func_states_equal(old->frame[i], cur->frame[i])) | |
6046 | return false; | |
6047 | } | |
6048 | return true; | |
6049 | } | |
6050 | ||
8e9cd9ce | 6051 | /* A write screens off any subsequent reads; but write marks come from the |
f4d7e40a AS |
6052 | * straight-line code between a state and its parent. When we arrive at an |
6053 | * equivalent state (jump target or such) we didn't arrive by the straight-line | |
6054 | * code, so read marks in the state must propagate to the parent regardless | |
6055 | * of the state's write marks. That's what 'parent == state->parent' comparison | |
679c782d | 6056 | * in mark_reg_read() is for. |
8e9cd9ce | 6057 | */ |
f4d7e40a AS |
6058 | static int propagate_liveness(struct bpf_verifier_env *env, |
6059 | const struct bpf_verifier_state *vstate, | |
6060 | struct bpf_verifier_state *vparent) | |
dc503a8a | 6061 | { |
f4d7e40a AS |
6062 | int i, frame, err = 0; |
6063 | struct bpf_func_state *state, *parent; | |
dc503a8a | 6064 | |
f4d7e40a AS |
6065 | if (vparent->curframe != vstate->curframe) { |
6066 | WARN(1, "propagate_live: parent frame %d current frame %d\n", | |
6067 | vparent->curframe, vstate->curframe); | |
6068 | return -EFAULT; | |
6069 | } | |
dc503a8a EC |
6070 | /* Propagate read liveness of registers... */ |
6071 | BUILD_BUG_ON(BPF_REG_FP + 1 != MAX_BPF_REG); | |
6072 | /* We don't need to worry about FP liveness because it's read-only */ | |
6073 | for (i = 0; i < BPF_REG_FP; i++) { | |
f4d7e40a | 6074 | if (vparent->frame[vparent->curframe]->regs[i].live & REG_LIVE_READ) |
63f45f84 | 6075 | continue; |
f4d7e40a | 6076 | if (vstate->frame[vstate->curframe]->regs[i].live & REG_LIVE_READ) { |
679c782d EC |
6077 | err = mark_reg_read(env, &vstate->frame[vstate->curframe]->regs[i], |
6078 | &vparent->frame[vstate->curframe]->regs[i]); | |
f4d7e40a AS |
6079 | if (err) |
6080 | return err; | |
dc503a8a EC |
6081 | } |
6082 | } | |
f4d7e40a | 6083 | |
dc503a8a | 6084 | /* ... and stack slots */ |
f4d7e40a AS |
6085 | for (frame = 0; frame <= vstate->curframe; frame++) { |
6086 | state = vstate->frame[frame]; | |
6087 | parent = vparent->frame[frame]; | |
6088 | for (i = 0; i < state->allocated_stack / BPF_REG_SIZE && | |
6089 | i < parent->allocated_stack / BPF_REG_SIZE; i++) { | |
f4d7e40a AS |
6090 | if (parent->stack[i].spilled_ptr.live & REG_LIVE_READ) |
6091 | continue; | |
6092 | if (state->stack[i].spilled_ptr.live & REG_LIVE_READ) | |
679c782d EC |
6093 | mark_reg_read(env, &state->stack[i].spilled_ptr, |
6094 | &parent->stack[i].spilled_ptr); | |
dc503a8a EC |
6095 | } |
6096 | } | |
f4d7e40a | 6097 | return err; |
dc503a8a EC |
6098 | } |
6099 | ||
58e2af8b | 6100 | static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) |
f1bca824 | 6101 | { |
58e2af8b JK |
6102 | struct bpf_verifier_state_list *new_sl; |
6103 | struct bpf_verifier_state_list *sl; | |
679c782d | 6104 | struct bpf_verifier_state *cur = env->cur_state, *new; |
ceefbc96 | 6105 | int i, j, err, states_cnt = 0; |
f1bca824 AS |
6106 | |
6107 | sl = env->explored_states[insn_idx]; | |
6108 | if (!sl) | |
6109 | /* this 'insn_idx' instruction wasn't marked, so we will not | |
6110 | * be doing state search here | |
6111 | */ | |
6112 | return 0; | |
6113 | ||
9242b5f5 AS |
6114 | clean_live_states(env, insn_idx, cur); |
6115 | ||
f1bca824 | 6116 | while (sl != STATE_LIST_MARK) { |
638f5b90 | 6117 | if (states_equal(env, &sl->state, cur)) { |
f1bca824 | 6118 | /* reached equivalent register/stack state, |
dc503a8a EC |
6119 | * prune the search. |
6120 | * Registers read by the continuation are read by us. | |
8e9cd9ce EC |
6121 | * If we have any write marks in env->cur_state, they |
6122 | * will prevent corresponding reads in the continuation | |
6123 | * from reaching our parent (an explored_state). Our | |
6124 | * own state will get the read marks recorded, but | |
6125 | * they'll be immediately forgotten as we're pruning | |
6126 | * this state and will pop a new one. | |
f1bca824 | 6127 | */ |
f4d7e40a AS |
6128 | err = propagate_liveness(env, &sl->state, cur); |
6129 | if (err) | |
6130 | return err; | |
f1bca824 | 6131 | return 1; |
dc503a8a | 6132 | } |
f1bca824 | 6133 | sl = sl->next; |
ceefbc96 | 6134 | states_cnt++; |
f1bca824 AS |
6135 | } |
6136 | ||
ceefbc96 AS |
6137 | if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES) |
6138 | return 0; | |
6139 | ||
f1bca824 AS |
6140 | /* there were no equivalent states, remember current one. |
6141 | * technically the current state is not proven to be safe yet, | |
f4d7e40a AS |
6142 | * but it will either reach outer most bpf_exit (which means it's safe) |
6143 | * or it will be rejected. Since there are no loops, we won't be | |
6144 | * seeing this tuple (frame[0].callsite, frame[1].callsite, .. insn_idx) | |
6145 | * again on the way to bpf_exit | |
f1bca824 | 6146 | */ |
638f5b90 | 6147 | new_sl = kzalloc(sizeof(struct bpf_verifier_state_list), GFP_KERNEL); |
f1bca824 AS |
6148 | if (!new_sl) |
6149 | return -ENOMEM; | |
6150 | ||
6151 | /* add new state to the head of linked list */ | |
679c782d EC |
6152 | new = &new_sl->state; |
6153 | err = copy_verifier_state(new, cur); | |
1969db47 | 6154 | if (err) { |
679c782d | 6155 | free_verifier_state(new, false); |
1969db47 AS |
6156 | kfree(new_sl); |
6157 | return err; | |
6158 | } | |
f1bca824 AS |
6159 | new_sl->next = env->explored_states[insn_idx]; |
6160 | env->explored_states[insn_idx] = new_sl; | |
7640ead9 JK |
6161 | /* connect new state to parentage chain. Current frame needs all |
6162 | * registers connected. Only r6 - r9 of the callers are alive (pushed | |
6163 | * to the stack implicitly by JITs) so in callers' frames connect just | |
6164 | * r6 - r9 as an optimization. Callers will have r1 - r5 connected to | |
6165 | * the state of the call instruction (with WRITTEN set), and r0 comes | |
6166 | * from callee with its full parentage chain, anyway. | |
6167 | */ | |
6168 | for (j = 0; j <= cur->curframe; j++) | |
6169 | for (i = j < cur->curframe ? BPF_REG_6 : 0; i < BPF_REG_FP; i++) | |
6170 | cur->frame[j]->regs[i].parent = &new->frame[j]->regs[i]; | |
8e9cd9ce EC |
6171 | /* clear write marks in current state: the writes we did are not writes |
6172 | * our child did, so they don't screen off its reads from us. | |
6173 | * (There are no read marks in current state, because reads always mark | |
6174 | * their parent and current state never has children yet. Only | |
6175 | * explored_states can get read marks.) | |
6176 | */ | |
dc503a8a | 6177 | for (i = 0; i < BPF_REG_FP; i++) |
f4d7e40a AS |
6178 | cur->frame[cur->curframe]->regs[i].live = REG_LIVE_NONE; |
6179 | ||
6180 | /* all stack frames are accessible from callee, clear them all */ | |
6181 | for (j = 0; j <= cur->curframe; j++) { | |
6182 | struct bpf_func_state *frame = cur->frame[j]; | |
679c782d | 6183 | struct bpf_func_state *newframe = new->frame[j]; |
f4d7e40a | 6184 | |
679c782d | 6185 | for (i = 0; i < frame->allocated_stack / BPF_REG_SIZE; i++) { |
cc2b14d5 | 6186 | frame->stack[i].spilled_ptr.live = REG_LIVE_NONE; |
679c782d EC |
6187 | frame->stack[i].spilled_ptr.parent = |
6188 | &newframe->stack[i].spilled_ptr; | |
6189 | } | |
f4d7e40a | 6190 | } |
f1bca824 AS |
6191 | return 0; |
6192 | } | |
6193 | ||
c64b7983 JS |
6194 | /* Return true if it's OK to have the same insn return a different type. */ |
6195 | static bool reg_type_mismatch_ok(enum bpf_reg_type type) | |
6196 | { | |
6197 | switch (type) { | |
6198 | case PTR_TO_CTX: | |
6199 | case PTR_TO_SOCKET: | |
6200 | case PTR_TO_SOCKET_OR_NULL: | |
46f8bc92 MKL |
6201 | case PTR_TO_SOCK_COMMON: |
6202 | case PTR_TO_SOCK_COMMON_OR_NULL: | |
655a51e5 MKL |
6203 | case PTR_TO_TCP_SOCK: |
6204 | case PTR_TO_TCP_SOCK_OR_NULL: | |
c64b7983 JS |
6205 | return false; |
6206 | default: | |
6207 | return true; | |
6208 | } | |
6209 | } | |
6210 | ||
6211 | /* If an instruction was previously used with particular pointer types, then we | |
6212 | * need to be careful to avoid cases such as the below, where it may be ok | |
6213 | * for one branch accessing the pointer, but not ok for the other branch: | |
6214 | * | |
6215 | * R1 = sock_ptr | |
6216 | * goto X; | |
6217 | * ... | |
6218 | * R1 = some_other_valid_ptr; | |
6219 | * goto X; | |
6220 | * ... | |
6221 | * R2 = *(u32 *)(R1 + 0); | |
6222 | */ | |
6223 | static bool reg_type_mismatch(enum bpf_reg_type src, enum bpf_reg_type prev) | |
6224 | { | |
6225 | return src != prev && (!reg_type_mismatch_ok(src) || | |
6226 | !reg_type_mismatch_ok(prev)); | |
6227 | } | |
6228 | ||
58e2af8b | 6229 | static int do_check(struct bpf_verifier_env *env) |
17a52670 | 6230 | { |
638f5b90 | 6231 | struct bpf_verifier_state *state; |
17a52670 | 6232 | struct bpf_insn *insns = env->prog->insnsi; |
638f5b90 | 6233 | struct bpf_reg_state *regs; |
f4d7e40a | 6234 | int insn_cnt = env->prog->len, i; |
17a52670 AS |
6235 | int insn_processed = 0; |
6236 | bool do_print_state = false; | |
6237 | ||
d9762e84 MKL |
6238 | env->prev_linfo = NULL; |
6239 | ||
638f5b90 AS |
6240 | state = kzalloc(sizeof(struct bpf_verifier_state), GFP_KERNEL); |
6241 | if (!state) | |
6242 | return -ENOMEM; | |
f4d7e40a | 6243 | state->curframe = 0; |
979d63d5 | 6244 | state->speculative = false; |
f4d7e40a AS |
6245 | state->frame[0] = kzalloc(sizeof(struct bpf_func_state), GFP_KERNEL); |
6246 | if (!state->frame[0]) { | |
6247 | kfree(state); | |
6248 | return -ENOMEM; | |
6249 | } | |
6250 | env->cur_state = state; | |
6251 | init_func_state(env, state->frame[0], | |
6252 | BPF_MAIN_FUNC /* callsite */, | |
6253 | 0 /* frameno */, | |
6254 | 0 /* subprogno, zero == main subprog */); | |
c08435ec | 6255 | |
17a52670 AS |
6256 | for (;;) { |
6257 | struct bpf_insn *insn; | |
6258 | u8 class; | |
6259 | int err; | |
6260 | ||
c08435ec | 6261 | if (env->insn_idx >= insn_cnt) { |
61bd5218 | 6262 | verbose(env, "invalid insn idx %d insn_cnt %d\n", |
c08435ec | 6263 | env->insn_idx, insn_cnt); |
17a52670 AS |
6264 | return -EFAULT; |
6265 | } | |
6266 | ||
c08435ec | 6267 | insn = &insns[env->insn_idx]; |
17a52670 AS |
6268 | class = BPF_CLASS(insn->code); |
6269 | ||
07016151 | 6270 | if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) { |
61bd5218 JK |
6271 | verbose(env, |
6272 | "BPF program is too large. Processed %d insn\n", | |
17a52670 AS |
6273 | insn_processed); |
6274 | return -E2BIG; | |
6275 | } | |
6276 | ||
c08435ec | 6277 | err = is_state_visited(env, env->insn_idx); |
f1bca824 AS |
6278 | if (err < 0) |
6279 | return err; | |
6280 | if (err == 1) { | |
6281 | /* found equivalent state, can prune the search */ | |
61bd5218 | 6282 | if (env->log.level) { |
f1bca824 | 6283 | if (do_print_state) |
979d63d5 DB |
6284 | verbose(env, "\nfrom %d to %d%s: safe\n", |
6285 | env->prev_insn_idx, env->insn_idx, | |
6286 | env->cur_state->speculative ? | |
6287 | " (speculative execution)" : ""); | |
f1bca824 | 6288 | else |
c08435ec | 6289 | verbose(env, "%d: safe\n", env->insn_idx); |
f1bca824 AS |
6290 | } |
6291 | goto process_bpf_exit; | |
6292 | } | |
6293 | ||
c3494801 AS |
6294 | if (signal_pending(current)) |
6295 | return -EAGAIN; | |
6296 | ||
3c2ce60b DB |
6297 | if (need_resched()) |
6298 | cond_resched(); | |
6299 | ||
61bd5218 JK |
6300 | if (env->log.level > 1 || (env->log.level && do_print_state)) { |
6301 | if (env->log.level > 1) | |
c08435ec | 6302 | verbose(env, "%d:", env->insn_idx); |
c5fc9692 | 6303 | else |
979d63d5 DB |
6304 | verbose(env, "\nfrom %d to %d%s:", |
6305 | env->prev_insn_idx, env->insn_idx, | |
6306 | env->cur_state->speculative ? | |
6307 | " (speculative execution)" : ""); | |
f4d7e40a | 6308 | print_verifier_state(env, state->frame[state->curframe]); |
17a52670 AS |
6309 | do_print_state = false; |
6310 | } | |
6311 | ||
61bd5218 | 6312 | if (env->log.level) { |
7105e828 DB |
6313 | const struct bpf_insn_cbs cbs = { |
6314 | .cb_print = verbose, | |
abe08840 | 6315 | .private_data = env, |
7105e828 DB |
6316 | }; |
6317 | ||
c08435ec DB |
6318 | verbose_linfo(env, env->insn_idx, "; "); |
6319 | verbose(env, "%d: ", env->insn_idx); | |
abe08840 | 6320 | print_bpf_insn(&cbs, insn, env->allow_ptr_leaks); |
17a52670 AS |
6321 | } |
6322 | ||
cae1927c | 6323 | if (bpf_prog_is_dev_bound(env->prog->aux)) { |
c08435ec DB |
6324 | err = bpf_prog_offload_verify_insn(env, env->insn_idx, |
6325 | env->prev_insn_idx); | |
cae1927c JK |
6326 | if (err) |
6327 | return err; | |
6328 | } | |
13a27dfc | 6329 | |
638f5b90 | 6330 | regs = cur_regs(env); |
c08435ec | 6331 | env->insn_aux_data[env->insn_idx].seen = true; |
fd978bf7 | 6332 | |
17a52670 | 6333 | if (class == BPF_ALU || class == BPF_ALU64) { |
1be7f75d | 6334 | err = check_alu_op(env, insn); |
17a52670 AS |
6335 | if (err) |
6336 | return err; | |
6337 | ||
6338 | } else if (class == BPF_LDX) { | |
3df126f3 | 6339 | enum bpf_reg_type *prev_src_type, src_reg_type; |
9bac3d6d AS |
6340 | |
6341 | /* check for reserved fields is already done */ | |
6342 | ||
17a52670 | 6343 | /* check src operand */ |
dc503a8a | 6344 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
6345 | if (err) |
6346 | return err; | |
6347 | ||
dc503a8a | 6348 | err = check_reg_arg(env, insn->dst_reg, DST_OP_NO_MARK); |
17a52670 AS |
6349 | if (err) |
6350 | return err; | |
6351 | ||
725f9dcd AS |
6352 | src_reg_type = regs[insn->src_reg].type; |
6353 | ||
17a52670 AS |
6354 | /* check that memory (src_reg + off) is readable, |
6355 | * the state of dst_reg will be updated by this func | |
6356 | */ | |
c08435ec DB |
6357 | err = check_mem_access(env, env->insn_idx, insn->src_reg, |
6358 | insn->off, BPF_SIZE(insn->code), | |
6359 | BPF_READ, insn->dst_reg, false); | |
17a52670 AS |
6360 | if (err) |
6361 | return err; | |
6362 | ||
c08435ec | 6363 | prev_src_type = &env->insn_aux_data[env->insn_idx].ptr_type; |
3df126f3 JK |
6364 | |
6365 | if (*prev_src_type == NOT_INIT) { | |
9bac3d6d AS |
6366 | /* saw a valid insn |
6367 | * dst_reg = *(u32 *)(src_reg + off) | |
3df126f3 | 6368 | * save type to validate intersecting paths |
9bac3d6d | 6369 | */ |
3df126f3 | 6370 | *prev_src_type = src_reg_type; |
9bac3d6d | 6371 | |
c64b7983 | 6372 | } else if (reg_type_mismatch(src_reg_type, *prev_src_type)) { |
9bac3d6d AS |
6373 | /* ABuser program is trying to use the same insn |
6374 | * dst_reg = *(u32*) (src_reg + off) | |
6375 | * with different pointer types: | |
6376 | * src_reg == ctx in one branch and | |
6377 | * src_reg == stack|map in some other branch. | |
6378 | * Reject it. | |
6379 | */ | |
61bd5218 | 6380 | verbose(env, "same insn cannot be used with different pointers\n"); |
9bac3d6d AS |
6381 | return -EINVAL; |
6382 | } | |
6383 | ||
17a52670 | 6384 | } else if (class == BPF_STX) { |
3df126f3 | 6385 | enum bpf_reg_type *prev_dst_type, dst_reg_type; |
d691f9e8 | 6386 | |
17a52670 | 6387 | if (BPF_MODE(insn->code) == BPF_XADD) { |
c08435ec | 6388 | err = check_xadd(env, env->insn_idx, insn); |
17a52670 AS |
6389 | if (err) |
6390 | return err; | |
c08435ec | 6391 | env->insn_idx++; |
17a52670 AS |
6392 | continue; |
6393 | } | |
6394 | ||
17a52670 | 6395 | /* check src1 operand */ |
dc503a8a | 6396 | err = check_reg_arg(env, insn->src_reg, SRC_OP); |
17a52670 AS |
6397 | if (err) |
6398 | return err; | |
6399 | /* check src2 operand */ | |
dc503a8a | 6400 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
6401 | if (err) |
6402 | return err; | |
6403 | ||
d691f9e8 AS |
6404 | dst_reg_type = regs[insn->dst_reg].type; |
6405 | ||
17a52670 | 6406 | /* check that memory (dst_reg + off) is writeable */ |
c08435ec DB |
6407 | err = check_mem_access(env, env->insn_idx, insn->dst_reg, |
6408 | insn->off, BPF_SIZE(insn->code), | |
6409 | BPF_WRITE, insn->src_reg, false); | |
17a52670 AS |
6410 | if (err) |
6411 | return err; | |
6412 | ||
c08435ec | 6413 | prev_dst_type = &env->insn_aux_data[env->insn_idx].ptr_type; |
3df126f3 JK |
6414 | |
6415 | if (*prev_dst_type == NOT_INIT) { | |
6416 | *prev_dst_type = dst_reg_type; | |
c64b7983 | 6417 | } else if (reg_type_mismatch(dst_reg_type, *prev_dst_type)) { |
61bd5218 | 6418 | verbose(env, "same insn cannot be used with different pointers\n"); |
d691f9e8 AS |
6419 | return -EINVAL; |
6420 | } | |
6421 | ||
17a52670 AS |
6422 | } else if (class == BPF_ST) { |
6423 | if (BPF_MODE(insn->code) != BPF_MEM || | |
6424 | insn->src_reg != BPF_REG_0) { | |
61bd5218 | 6425 | verbose(env, "BPF_ST uses reserved fields\n"); |
17a52670 AS |
6426 | return -EINVAL; |
6427 | } | |
6428 | /* check src operand */ | |
dc503a8a | 6429 | err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
17a52670 AS |
6430 | if (err) |
6431 | return err; | |
6432 | ||
f37a8cb8 | 6433 | if (is_ctx_reg(env, insn->dst_reg)) { |
9d2be44a | 6434 | verbose(env, "BPF_ST stores into R%d %s is not allowed\n", |
2a159c6f DB |
6435 | insn->dst_reg, |
6436 | reg_type_str[reg_state(env, insn->dst_reg)->type]); | |
f37a8cb8 DB |
6437 | return -EACCES; |
6438 | } | |
6439 | ||
17a52670 | 6440 | /* check that memory (dst_reg + off) is writeable */ |
c08435ec DB |
6441 | err = check_mem_access(env, env->insn_idx, insn->dst_reg, |
6442 | insn->off, BPF_SIZE(insn->code), | |
6443 | BPF_WRITE, -1, false); | |
17a52670 AS |
6444 | if (err) |
6445 | return err; | |
6446 | ||
092ed096 | 6447 | } else if (class == BPF_JMP || class == BPF_JMP32) { |
17a52670 AS |
6448 | u8 opcode = BPF_OP(insn->code); |
6449 | ||
6450 | if (opcode == BPF_CALL) { | |
6451 | if (BPF_SRC(insn->code) != BPF_K || | |
6452 | insn->off != 0 || | |
f4d7e40a AS |
6453 | (insn->src_reg != BPF_REG_0 && |
6454 | insn->src_reg != BPF_PSEUDO_CALL) || | |
092ed096 JW |
6455 | insn->dst_reg != BPF_REG_0 || |
6456 | class == BPF_JMP32) { | |
61bd5218 | 6457 | verbose(env, "BPF_CALL uses reserved fields\n"); |
17a52670 AS |
6458 | return -EINVAL; |
6459 | } | |
6460 | ||
d83525ca AS |
6461 | if (env->cur_state->active_spin_lock && |
6462 | (insn->src_reg == BPF_PSEUDO_CALL || | |
6463 | insn->imm != BPF_FUNC_spin_unlock)) { | |
6464 | verbose(env, "function calls are not allowed while holding a lock\n"); | |
6465 | return -EINVAL; | |
6466 | } | |
f4d7e40a | 6467 | if (insn->src_reg == BPF_PSEUDO_CALL) |
c08435ec | 6468 | err = check_func_call(env, insn, &env->insn_idx); |
f4d7e40a | 6469 | else |
c08435ec | 6470 | err = check_helper_call(env, insn->imm, env->insn_idx); |
17a52670 AS |
6471 | if (err) |
6472 | return err; | |
6473 | ||
6474 | } else if (opcode == BPF_JA) { | |
6475 | if (BPF_SRC(insn->code) != BPF_K || | |
6476 | insn->imm != 0 || | |
6477 | insn->src_reg != BPF_REG_0 || | |
092ed096 JW |
6478 | insn->dst_reg != BPF_REG_0 || |
6479 | class == BPF_JMP32) { | |
61bd5218 | 6480 | verbose(env, "BPF_JA uses reserved fields\n"); |
17a52670 AS |
6481 | return -EINVAL; |
6482 | } | |
6483 | ||
c08435ec | 6484 | env->insn_idx += insn->off + 1; |
17a52670 AS |
6485 | continue; |
6486 | ||
6487 | } else if (opcode == BPF_EXIT) { | |
6488 | if (BPF_SRC(insn->code) != BPF_K || | |
6489 | insn->imm != 0 || | |
6490 | insn->src_reg != BPF_REG_0 || | |
092ed096 JW |
6491 | insn->dst_reg != BPF_REG_0 || |
6492 | class == BPF_JMP32) { | |
61bd5218 | 6493 | verbose(env, "BPF_EXIT uses reserved fields\n"); |
17a52670 AS |
6494 | return -EINVAL; |
6495 | } | |
6496 | ||
d83525ca AS |
6497 | if (env->cur_state->active_spin_lock) { |
6498 | verbose(env, "bpf_spin_unlock is missing\n"); | |
6499 | return -EINVAL; | |
6500 | } | |
6501 | ||
f4d7e40a AS |
6502 | if (state->curframe) { |
6503 | /* exit from nested function */ | |
c08435ec DB |
6504 | env->prev_insn_idx = env->insn_idx; |
6505 | err = prepare_func_exit(env, &env->insn_idx); | |
f4d7e40a AS |
6506 | if (err) |
6507 | return err; | |
6508 | do_print_state = true; | |
6509 | continue; | |
6510 | } | |
6511 | ||
fd978bf7 JS |
6512 | err = check_reference_leak(env); |
6513 | if (err) | |
6514 | return err; | |
6515 | ||
17a52670 AS |
6516 | /* eBPF calling convetion is such that R0 is used |
6517 | * to return the value from eBPF program. | |
6518 | * Make sure that it's readable at this time | |
6519 | * of bpf_exit, which means that program wrote | |
6520 | * something into it earlier | |
6521 | */ | |
dc503a8a | 6522 | err = check_reg_arg(env, BPF_REG_0, SRC_OP); |
17a52670 AS |
6523 | if (err) |
6524 | return err; | |
6525 | ||
1be7f75d | 6526 | if (is_pointer_value(env, BPF_REG_0)) { |
61bd5218 | 6527 | verbose(env, "R0 leaks addr as return value\n"); |
1be7f75d AS |
6528 | return -EACCES; |
6529 | } | |
6530 | ||
390ee7e2 AS |
6531 | err = check_return_code(env); |
6532 | if (err) | |
6533 | return err; | |
f1bca824 | 6534 | process_bpf_exit: |
c08435ec DB |
6535 | err = pop_stack(env, &env->prev_insn_idx, |
6536 | &env->insn_idx); | |
638f5b90 AS |
6537 | if (err < 0) { |
6538 | if (err != -ENOENT) | |
6539 | return err; | |
17a52670 AS |
6540 | break; |
6541 | } else { | |
6542 | do_print_state = true; | |
6543 | continue; | |
6544 | } | |
6545 | } else { | |
c08435ec | 6546 | err = check_cond_jmp_op(env, insn, &env->insn_idx); |
17a52670 AS |
6547 | if (err) |
6548 | return err; | |
6549 | } | |
6550 | } else if (class == BPF_LD) { | |
6551 | u8 mode = BPF_MODE(insn->code); | |
6552 | ||
6553 | if (mode == BPF_ABS || mode == BPF_IND) { | |
ddd872bc AS |
6554 | err = check_ld_abs(env, insn); |
6555 | if (err) | |
6556 | return err; | |
6557 | ||
17a52670 AS |
6558 | } else if (mode == BPF_IMM) { |
6559 | err = check_ld_imm(env, insn); | |
6560 | if (err) | |
6561 | return err; | |
6562 | ||
c08435ec DB |
6563 | env->insn_idx++; |
6564 | env->insn_aux_data[env->insn_idx].seen = true; | |
17a52670 | 6565 | } else { |
61bd5218 | 6566 | verbose(env, "invalid BPF_LD mode\n"); |
17a52670 AS |
6567 | return -EINVAL; |
6568 | } | |
6569 | } else { | |
61bd5218 | 6570 | verbose(env, "unknown insn class %d\n", class); |
17a52670 AS |
6571 | return -EINVAL; |
6572 | } | |
6573 | ||
c08435ec | 6574 | env->insn_idx++; |
17a52670 AS |
6575 | } |
6576 | ||
4bd95f4b DB |
6577 | verbose(env, "processed %d insns (limit %d), stack depth ", |
6578 | insn_processed, BPF_COMPLEXITY_LIMIT_INSNS); | |
f910cefa | 6579 | for (i = 0; i < env->subprog_cnt; i++) { |
9c8105bd | 6580 | u32 depth = env->subprog_info[i].stack_depth; |
f4d7e40a AS |
6581 | |
6582 | verbose(env, "%d", depth); | |
f910cefa | 6583 | if (i + 1 < env->subprog_cnt) |
f4d7e40a AS |
6584 | verbose(env, "+"); |
6585 | } | |
6586 | verbose(env, "\n"); | |
9c8105bd | 6587 | env->prog->aux->stack_depth = env->subprog_info[0].stack_depth; |
17a52670 AS |
6588 | return 0; |
6589 | } | |
6590 | ||
56f668df MKL |
6591 | static int check_map_prealloc(struct bpf_map *map) |
6592 | { | |
6593 | return (map->map_type != BPF_MAP_TYPE_HASH && | |
bcc6b1b7 MKL |
6594 | map->map_type != BPF_MAP_TYPE_PERCPU_HASH && |
6595 | map->map_type != BPF_MAP_TYPE_HASH_OF_MAPS) || | |
56f668df MKL |
6596 | !(map->map_flags & BPF_F_NO_PREALLOC); |
6597 | } | |
6598 | ||
d83525ca AS |
6599 | static bool is_tracing_prog_type(enum bpf_prog_type type) |
6600 | { | |
6601 | switch (type) { | |
6602 | case BPF_PROG_TYPE_KPROBE: | |
6603 | case BPF_PROG_TYPE_TRACEPOINT: | |
6604 | case BPF_PROG_TYPE_PERF_EVENT: | |
6605 | case BPF_PROG_TYPE_RAW_TRACEPOINT: | |
6606 | return true; | |
6607 | default: | |
6608 | return false; | |
6609 | } | |
6610 | } | |
6611 | ||
61bd5218 JK |
6612 | static int check_map_prog_compatibility(struct bpf_verifier_env *env, |
6613 | struct bpf_map *map, | |
fdc15d38 AS |
6614 | struct bpf_prog *prog) |
6615 | ||
6616 | { | |
56f668df MKL |
6617 | /* Make sure that BPF_PROG_TYPE_PERF_EVENT programs only use |
6618 | * preallocated hash maps, since doing memory allocation | |
6619 | * in overflow_handler can crash depending on where nmi got | |
6620 | * triggered. | |
6621 | */ | |
6622 | if (prog->type == BPF_PROG_TYPE_PERF_EVENT) { | |
6623 | if (!check_map_prealloc(map)) { | |
61bd5218 | 6624 | verbose(env, "perf_event programs can only use preallocated hash map\n"); |
56f668df MKL |
6625 | return -EINVAL; |
6626 | } | |
6627 | if (map->inner_map_meta && | |
6628 | !check_map_prealloc(map->inner_map_meta)) { | |
61bd5218 | 6629 | verbose(env, "perf_event programs can only use preallocated inner hash map\n"); |
56f668df MKL |
6630 | return -EINVAL; |
6631 | } | |
fdc15d38 | 6632 | } |
a3884572 | 6633 | |
d83525ca AS |
6634 | if ((is_tracing_prog_type(prog->type) || |
6635 | prog->type == BPF_PROG_TYPE_SOCKET_FILTER) && | |
6636 | map_value_has_spin_lock(map)) { | |
6637 | verbose(env, "tracing progs cannot use bpf_spin_lock yet\n"); | |
6638 | return -EINVAL; | |
6639 | } | |
6640 | ||
a3884572 | 6641 | if ((bpf_prog_is_dev_bound(prog->aux) || bpf_map_is_dev_bound(map)) && |
09728266 | 6642 | !bpf_offload_prog_map_match(prog, map)) { |
a3884572 JK |
6643 | verbose(env, "offload device mismatch between prog and map\n"); |
6644 | return -EINVAL; | |
6645 | } | |
6646 | ||
fdc15d38 AS |
6647 | return 0; |
6648 | } | |
6649 | ||
b741f163 RG |
6650 | static bool bpf_map_is_cgroup_storage(struct bpf_map *map) |
6651 | { | |
6652 | return (map->map_type == BPF_MAP_TYPE_CGROUP_STORAGE || | |
6653 | map->map_type == BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE); | |
6654 | } | |
6655 | ||
0246e64d AS |
6656 | /* look for pseudo eBPF instructions that access map FDs and |
6657 | * replace them with actual map pointers | |
6658 | */ | |
58e2af8b | 6659 | static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env) |
0246e64d AS |
6660 | { |
6661 | struct bpf_insn *insn = env->prog->insnsi; | |
6662 | int insn_cnt = env->prog->len; | |
fdc15d38 | 6663 | int i, j, err; |
0246e64d | 6664 | |
f1f7714e | 6665 | err = bpf_prog_calc_tag(env->prog); |
aafe6ae9 DB |
6666 | if (err) |
6667 | return err; | |
6668 | ||
0246e64d | 6669 | for (i = 0; i < insn_cnt; i++, insn++) { |
9bac3d6d | 6670 | if (BPF_CLASS(insn->code) == BPF_LDX && |
d691f9e8 | 6671 | (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) { |
61bd5218 | 6672 | verbose(env, "BPF_LDX uses reserved fields\n"); |
9bac3d6d AS |
6673 | return -EINVAL; |
6674 | } | |
6675 | ||
d691f9e8 AS |
6676 | if (BPF_CLASS(insn->code) == BPF_STX && |
6677 | ((BPF_MODE(insn->code) != BPF_MEM && | |
6678 | BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) { | |
61bd5218 | 6679 | verbose(env, "BPF_STX uses reserved fields\n"); |
d691f9e8 AS |
6680 | return -EINVAL; |
6681 | } | |
6682 | ||
0246e64d AS |
6683 | if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) { |
6684 | struct bpf_map *map; | |
6685 | struct fd f; | |
6686 | ||
6687 | if (i == insn_cnt - 1 || insn[1].code != 0 || | |
6688 | insn[1].dst_reg != 0 || insn[1].src_reg != 0 || | |
6689 | insn[1].off != 0) { | |
61bd5218 | 6690 | verbose(env, "invalid bpf_ld_imm64 insn\n"); |
0246e64d AS |
6691 | return -EINVAL; |
6692 | } | |
6693 | ||
6694 | if (insn->src_reg == 0) | |
6695 | /* valid generic load 64-bit imm */ | |
6696 | goto next_insn; | |
6697 | ||
20182390 DB |
6698 | if (insn[0].src_reg != BPF_PSEUDO_MAP_FD || |
6699 | insn[1].imm != 0) { | |
6700 | verbose(env, "unrecognized bpf_ld_imm64 insn\n"); | |
0246e64d AS |
6701 | return -EINVAL; |
6702 | } | |
6703 | ||
20182390 | 6704 | f = fdget(insn[0].imm); |
c2101297 | 6705 | map = __bpf_map_get(f); |
0246e64d | 6706 | if (IS_ERR(map)) { |
61bd5218 | 6707 | verbose(env, "fd %d is not pointing to valid bpf_map\n", |
20182390 | 6708 | insn[0].imm); |
0246e64d AS |
6709 | return PTR_ERR(map); |
6710 | } | |
6711 | ||
61bd5218 | 6712 | err = check_map_prog_compatibility(env, map, env->prog); |
fdc15d38 AS |
6713 | if (err) { |
6714 | fdput(f); | |
6715 | return err; | |
6716 | } | |
6717 | ||
0246e64d AS |
6718 | /* store map pointer inside BPF_LD_IMM64 instruction */ |
6719 | insn[0].imm = (u32) (unsigned long) map; | |
6720 | insn[1].imm = ((u64) (unsigned long) map) >> 32; | |
6721 | ||
6722 | /* check whether we recorded this map already */ | |
6723 | for (j = 0; j < env->used_map_cnt; j++) | |
6724 | if (env->used_maps[j] == map) { | |
6725 | fdput(f); | |
6726 | goto next_insn; | |
6727 | } | |
6728 | ||
6729 | if (env->used_map_cnt >= MAX_USED_MAPS) { | |
6730 | fdput(f); | |
6731 | return -E2BIG; | |
6732 | } | |
6733 | ||
0246e64d AS |
6734 | /* hold the map. If the program is rejected by verifier, |
6735 | * the map will be released by release_maps() or it | |
6736 | * will be used by the valid program until it's unloaded | |
ab7f5bf0 | 6737 | * and all maps are released in free_used_maps() |
0246e64d | 6738 | */ |
92117d84 AS |
6739 | map = bpf_map_inc(map, false); |
6740 | if (IS_ERR(map)) { | |
6741 | fdput(f); | |
6742 | return PTR_ERR(map); | |
6743 | } | |
6744 | env->used_maps[env->used_map_cnt++] = map; | |
6745 | ||
b741f163 | 6746 | if (bpf_map_is_cgroup_storage(map) && |
de9cbbaa | 6747 | bpf_cgroup_storage_assign(env->prog, map)) { |
b741f163 | 6748 | verbose(env, "only one cgroup storage of each type is allowed\n"); |
de9cbbaa RG |
6749 | fdput(f); |
6750 | return -EBUSY; | |
6751 | } | |
6752 | ||
0246e64d AS |
6753 | fdput(f); |
6754 | next_insn: | |
6755 | insn++; | |
6756 | i++; | |
5e581dad DB |
6757 | continue; |
6758 | } | |
6759 | ||
6760 | /* Basic sanity check before we invest more work here. */ | |
6761 | if (!bpf_opcode_in_insntable(insn->code)) { | |
6762 | verbose(env, "unknown opcode %02x\n", insn->code); | |
6763 | return -EINVAL; | |
0246e64d AS |
6764 | } |
6765 | } | |
6766 | ||
6767 | /* now all pseudo BPF_LD_IMM64 instructions load valid | |
6768 | * 'struct bpf_map *' into a register instead of user map_fd. | |
6769 | * These pointers will be used later by verifier to validate map access. | |
6770 | */ | |
6771 | return 0; | |
6772 | } | |
6773 | ||
6774 | /* drop refcnt of maps used by the rejected program */ | |
58e2af8b | 6775 | static void release_maps(struct bpf_verifier_env *env) |
0246e64d | 6776 | { |
8bad74f9 | 6777 | enum bpf_cgroup_storage_type stype; |
0246e64d AS |
6778 | int i; |
6779 | ||
8bad74f9 RG |
6780 | for_each_cgroup_storage_type(stype) { |
6781 | if (!env->prog->aux->cgroup_storage[stype]) | |
6782 | continue; | |
de9cbbaa | 6783 | bpf_cgroup_storage_release(env->prog, |
8bad74f9 RG |
6784 | env->prog->aux->cgroup_storage[stype]); |
6785 | } | |
de9cbbaa | 6786 | |
0246e64d AS |
6787 | for (i = 0; i < env->used_map_cnt; i++) |
6788 | bpf_map_put(env->used_maps[i]); | |
6789 | } | |
6790 | ||
6791 | /* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */ | |
58e2af8b | 6792 | static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env) |
0246e64d AS |
6793 | { |
6794 | struct bpf_insn *insn = env->prog->insnsi; | |
6795 | int insn_cnt = env->prog->len; | |
6796 | int i; | |
6797 | ||
6798 | for (i = 0; i < insn_cnt; i++, insn++) | |
6799 | if (insn->code == (BPF_LD | BPF_IMM | BPF_DW)) | |
6800 | insn->src_reg = 0; | |
6801 | } | |
6802 | ||
8041902d AS |
6803 | /* single env->prog->insni[off] instruction was replaced with the range |
6804 | * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying | |
6805 | * [0, off) and [off, end) to new locations, so the patched range stays zero | |
6806 | */ | |
6807 | static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len, | |
6808 | u32 off, u32 cnt) | |
6809 | { | |
6810 | struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; | |
c131187d | 6811 | int i; |
8041902d AS |
6812 | |
6813 | if (cnt == 1) | |
6814 | return 0; | |
fad953ce KC |
6815 | new_data = vzalloc(array_size(prog_len, |
6816 | sizeof(struct bpf_insn_aux_data))); | |
8041902d AS |
6817 | if (!new_data) |
6818 | return -ENOMEM; | |
6819 | memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off); | |
6820 | memcpy(new_data + off + cnt - 1, old_data + off, | |
6821 | sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); | |
c131187d AS |
6822 | for (i = off; i < off + cnt - 1; i++) |
6823 | new_data[i].seen = true; | |
8041902d AS |
6824 | env->insn_aux_data = new_data; |
6825 | vfree(old_data); | |
6826 | return 0; | |
6827 | } | |
6828 | ||
cc8b0b92 AS |
6829 | static void adjust_subprog_starts(struct bpf_verifier_env *env, u32 off, u32 len) |
6830 | { | |
6831 | int i; | |
6832 | ||
6833 | if (len == 1) | |
6834 | return; | |
4cb3d99c JW |
6835 | /* NOTE: fake 'exit' subprog should be updated as well. */ |
6836 | for (i = 0; i <= env->subprog_cnt; i++) { | |
afd59424 | 6837 | if (env->subprog_info[i].start <= off) |
cc8b0b92 | 6838 | continue; |
9c8105bd | 6839 | env->subprog_info[i].start += len - 1; |
cc8b0b92 AS |
6840 | } |
6841 | } | |
6842 | ||
8041902d AS |
6843 | static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off, |
6844 | const struct bpf_insn *patch, u32 len) | |
6845 | { | |
6846 | struct bpf_prog *new_prog; | |
6847 | ||
6848 | new_prog = bpf_patch_insn_single(env->prog, off, patch, len); | |
6849 | if (!new_prog) | |
6850 | return NULL; | |
6851 | if (adjust_insn_aux_data(env, new_prog->len, off, len)) | |
6852 | return NULL; | |
cc8b0b92 | 6853 | adjust_subprog_starts(env, off, len); |
8041902d AS |
6854 | return new_prog; |
6855 | } | |
6856 | ||
52875a04 JK |
6857 | static int adjust_subprog_starts_after_remove(struct bpf_verifier_env *env, |
6858 | u32 off, u32 cnt) | |
6859 | { | |
6860 | int i, j; | |
6861 | ||
6862 | /* find first prog starting at or after off (first to remove) */ | |
6863 | for (i = 0; i < env->subprog_cnt; i++) | |
6864 | if (env->subprog_info[i].start >= off) | |
6865 | break; | |
6866 | /* find first prog starting at or after off + cnt (first to stay) */ | |
6867 | for (j = i; j < env->subprog_cnt; j++) | |
6868 | if (env->subprog_info[j].start >= off + cnt) | |
6869 | break; | |
6870 | /* if j doesn't start exactly at off + cnt, we are just removing | |
6871 | * the front of previous prog | |
6872 | */ | |
6873 | if (env->subprog_info[j].start != off + cnt) | |
6874 | j--; | |
6875 | ||
6876 | if (j > i) { | |
6877 | struct bpf_prog_aux *aux = env->prog->aux; | |
6878 | int move; | |
6879 | ||
6880 | /* move fake 'exit' subprog as well */ | |
6881 | move = env->subprog_cnt + 1 - j; | |
6882 | ||
6883 | memmove(env->subprog_info + i, | |
6884 | env->subprog_info + j, | |
6885 | sizeof(*env->subprog_info) * move); | |
6886 | env->subprog_cnt -= j - i; | |
6887 | ||
6888 | /* remove func_info */ | |
6889 | if (aux->func_info) { | |
6890 | move = aux->func_info_cnt - j; | |
6891 | ||
6892 | memmove(aux->func_info + i, | |
6893 | aux->func_info + j, | |
6894 | sizeof(*aux->func_info) * move); | |
6895 | aux->func_info_cnt -= j - i; | |
6896 | /* func_info->insn_off is set after all code rewrites, | |
6897 | * in adjust_btf_func() - no need to adjust | |
6898 | */ | |
6899 | } | |
6900 | } else { | |
6901 | /* convert i from "first prog to remove" to "first to adjust" */ | |
6902 | if (env->subprog_info[i].start == off) | |
6903 | i++; | |
6904 | } | |
6905 | ||
6906 | /* update fake 'exit' subprog as well */ | |
6907 | for (; i <= env->subprog_cnt; i++) | |
6908 | env->subprog_info[i].start -= cnt; | |
6909 | ||
6910 | return 0; | |
6911 | } | |
6912 | ||
6913 | static int bpf_adj_linfo_after_remove(struct bpf_verifier_env *env, u32 off, | |
6914 | u32 cnt) | |
6915 | { | |
6916 | struct bpf_prog *prog = env->prog; | |
6917 | u32 i, l_off, l_cnt, nr_linfo; | |
6918 | struct bpf_line_info *linfo; | |
6919 | ||
6920 | nr_linfo = prog->aux->nr_linfo; | |
6921 | if (!nr_linfo) | |
6922 | return 0; | |
6923 | ||
6924 | linfo = prog->aux->linfo; | |
6925 | ||
6926 | /* find first line info to remove, count lines to be removed */ | |
6927 | for (i = 0; i < nr_linfo; i++) | |
6928 | if (linfo[i].insn_off >= off) | |
6929 | break; | |
6930 | ||
6931 | l_off = i; | |
6932 | l_cnt = 0; | |
6933 | for (; i < nr_linfo; i++) | |
6934 | if (linfo[i].insn_off < off + cnt) | |
6935 | l_cnt++; | |
6936 | else | |
6937 | break; | |
6938 | ||
6939 | /* First live insn doesn't match first live linfo, it needs to "inherit" | |
6940 | * last removed linfo. prog is already modified, so prog->len == off | |
6941 | * means no live instructions after (tail of the program was removed). | |
6942 | */ | |
6943 | if (prog->len != off && l_cnt && | |
6944 | (i == nr_linfo || linfo[i].insn_off != off + cnt)) { | |
6945 | l_cnt--; | |
6946 | linfo[--i].insn_off = off + cnt; | |
6947 | } | |
6948 | ||
6949 | /* remove the line info which refer to the removed instructions */ | |
6950 | if (l_cnt) { | |
6951 | memmove(linfo + l_off, linfo + i, | |
6952 | sizeof(*linfo) * (nr_linfo - i)); | |
6953 | ||
6954 | prog->aux->nr_linfo -= l_cnt; | |
6955 | nr_linfo = prog->aux->nr_linfo; | |
6956 | } | |
6957 | ||
6958 | /* pull all linfo[i].insn_off >= off + cnt in by cnt */ | |
6959 | for (i = l_off; i < nr_linfo; i++) | |
6960 | linfo[i].insn_off -= cnt; | |
6961 | ||
6962 | /* fix up all subprogs (incl. 'exit') which start >= off */ | |
6963 | for (i = 0; i <= env->subprog_cnt; i++) | |
6964 | if (env->subprog_info[i].linfo_idx > l_off) { | |
6965 | /* program may have started in the removed region but | |
6966 | * may not be fully removed | |
6967 | */ | |
6968 | if (env->subprog_info[i].linfo_idx >= l_off + l_cnt) | |
6969 | env->subprog_info[i].linfo_idx -= l_cnt; | |
6970 | else | |
6971 | env->subprog_info[i].linfo_idx = l_off; | |
6972 | } | |
6973 | ||
6974 | return 0; | |
6975 | } | |
6976 | ||
6977 | static int verifier_remove_insns(struct bpf_verifier_env *env, u32 off, u32 cnt) | |
6978 | { | |
6979 | struct bpf_insn_aux_data *aux_data = env->insn_aux_data; | |
6980 | unsigned int orig_prog_len = env->prog->len; | |
6981 | int err; | |
6982 | ||
08ca90af JK |
6983 | if (bpf_prog_is_dev_bound(env->prog->aux)) |
6984 | bpf_prog_offload_remove_insns(env, off, cnt); | |
6985 | ||
52875a04 JK |
6986 | err = bpf_remove_insns(env->prog, off, cnt); |
6987 | if (err) | |
6988 | return err; | |
6989 | ||
6990 | err = adjust_subprog_starts_after_remove(env, off, cnt); | |
6991 | if (err) | |
6992 | return err; | |
6993 | ||
6994 | err = bpf_adj_linfo_after_remove(env, off, cnt); | |
6995 | if (err) | |
6996 | return err; | |
6997 | ||
6998 | memmove(aux_data + off, aux_data + off + cnt, | |
6999 | sizeof(*aux_data) * (orig_prog_len - off - cnt)); | |
7000 | ||
7001 | return 0; | |
7002 | } | |
7003 | ||
2a5418a1 DB |
7004 | /* The verifier does more data flow analysis than llvm and will not |
7005 | * explore branches that are dead at run time. Malicious programs can | |
7006 | * have dead code too. Therefore replace all dead at-run-time code | |
7007 | * with 'ja -1'. | |
7008 | * | |
7009 | * Just nops are not optimal, e.g. if they would sit at the end of the | |
7010 | * program and through another bug we would manage to jump there, then | |
7011 | * we'd execute beyond program memory otherwise. Returning exception | |
7012 | * code also wouldn't work since we can have subprogs where the dead | |
7013 | * code could be located. | |
c131187d AS |
7014 | */ |
7015 | static void sanitize_dead_code(struct bpf_verifier_env *env) | |
7016 | { | |
7017 | struct bpf_insn_aux_data *aux_data = env->insn_aux_data; | |
2a5418a1 | 7018 | struct bpf_insn trap = BPF_JMP_IMM(BPF_JA, 0, 0, -1); |
c131187d AS |
7019 | struct bpf_insn *insn = env->prog->insnsi; |
7020 | const int insn_cnt = env->prog->len; | |
7021 | int i; | |
7022 | ||
7023 | for (i = 0; i < insn_cnt; i++) { | |
7024 | if (aux_data[i].seen) | |
7025 | continue; | |
2a5418a1 | 7026 | memcpy(insn + i, &trap, sizeof(trap)); |
c131187d AS |
7027 | } |
7028 | } | |
7029 | ||
e2ae4ca2 JK |
7030 | static bool insn_is_cond_jump(u8 code) |
7031 | { | |
7032 | u8 op; | |
7033 | ||
092ed096 JW |
7034 | if (BPF_CLASS(code) == BPF_JMP32) |
7035 | return true; | |
7036 | ||
e2ae4ca2 JK |
7037 | if (BPF_CLASS(code) != BPF_JMP) |
7038 | return false; | |
7039 | ||
7040 | op = BPF_OP(code); | |
7041 | return op != BPF_JA && op != BPF_EXIT && op != BPF_CALL; | |
7042 | } | |
7043 | ||
7044 | static void opt_hard_wire_dead_code_branches(struct bpf_verifier_env *env) | |
7045 | { | |
7046 | struct bpf_insn_aux_data *aux_data = env->insn_aux_data; | |
7047 | struct bpf_insn ja = BPF_JMP_IMM(BPF_JA, 0, 0, 0); | |
7048 | struct bpf_insn *insn = env->prog->insnsi; | |
7049 | const int insn_cnt = env->prog->len; | |
7050 | int i; | |
7051 | ||
7052 | for (i = 0; i < insn_cnt; i++, insn++) { | |
7053 | if (!insn_is_cond_jump(insn->code)) | |
7054 | continue; | |
7055 | ||
7056 | if (!aux_data[i + 1].seen) | |
7057 | ja.off = insn->off; | |
7058 | else if (!aux_data[i + 1 + insn->off].seen) | |
7059 | ja.off = 0; | |
7060 | else | |
7061 | continue; | |
7062 | ||
08ca90af JK |
7063 | if (bpf_prog_is_dev_bound(env->prog->aux)) |
7064 | bpf_prog_offload_replace_insn(env, i, &ja); | |
7065 | ||
e2ae4ca2 JK |
7066 | memcpy(insn, &ja, sizeof(ja)); |
7067 | } | |
7068 | } | |
7069 | ||
52875a04 JK |
7070 | static int opt_remove_dead_code(struct bpf_verifier_env *env) |
7071 | { | |
7072 | struct bpf_insn_aux_data *aux_data = env->insn_aux_data; | |
7073 | int insn_cnt = env->prog->len; | |
7074 | int i, err; | |
7075 | ||
7076 | for (i = 0; i < insn_cnt; i++) { | |
7077 | int j; | |
7078 | ||
7079 | j = 0; | |
7080 | while (i + j < insn_cnt && !aux_data[i + j].seen) | |
7081 | j++; | |
7082 | if (!j) | |
7083 | continue; | |
7084 | ||
7085 | err = verifier_remove_insns(env, i, j); | |
7086 | if (err) | |
7087 | return err; | |
7088 | insn_cnt = env->prog->len; | |
7089 | } | |
7090 | ||
7091 | return 0; | |
7092 | } | |
7093 | ||
a1b14abc JK |
7094 | static int opt_remove_nops(struct bpf_verifier_env *env) |
7095 | { | |
7096 | const struct bpf_insn ja = BPF_JMP_IMM(BPF_JA, 0, 0, 0); | |
7097 | struct bpf_insn *insn = env->prog->insnsi; | |
7098 | int insn_cnt = env->prog->len; | |
7099 | int i, err; | |
7100 | ||
7101 | for (i = 0; i < insn_cnt; i++) { | |
7102 | if (memcmp(&insn[i], &ja, sizeof(ja))) | |
7103 | continue; | |
7104 | ||
7105 | err = verifier_remove_insns(env, i, 1); | |
7106 | if (err) | |
7107 | return err; | |
7108 | insn_cnt--; | |
7109 | i--; | |
7110 | } | |
7111 | ||
7112 | return 0; | |
7113 | } | |
7114 | ||
c64b7983 JS |
7115 | /* convert load instructions that access fields of a context type into a |
7116 | * sequence of instructions that access fields of the underlying structure: | |
7117 | * struct __sk_buff -> struct sk_buff | |
7118 | * struct bpf_sock_ops -> struct sock | |
9bac3d6d | 7119 | */ |
58e2af8b | 7120 | static int convert_ctx_accesses(struct bpf_verifier_env *env) |
9bac3d6d | 7121 | { |
00176a34 | 7122 | const struct bpf_verifier_ops *ops = env->ops; |
f96da094 | 7123 | int i, cnt, size, ctx_field_size, delta = 0; |
3df126f3 | 7124 | const int insn_cnt = env->prog->len; |
36bbef52 | 7125 | struct bpf_insn insn_buf[16], *insn; |
46f53a65 | 7126 | u32 target_size, size_default, off; |
9bac3d6d | 7127 | struct bpf_prog *new_prog; |
d691f9e8 | 7128 | enum bpf_access_type type; |
f96da094 | 7129 | bool is_narrower_load; |
9bac3d6d | 7130 | |
b09928b9 DB |
7131 | if (ops->gen_prologue || env->seen_direct_write) { |
7132 | if (!ops->gen_prologue) { | |
7133 | verbose(env, "bpf verifier is misconfigured\n"); | |
7134 | return -EINVAL; | |
7135 | } | |
36bbef52 DB |
7136 | cnt = ops->gen_prologue(insn_buf, env->seen_direct_write, |
7137 | env->prog); | |
7138 | if (cnt >= ARRAY_SIZE(insn_buf)) { | |
61bd5218 | 7139 | verbose(env, "bpf verifier is misconfigured\n"); |
36bbef52 DB |
7140 | return -EINVAL; |
7141 | } else if (cnt) { | |
8041902d | 7142 | new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt); |
36bbef52 DB |
7143 | if (!new_prog) |
7144 | return -ENOMEM; | |
8041902d | 7145 | |
36bbef52 | 7146 | env->prog = new_prog; |
3df126f3 | 7147 | delta += cnt - 1; |
36bbef52 DB |
7148 | } |
7149 | } | |
7150 | ||
c64b7983 | 7151 | if (bpf_prog_is_dev_bound(env->prog->aux)) |
9bac3d6d AS |
7152 | return 0; |
7153 | ||
3df126f3 | 7154 | insn = env->prog->insnsi + delta; |
36bbef52 | 7155 | |
9bac3d6d | 7156 | for (i = 0; i < insn_cnt; i++, insn++) { |
c64b7983 JS |
7157 | bpf_convert_ctx_access_t convert_ctx_access; |
7158 | ||
62c7989b DB |
7159 | if (insn->code == (BPF_LDX | BPF_MEM | BPF_B) || |
7160 | insn->code == (BPF_LDX | BPF_MEM | BPF_H) || | |
7161 | insn->code == (BPF_LDX | BPF_MEM | BPF_W) || | |
ea2e7ce5 | 7162 | insn->code == (BPF_LDX | BPF_MEM | BPF_DW)) |
d691f9e8 | 7163 | type = BPF_READ; |
62c7989b DB |
7164 | else if (insn->code == (BPF_STX | BPF_MEM | BPF_B) || |
7165 | insn->code == (BPF_STX | BPF_MEM | BPF_H) || | |
7166 | insn->code == (BPF_STX | BPF_MEM | BPF_W) || | |
ea2e7ce5 | 7167 | insn->code == (BPF_STX | BPF_MEM | BPF_DW)) |
d691f9e8 AS |
7168 | type = BPF_WRITE; |
7169 | else | |
9bac3d6d AS |
7170 | continue; |
7171 | ||
af86ca4e AS |
7172 | if (type == BPF_WRITE && |
7173 | env->insn_aux_data[i + delta].sanitize_stack_off) { | |
7174 | struct bpf_insn patch[] = { | |
7175 | /* Sanitize suspicious stack slot with zero. | |
7176 | * There are no memory dependencies for this store, | |
7177 | * since it's only using frame pointer and immediate | |
7178 | * constant of zero | |
7179 | */ | |
7180 | BPF_ST_MEM(BPF_DW, BPF_REG_FP, | |
7181 | env->insn_aux_data[i + delta].sanitize_stack_off, | |
7182 | 0), | |
7183 | /* the original STX instruction will immediately | |
7184 | * overwrite the same stack slot with appropriate value | |
7185 | */ | |
7186 | *insn, | |
7187 | }; | |
7188 | ||
7189 | cnt = ARRAY_SIZE(patch); | |
7190 | new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt); | |
7191 | if (!new_prog) | |
7192 | return -ENOMEM; | |
7193 | ||
7194 | delta += cnt - 1; | |
7195 | env->prog = new_prog; | |
7196 | insn = new_prog->insnsi + i + delta; | |
7197 | continue; | |
7198 | } | |
7199 | ||
c64b7983 JS |
7200 | switch (env->insn_aux_data[i + delta].ptr_type) { |
7201 | case PTR_TO_CTX: | |
7202 | if (!ops->convert_ctx_access) | |
7203 | continue; | |
7204 | convert_ctx_access = ops->convert_ctx_access; | |
7205 | break; | |
7206 | case PTR_TO_SOCKET: | |
46f8bc92 | 7207 | case PTR_TO_SOCK_COMMON: |
c64b7983 JS |
7208 | convert_ctx_access = bpf_sock_convert_ctx_access; |
7209 | break; | |
655a51e5 MKL |
7210 | case PTR_TO_TCP_SOCK: |
7211 | convert_ctx_access = bpf_tcp_sock_convert_ctx_access; | |
7212 | break; | |
c64b7983 | 7213 | default: |
9bac3d6d | 7214 | continue; |
c64b7983 | 7215 | } |
9bac3d6d | 7216 | |
31fd8581 | 7217 | ctx_field_size = env->insn_aux_data[i + delta].ctx_field_size; |
f96da094 | 7218 | size = BPF_LDST_BYTES(insn); |
31fd8581 YS |
7219 | |
7220 | /* If the read access is a narrower load of the field, | |
7221 | * convert to a 4/8-byte load, to minimum program type specific | |
7222 | * convert_ctx_access changes. If conversion is successful, | |
7223 | * we will apply proper mask to the result. | |
7224 | */ | |
f96da094 | 7225 | is_narrower_load = size < ctx_field_size; |
46f53a65 AI |
7226 | size_default = bpf_ctx_off_adjust_machine(ctx_field_size); |
7227 | off = insn->off; | |
31fd8581 | 7228 | if (is_narrower_load) { |
f96da094 DB |
7229 | u8 size_code; |
7230 | ||
7231 | if (type == BPF_WRITE) { | |
61bd5218 | 7232 | verbose(env, "bpf verifier narrow ctx access misconfigured\n"); |
f96da094 DB |
7233 | return -EINVAL; |
7234 | } | |
31fd8581 | 7235 | |
f96da094 | 7236 | size_code = BPF_H; |
31fd8581 YS |
7237 | if (ctx_field_size == 4) |
7238 | size_code = BPF_W; | |
7239 | else if (ctx_field_size == 8) | |
7240 | size_code = BPF_DW; | |
f96da094 | 7241 | |
bc23105c | 7242 | insn->off = off & ~(size_default - 1); |
31fd8581 YS |
7243 | insn->code = BPF_LDX | BPF_MEM | size_code; |
7244 | } | |
f96da094 DB |
7245 | |
7246 | target_size = 0; | |
c64b7983 JS |
7247 | cnt = convert_ctx_access(type, insn, insn_buf, env->prog, |
7248 | &target_size); | |
f96da094 DB |
7249 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf) || |
7250 | (ctx_field_size && !target_size)) { | |
61bd5218 | 7251 | verbose(env, "bpf verifier is misconfigured\n"); |
9bac3d6d AS |
7252 | return -EINVAL; |
7253 | } | |
f96da094 DB |
7254 | |
7255 | if (is_narrower_load && size < target_size) { | |
46f53a65 AI |
7256 | u8 shift = (off & (size_default - 1)) * 8; |
7257 | ||
7258 | if (ctx_field_size <= 4) { | |
7259 | if (shift) | |
7260 | insn_buf[cnt++] = BPF_ALU32_IMM(BPF_RSH, | |
7261 | insn->dst_reg, | |
7262 | shift); | |
31fd8581 | 7263 | insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg, |
f96da094 | 7264 | (1 << size * 8) - 1); |
46f53a65 AI |
7265 | } else { |
7266 | if (shift) | |
7267 | insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH, | |
7268 | insn->dst_reg, | |
7269 | shift); | |
31fd8581 | 7270 | insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg, |
f96da094 | 7271 | (1 << size * 8) - 1); |
46f53a65 | 7272 | } |
31fd8581 | 7273 | } |
9bac3d6d | 7274 | |
8041902d | 7275 | new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); |
9bac3d6d AS |
7276 | if (!new_prog) |
7277 | return -ENOMEM; | |
7278 | ||
3df126f3 | 7279 | delta += cnt - 1; |
9bac3d6d AS |
7280 | |
7281 | /* keep walking new program and skip insns we just inserted */ | |
7282 | env->prog = new_prog; | |
3df126f3 | 7283 | insn = new_prog->insnsi + i + delta; |
9bac3d6d AS |
7284 | } |
7285 | ||
7286 | return 0; | |
7287 | } | |
7288 | ||
1c2a088a AS |
7289 | static int jit_subprogs(struct bpf_verifier_env *env) |
7290 | { | |
7291 | struct bpf_prog *prog = env->prog, **func, *tmp; | |
7292 | int i, j, subprog_start, subprog_end = 0, len, subprog; | |
7105e828 | 7293 | struct bpf_insn *insn; |
1c2a088a | 7294 | void *old_bpf_func; |
c454a46b | 7295 | int err; |
1c2a088a | 7296 | |
f910cefa | 7297 | if (env->subprog_cnt <= 1) |
1c2a088a AS |
7298 | return 0; |
7299 | ||
7105e828 | 7300 | for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) { |
1c2a088a AS |
7301 | if (insn->code != (BPF_JMP | BPF_CALL) || |
7302 | insn->src_reg != BPF_PSEUDO_CALL) | |
7303 | continue; | |
c7a89784 DB |
7304 | /* Upon error here we cannot fall back to interpreter but |
7305 | * need a hard reject of the program. Thus -EFAULT is | |
7306 | * propagated in any case. | |
7307 | */ | |
1c2a088a AS |
7308 | subprog = find_subprog(env, i + insn->imm + 1); |
7309 | if (subprog < 0) { | |
7310 | WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", | |
7311 | i + insn->imm + 1); | |
7312 | return -EFAULT; | |
7313 | } | |
7314 | /* temporarily remember subprog id inside insn instead of | |
7315 | * aux_data, since next loop will split up all insns into funcs | |
7316 | */ | |
f910cefa | 7317 | insn->off = subprog; |
1c2a088a AS |
7318 | /* remember original imm in case JIT fails and fallback |
7319 | * to interpreter will be needed | |
7320 | */ | |
7321 | env->insn_aux_data[i].call_imm = insn->imm; | |
7322 | /* point imm to __bpf_call_base+1 from JITs point of view */ | |
7323 | insn->imm = 1; | |
7324 | } | |
7325 | ||
c454a46b MKL |
7326 | err = bpf_prog_alloc_jited_linfo(prog); |
7327 | if (err) | |
7328 | goto out_undo_insn; | |
7329 | ||
7330 | err = -ENOMEM; | |
6396bb22 | 7331 | func = kcalloc(env->subprog_cnt, sizeof(prog), GFP_KERNEL); |
1c2a088a | 7332 | if (!func) |
c7a89784 | 7333 | goto out_undo_insn; |
1c2a088a | 7334 | |
f910cefa | 7335 | for (i = 0; i < env->subprog_cnt; i++) { |
1c2a088a | 7336 | subprog_start = subprog_end; |
4cb3d99c | 7337 | subprog_end = env->subprog_info[i + 1].start; |
1c2a088a AS |
7338 | |
7339 | len = subprog_end - subprog_start; | |
492ecee8 AS |
7340 | /* BPF_PROG_RUN doesn't call subprogs directly, |
7341 | * hence main prog stats include the runtime of subprogs. | |
7342 | * subprogs don't have IDs and not reachable via prog_get_next_id | |
7343 | * func[i]->aux->stats will never be accessed and stays NULL | |
7344 | */ | |
7345 | func[i] = bpf_prog_alloc_no_stats(bpf_prog_size(len), GFP_USER); | |
1c2a088a AS |
7346 | if (!func[i]) |
7347 | goto out_free; | |
7348 | memcpy(func[i]->insnsi, &prog->insnsi[subprog_start], | |
7349 | len * sizeof(struct bpf_insn)); | |
4f74d809 | 7350 | func[i]->type = prog->type; |
1c2a088a | 7351 | func[i]->len = len; |
4f74d809 DB |
7352 | if (bpf_prog_calc_tag(func[i])) |
7353 | goto out_free; | |
1c2a088a | 7354 | func[i]->is_func = 1; |
ba64e7d8 YS |
7355 | func[i]->aux->func_idx = i; |
7356 | /* the btf and func_info will be freed only at prog->aux */ | |
7357 | func[i]->aux->btf = prog->aux->btf; | |
7358 | func[i]->aux->func_info = prog->aux->func_info; | |
7359 | ||
1c2a088a AS |
7360 | /* Use bpf_prog_F_tag to indicate functions in stack traces. |
7361 | * Long term would need debug info to populate names | |
7362 | */ | |
7363 | func[i]->aux->name[0] = 'F'; | |
9c8105bd | 7364 | func[i]->aux->stack_depth = env->subprog_info[i].stack_depth; |
1c2a088a | 7365 | func[i]->jit_requested = 1; |
c454a46b MKL |
7366 | func[i]->aux->linfo = prog->aux->linfo; |
7367 | func[i]->aux->nr_linfo = prog->aux->nr_linfo; | |
7368 | func[i]->aux->jited_linfo = prog->aux->jited_linfo; | |
7369 | func[i]->aux->linfo_idx = env->subprog_info[i].linfo_idx; | |
1c2a088a AS |
7370 | func[i] = bpf_int_jit_compile(func[i]); |
7371 | if (!func[i]->jited) { | |
7372 | err = -ENOTSUPP; | |
7373 | goto out_free; | |
7374 | } | |
7375 | cond_resched(); | |
7376 | } | |
7377 | /* at this point all bpf functions were successfully JITed | |
7378 | * now populate all bpf_calls with correct addresses and | |
7379 | * run last pass of JIT | |
7380 | */ | |
f910cefa | 7381 | for (i = 0; i < env->subprog_cnt; i++) { |
1c2a088a AS |
7382 | insn = func[i]->insnsi; |
7383 | for (j = 0; j < func[i]->len; j++, insn++) { | |
7384 | if (insn->code != (BPF_JMP | BPF_CALL) || | |
7385 | insn->src_reg != BPF_PSEUDO_CALL) | |
7386 | continue; | |
7387 | subprog = insn->off; | |
1c2a088a AS |
7388 | insn->imm = (u64 (*)(u64, u64, u64, u64, u64)) |
7389 | func[subprog]->bpf_func - | |
7390 | __bpf_call_base; | |
7391 | } | |
2162fed4 SD |
7392 | |
7393 | /* we use the aux data to keep a list of the start addresses | |
7394 | * of the JITed images for each function in the program | |
7395 | * | |
7396 | * for some architectures, such as powerpc64, the imm field | |
7397 | * might not be large enough to hold the offset of the start | |
7398 | * address of the callee's JITed image from __bpf_call_base | |
7399 | * | |
7400 | * in such cases, we can lookup the start address of a callee | |
7401 | * by using its subprog id, available from the off field of | |
7402 | * the call instruction, as an index for this list | |
7403 | */ | |
7404 | func[i]->aux->func = func; | |
7405 | func[i]->aux->func_cnt = env->subprog_cnt; | |
1c2a088a | 7406 | } |
f910cefa | 7407 | for (i = 0; i < env->subprog_cnt; i++) { |
1c2a088a AS |
7408 | old_bpf_func = func[i]->bpf_func; |
7409 | tmp = bpf_int_jit_compile(func[i]); | |
7410 | if (tmp != func[i] || func[i]->bpf_func != old_bpf_func) { | |
7411 | verbose(env, "JIT doesn't support bpf-to-bpf calls\n"); | |
c7a89784 | 7412 | err = -ENOTSUPP; |
1c2a088a AS |
7413 | goto out_free; |
7414 | } | |
7415 | cond_resched(); | |
7416 | } | |
7417 | ||
7418 | /* finally lock prog and jit images for all functions and | |
7419 | * populate kallsysm | |
7420 | */ | |
f910cefa | 7421 | for (i = 0; i < env->subprog_cnt; i++) { |
1c2a088a AS |
7422 | bpf_prog_lock_ro(func[i]); |
7423 | bpf_prog_kallsyms_add(func[i]); | |
7424 | } | |
7105e828 DB |
7425 | |
7426 | /* Last step: make now unused interpreter insns from main | |
7427 | * prog consistent for later dump requests, so they can | |
7428 | * later look the same as if they were interpreted only. | |
7429 | */ | |
7430 | for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) { | |
7105e828 DB |
7431 | if (insn->code != (BPF_JMP | BPF_CALL) || |
7432 | insn->src_reg != BPF_PSEUDO_CALL) | |
7433 | continue; | |
7434 | insn->off = env->insn_aux_data[i].call_imm; | |
7435 | subprog = find_subprog(env, i + insn->off + 1); | |
dbecd738 | 7436 | insn->imm = subprog; |
7105e828 DB |
7437 | } |
7438 | ||
1c2a088a AS |
7439 | prog->jited = 1; |
7440 | prog->bpf_func = func[0]->bpf_func; | |
7441 | prog->aux->func = func; | |
f910cefa | 7442 | prog->aux->func_cnt = env->subprog_cnt; |
c454a46b | 7443 | bpf_prog_free_unused_jited_linfo(prog); |
1c2a088a AS |
7444 | return 0; |
7445 | out_free: | |
f910cefa | 7446 | for (i = 0; i < env->subprog_cnt; i++) |
1c2a088a AS |
7447 | if (func[i]) |
7448 | bpf_jit_free(func[i]); | |
7449 | kfree(func); | |
c7a89784 | 7450 | out_undo_insn: |
1c2a088a AS |
7451 | /* cleanup main prog to be interpreted */ |
7452 | prog->jit_requested = 0; | |
7453 | for (i = 0, insn = prog->insnsi; i < prog->len; i++, insn++) { | |
7454 | if (insn->code != (BPF_JMP | BPF_CALL) || | |
7455 | insn->src_reg != BPF_PSEUDO_CALL) | |
7456 | continue; | |
7457 | insn->off = 0; | |
7458 | insn->imm = env->insn_aux_data[i].call_imm; | |
7459 | } | |
c454a46b | 7460 | bpf_prog_free_jited_linfo(prog); |
1c2a088a AS |
7461 | return err; |
7462 | } | |
7463 | ||
1ea47e01 AS |
7464 | static int fixup_call_args(struct bpf_verifier_env *env) |
7465 | { | |
19d28fbd | 7466 | #ifndef CONFIG_BPF_JIT_ALWAYS_ON |
1ea47e01 AS |
7467 | struct bpf_prog *prog = env->prog; |
7468 | struct bpf_insn *insn = prog->insnsi; | |
7469 | int i, depth; | |
19d28fbd | 7470 | #endif |
e4052d06 | 7471 | int err = 0; |
1ea47e01 | 7472 | |
e4052d06 QM |
7473 | if (env->prog->jit_requested && |
7474 | !bpf_prog_is_dev_bound(env->prog->aux)) { | |
19d28fbd DM |
7475 | err = jit_subprogs(env); |
7476 | if (err == 0) | |
1c2a088a | 7477 | return 0; |
c7a89784 DB |
7478 | if (err == -EFAULT) |
7479 | return err; | |
19d28fbd DM |
7480 | } |
7481 | #ifndef CONFIG_BPF_JIT_ALWAYS_ON | |
1ea47e01 AS |
7482 | for (i = 0; i < prog->len; i++, insn++) { |
7483 | if (insn->code != (BPF_JMP | BPF_CALL) || | |
7484 | insn->src_reg != BPF_PSEUDO_CALL) | |
7485 | continue; | |
7486 | depth = get_callee_stack_depth(env, insn, i); | |
7487 | if (depth < 0) | |
7488 | return depth; | |
7489 | bpf_patch_call_args(insn, depth); | |
7490 | } | |
19d28fbd DM |
7491 | err = 0; |
7492 | #endif | |
7493 | return err; | |
1ea47e01 AS |
7494 | } |
7495 | ||
79741b3b | 7496 | /* fixup insn->imm field of bpf_call instructions |
81ed18ab | 7497 | * and inline eligible helpers as explicit sequence of BPF instructions |
e245c5c6 AS |
7498 | * |
7499 | * this function is called after eBPF program passed verification | |
7500 | */ | |
79741b3b | 7501 | static int fixup_bpf_calls(struct bpf_verifier_env *env) |
e245c5c6 | 7502 | { |
79741b3b AS |
7503 | struct bpf_prog *prog = env->prog; |
7504 | struct bpf_insn *insn = prog->insnsi; | |
e245c5c6 | 7505 | const struct bpf_func_proto *fn; |
79741b3b | 7506 | const int insn_cnt = prog->len; |
09772d92 | 7507 | const struct bpf_map_ops *ops; |
c93552c4 | 7508 | struct bpf_insn_aux_data *aux; |
81ed18ab AS |
7509 | struct bpf_insn insn_buf[16]; |
7510 | struct bpf_prog *new_prog; | |
7511 | struct bpf_map *map_ptr; | |
7512 | int i, cnt, delta = 0; | |
e245c5c6 | 7513 | |
79741b3b | 7514 | for (i = 0; i < insn_cnt; i++, insn++) { |
f6b1b3bf DB |
7515 | if (insn->code == (BPF_ALU64 | BPF_MOD | BPF_X) || |
7516 | insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) || | |
7517 | insn->code == (BPF_ALU | BPF_MOD | BPF_X) || | |
68fda450 | 7518 | insn->code == (BPF_ALU | BPF_DIV | BPF_X)) { |
f6b1b3bf DB |
7519 | bool is64 = BPF_CLASS(insn->code) == BPF_ALU64; |
7520 | struct bpf_insn mask_and_div[] = { | |
7521 | BPF_MOV32_REG(insn->src_reg, insn->src_reg), | |
7522 | /* Rx div 0 -> 0 */ | |
7523 | BPF_JMP_IMM(BPF_JNE, insn->src_reg, 0, 2), | |
7524 | BPF_ALU32_REG(BPF_XOR, insn->dst_reg, insn->dst_reg), | |
7525 | BPF_JMP_IMM(BPF_JA, 0, 0, 1), | |
7526 | *insn, | |
7527 | }; | |
7528 | struct bpf_insn mask_and_mod[] = { | |
7529 | BPF_MOV32_REG(insn->src_reg, insn->src_reg), | |
7530 | /* Rx mod 0 -> Rx */ | |
7531 | BPF_JMP_IMM(BPF_JEQ, insn->src_reg, 0, 1), | |
7532 | *insn, | |
7533 | }; | |
7534 | struct bpf_insn *patchlet; | |
7535 | ||
7536 | if (insn->code == (BPF_ALU64 | BPF_DIV | BPF_X) || | |
7537 | insn->code == (BPF_ALU | BPF_DIV | BPF_X)) { | |
7538 | patchlet = mask_and_div + (is64 ? 1 : 0); | |
7539 | cnt = ARRAY_SIZE(mask_and_div) - (is64 ? 1 : 0); | |
7540 | } else { | |
7541 | patchlet = mask_and_mod + (is64 ? 1 : 0); | |
7542 | cnt = ARRAY_SIZE(mask_and_mod) - (is64 ? 1 : 0); | |
7543 | } | |
7544 | ||
7545 | new_prog = bpf_patch_insn_data(env, i + delta, patchlet, cnt); | |
68fda450 AS |
7546 | if (!new_prog) |
7547 | return -ENOMEM; | |
7548 | ||
7549 | delta += cnt - 1; | |
7550 | env->prog = prog = new_prog; | |
7551 | insn = new_prog->insnsi + i + delta; | |
7552 | continue; | |
7553 | } | |
7554 | ||
e0cea7ce DB |
7555 | if (BPF_CLASS(insn->code) == BPF_LD && |
7556 | (BPF_MODE(insn->code) == BPF_ABS || | |
7557 | BPF_MODE(insn->code) == BPF_IND)) { | |
7558 | cnt = env->ops->gen_ld_abs(insn, insn_buf); | |
7559 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) { | |
7560 | verbose(env, "bpf verifier is misconfigured\n"); | |
7561 | return -EINVAL; | |
7562 | } | |
7563 | ||
7564 | new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); | |
7565 | if (!new_prog) | |
7566 | return -ENOMEM; | |
7567 | ||
7568 | delta += cnt - 1; | |
7569 | env->prog = prog = new_prog; | |
7570 | insn = new_prog->insnsi + i + delta; | |
7571 | continue; | |
7572 | } | |
7573 | ||
979d63d5 DB |
7574 | if (insn->code == (BPF_ALU64 | BPF_ADD | BPF_X) || |
7575 | insn->code == (BPF_ALU64 | BPF_SUB | BPF_X)) { | |
7576 | const u8 code_add = BPF_ALU64 | BPF_ADD | BPF_X; | |
7577 | const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X; | |
7578 | struct bpf_insn insn_buf[16]; | |
7579 | struct bpf_insn *patch = &insn_buf[0]; | |
7580 | bool issrc, isneg; | |
7581 | u32 off_reg; | |
7582 | ||
7583 | aux = &env->insn_aux_data[i + delta]; | |
3612af78 DB |
7584 | if (!aux->alu_state || |
7585 | aux->alu_state == BPF_ALU_NON_POINTER) | |
979d63d5 DB |
7586 | continue; |
7587 | ||
7588 | isneg = aux->alu_state & BPF_ALU_NEG_VALUE; | |
7589 | issrc = (aux->alu_state & BPF_ALU_SANITIZE) == | |
7590 | BPF_ALU_SANITIZE_SRC; | |
7591 | ||
7592 | off_reg = issrc ? insn->src_reg : insn->dst_reg; | |
7593 | if (isneg) | |
7594 | *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); | |
7595 | *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1); | |
7596 | *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); | |
7597 | *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); | |
7598 | *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); | |
7599 | *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63); | |
7600 | if (issrc) { | |
7601 | *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, | |
7602 | off_reg); | |
7603 | insn->src_reg = BPF_REG_AX; | |
7604 | } else { | |
7605 | *patch++ = BPF_ALU64_REG(BPF_AND, off_reg, | |
7606 | BPF_REG_AX); | |
7607 | } | |
7608 | if (isneg) | |
7609 | insn->code = insn->code == code_add ? | |
7610 | code_sub : code_add; | |
7611 | *patch++ = *insn; | |
7612 | if (issrc && isneg) | |
7613 | *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); | |
7614 | cnt = patch - insn_buf; | |
7615 | ||
7616 | new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); | |
7617 | if (!new_prog) | |
7618 | return -ENOMEM; | |
7619 | ||
7620 | delta += cnt - 1; | |
7621 | env->prog = prog = new_prog; | |
7622 | insn = new_prog->insnsi + i + delta; | |
7623 | continue; | |
7624 | } | |
7625 | ||
79741b3b AS |
7626 | if (insn->code != (BPF_JMP | BPF_CALL)) |
7627 | continue; | |
cc8b0b92 AS |
7628 | if (insn->src_reg == BPF_PSEUDO_CALL) |
7629 | continue; | |
e245c5c6 | 7630 | |
79741b3b AS |
7631 | if (insn->imm == BPF_FUNC_get_route_realm) |
7632 | prog->dst_needed = 1; | |
7633 | if (insn->imm == BPF_FUNC_get_prandom_u32) | |
7634 | bpf_user_rnd_init_once(); | |
9802d865 JB |
7635 | if (insn->imm == BPF_FUNC_override_return) |
7636 | prog->kprobe_override = 1; | |
79741b3b | 7637 | if (insn->imm == BPF_FUNC_tail_call) { |
7b9f6da1 DM |
7638 | /* If we tail call into other programs, we |
7639 | * cannot make any assumptions since they can | |
7640 | * be replaced dynamically during runtime in | |
7641 | * the program array. | |
7642 | */ | |
7643 | prog->cb_access = 1; | |
80a58d02 | 7644 | env->prog->aux->stack_depth = MAX_BPF_STACK; |
e647815a | 7645 | env->prog->aux->max_pkt_offset = MAX_PACKET_OFF; |
7b9f6da1 | 7646 | |
79741b3b AS |
7647 | /* mark bpf_tail_call as different opcode to avoid |
7648 | * conditional branch in the interpeter for every normal | |
7649 | * call and to prevent accidental JITing by JIT compiler | |
7650 | * that doesn't support bpf_tail_call yet | |
e245c5c6 | 7651 | */ |
79741b3b | 7652 | insn->imm = 0; |
71189fa9 | 7653 | insn->code = BPF_JMP | BPF_TAIL_CALL; |
b2157399 | 7654 | |
c93552c4 DB |
7655 | aux = &env->insn_aux_data[i + delta]; |
7656 | if (!bpf_map_ptr_unpriv(aux)) | |
7657 | continue; | |
7658 | ||
b2157399 AS |
7659 | /* instead of changing every JIT dealing with tail_call |
7660 | * emit two extra insns: | |
7661 | * if (index >= max_entries) goto out; | |
7662 | * index &= array->index_mask; | |
7663 | * to avoid out-of-bounds cpu speculation | |
7664 | */ | |
c93552c4 | 7665 | if (bpf_map_ptr_poisoned(aux)) { |
40950343 | 7666 | verbose(env, "tail_call abusing map_ptr\n"); |
b2157399 AS |
7667 | return -EINVAL; |
7668 | } | |
c93552c4 DB |
7669 | |
7670 | map_ptr = BPF_MAP_PTR(aux->map_state); | |
b2157399 AS |
7671 | insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3, |
7672 | map_ptr->max_entries, 2); | |
7673 | insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3, | |
7674 | container_of(map_ptr, | |
7675 | struct bpf_array, | |
7676 | map)->index_mask); | |
7677 | insn_buf[2] = *insn; | |
7678 | cnt = 3; | |
7679 | new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); | |
7680 | if (!new_prog) | |
7681 | return -ENOMEM; | |
7682 | ||
7683 | delta += cnt - 1; | |
7684 | env->prog = prog = new_prog; | |
7685 | insn = new_prog->insnsi + i + delta; | |
79741b3b AS |
7686 | continue; |
7687 | } | |
e245c5c6 | 7688 | |
89c63074 | 7689 | /* BPF_EMIT_CALL() assumptions in some of the map_gen_lookup |
09772d92 DB |
7690 | * and other inlining handlers are currently limited to 64 bit |
7691 | * only. | |
89c63074 | 7692 | */ |
60b58afc | 7693 | if (prog->jit_requested && BITS_PER_LONG == 64 && |
09772d92 DB |
7694 | (insn->imm == BPF_FUNC_map_lookup_elem || |
7695 | insn->imm == BPF_FUNC_map_update_elem || | |
84430d42 DB |
7696 | insn->imm == BPF_FUNC_map_delete_elem || |
7697 | insn->imm == BPF_FUNC_map_push_elem || | |
7698 | insn->imm == BPF_FUNC_map_pop_elem || | |
7699 | insn->imm == BPF_FUNC_map_peek_elem)) { | |
c93552c4 DB |
7700 | aux = &env->insn_aux_data[i + delta]; |
7701 | if (bpf_map_ptr_poisoned(aux)) | |
7702 | goto patch_call_imm; | |
7703 | ||
7704 | map_ptr = BPF_MAP_PTR(aux->map_state); | |
09772d92 DB |
7705 | ops = map_ptr->ops; |
7706 | if (insn->imm == BPF_FUNC_map_lookup_elem && | |
7707 | ops->map_gen_lookup) { | |
7708 | cnt = ops->map_gen_lookup(map_ptr, insn_buf); | |
7709 | if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) { | |
7710 | verbose(env, "bpf verifier is misconfigured\n"); | |
7711 | return -EINVAL; | |
7712 | } | |
81ed18ab | 7713 | |
09772d92 DB |
7714 | new_prog = bpf_patch_insn_data(env, i + delta, |
7715 | insn_buf, cnt); | |
7716 | if (!new_prog) | |
7717 | return -ENOMEM; | |
81ed18ab | 7718 | |
09772d92 DB |
7719 | delta += cnt - 1; |
7720 | env->prog = prog = new_prog; | |
7721 | insn = new_prog->insnsi + i + delta; | |
7722 | continue; | |
7723 | } | |
81ed18ab | 7724 | |
09772d92 DB |
7725 | BUILD_BUG_ON(!__same_type(ops->map_lookup_elem, |
7726 | (void *(*)(struct bpf_map *map, void *key))NULL)); | |
7727 | BUILD_BUG_ON(!__same_type(ops->map_delete_elem, | |
7728 | (int (*)(struct bpf_map *map, void *key))NULL)); | |
7729 | BUILD_BUG_ON(!__same_type(ops->map_update_elem, | |
7730 | (int (*)(struct bpf_map *map, void *key, void *value, | |
7731 | u64 flags))NULL)); | |
84430d42 DB |
7732 | BUILD_BUG_ON(!__same_type(ops->map_push_elem, |
7733 | (int (*)(struct bpf_map *map, void *value, | |
7734 | u64 flags))NULL)); | |
7735 | BUILD_BUG_ON(!__same_type(ops->map_pop_elem, | |
7736 | (int (*)(struct bpf_map *map, void *value))NULL)); | |
7737 | BUILD_BUG_ON(!__same_type(ops->map_peek_elem, | |
7738 | (int (*)(struct bpf_map *map, void *value))NULL)); | |
7739 | ||
09772d92 DB |
7740 | switch (insn->imm) { |
7741 | case BPF_FUNC_map_lookup_elem: | |
7742 | insn->imm = BPF_CAST_CALL(ops->map_lookup_elem) - | |
7743 | __bpf_call_base; | |
7744 | continue; | |
7745 | case BPF_FUNC_map_update_elem: | |
7746 | insn->imm = BPF_CAST_CALL(ops->map_update_elem) - | |
7747 | __bpf_call_base; | |
7748 | continue; | |
7749 | case BPF_FUNC_map_delete_elem: | |
7750 | insn->imm = BPF_CAST_CALL(ops->map_delete_elem) - | |
7751 | __bpf_call_base; | |
7752 | continue; | |
84430d42 DB |
7753 | case BPF_FUNC_map_push_elem: |
7754 | insn->imm = BPF_CAST_CALL(ops->map_push_elem) - | |
7755 | __bpf_call_base; | |
7756 | continue; | |
7757 | case BPF_FUNC_map_pop_elem: | |
7758 | insn->imm = BPF_CAST_CALL(ops->map_pop_elem) - | |
7759 | __bpf_call_base; | |
7760 | continue; | |
7761 | case BPF_FUNC_map_peek_elem: | |
7762 | insn->imm = BPF_CAST_CALL(ops->map_peek_elem) - | |
7763 | __bpf_call_base; | |
7764 | continue; | |
09772d92 | 7765 | } |
81ed18ab | 7766 | |
09772d92 | 7767 | goto patch_call_imm; |
81ed18ab AS |
7768 | } |
7769 | ||
7770 | patch_call_imm: | |
5e43f899 | 7771 | fn = env->ops->get_func_proto(insn->imm, env->prog); |
79741b3b AS |
7772 | /* all functions that have prototype and verifier allowed |
7773 | * programs to call them, must be real in-kernel functions | |
7774 | */ | |
7775 | if (!fn->func) { | |
61bd5218 JK |
7776 | verbose(env, |
7777 | "kernel subsystem misconfigured func %s#%d\n", | |
79741b3b AS |
7778 | func_id_name(insn->imm), insn->imm); |
7779 | return -EFAULT; | |
e245c5c6 | 7780 | } |
79741b3b | 7781 | insn->imm = fn->func - __bpf_call_base; |
e245c5c6 | 7782 | } |
e245c5c6 | 7783 | |
79741b3b AS |
7784 | return 0; |
7785 | } | |
e245c5c6 | 7786 | |
58e2af8b | 7787 | static void free_states(struct bpf_verifier_env *env) |
f1bca824 | 7788 | { |
58e2af8b | 7789 | struct bpf_verifier_state_list *sl, *sln; |
f1bca824 AS |
7790 | int i; |
7791 | ||
7792 | if (!env->explored_states) | |
7793 | return; | |
7794 | ||
7795 | for (i = 0; i < env->prog->len; i++) { | |
7796 | sl = env->explored_states[i]; | |
7797 | ||
7798 | if (sl) | |
7799 | while (sl != STATE_LIST_MARK) { | |
7800 | sln = sl->next; | |
1969db47 | 7801 | free_verifier_state(&sl->state, false); |
f1bca824 AS |
7802 | kfree(sl); |
7803 | sl = sln; | |
7804 | } | |
7805 | } | |
7806 | ||
7807 | kfree(env->explored_states); | |
7808 | } | |
7809 | ||
838e9690 YS |
7810 | int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, |
7811 | union bpf_attr __user *uattr) | |
51580e79 | 7812 | { |
58e2af8b | 7813 | struct bpf_verifier_env *env; |
b9193c1b | 7814 | struct bpf_verifier_log *log; |
9e4c24e7 | 7815 | int i, len, ret = -EINVAL; |
e2ae4ca2 | 7816 | bool is_priv; |
51580e79 | 7817 | |
eba0c929 AB |
7818 | /* no program is valid */ |
7819 | if (ARRAY_SIZE(bpf_verifier_ops) == 0) | |
7820 | return -EINVAL; | |
7821 | ||
58e2af8b | 7822 | /* 'struct bpf_verifier_env' can be global, but since it's not small, |
cbd35700 AS |
7823 | * allocate/free it every time bpf_check() is called |
7824 | */ | |
58e2af8b | 7825 | env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); |
cbd35700 AS |
7826 | if (!env) |
7827 | return -ENOMEM; | |
61bd5218 | 7828 | log = &env->log; |
cbd35700 | 7829 | |
9e4c24e7 | 7830 | len = (*prog)->len; |
fad953ce | 7831 | env->insn_aux_data = |
9e4c24e7 | 7832 | vzalloc(array_size(sizeof(struct bpf_insn_aux_data), len)); |
3df126f3 JK |
7833 | ret = -ENOMEM; |
7834 | if (!env->insn_aux_data) | |
7835 | goto err_free_env; | |
9e4c24e7 JK |
7836 | for (i = 0; i < len; i++) |
7837 | env->insn_aux_data[i].orig_idx = i; | |
9bac3d6d | 7838 | env->prog = *prog; |
00176a34 | 7839 | env->ops = bpf_verifier_ops[env->prog->type]; |
0246e64d | 7840 | |
cbd35700 AS |
7841 | /* grab the mutex to protect few globals used by verifier */ |
7842 | mutex_lock(&bpf_verifier_lock); | |
7843 | ||
7844 | if (attr->log_level || attr->log_buf || attr->log_size) { | |
7845 | /* user requested verbose verifier output | |
7846 | * and supplied buffer to store the verification trace | |
7847 | */ | |
e7bf8249 JK |
7848 | log->level = attr->log_level; |
7849 | log->ubuf = (char __user *) (unsigned long) attr->log_buf; | |
7850 | log->len_total = attr->log_size; | |
cbd35700 AS |
7851 | |
7852 | ret = -EINVAL; | |
e7bf8249 JK |
7853 | /* log attributes have to be sane */ |
7854 | if (log->len_total < 128 || log->len_total > UINT_MAX >> 8 || | |
7855 | !log->level || !log->ubuf) | |
3df126f3 | 7856 | goto err_unlock; |
cbd35700 | 7857 | } |
1ad2f583 DB |
7858 | |
7859 | env->strict_alignment = !!(attr->prog_flags & BPF_F_STRICT_ALIGNMENT); | |
7860 | if (!IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) | |
e07b98d9 | 7861 | env->strict_alignment = true; |
e9ee9efc DM |
7862 | if (attr->prog_flags & BPF_F_ANY_ALIGNMENT) |
7863 | env->strict_alignment = false; | |
cbd35700 | 7864 | |
e2ae4ca2 JK |
7865 | is_priv = capable(CAP_SYS_ADMIN); |
7866 | env->allow_ptr_leaks = is_priv; | |
7867 | ||
f4e3ec0d JK |
7868 | ret = replace_map_fd_with_map_ptr(env); |
7869 | if (ret < 0) | |
7870 | goto skip_full_check; | |
7871 | ||
cae1927c | 7872 | if (bpf_prog_is_dev_bound(env->prog->aux)) { |
a40a2632 | 7873 | ret = bpf_prog_offload_verifier_prep(env->prog); |
ab3f0063 | 7874 | if (ret) |
f4e3ec0d | 7875 | goto skip_full_check; |
ab3f0063 JK |
7876 | } |
7877 | ||
9bac3d6d | 7878 | env->explored_states = kcalloc(env->prog->len, |
58e2af8b | 7879 | sizeof(struct bpf_verifier_state_list *), |
f1bca824 AS |
7880 | GFP_USER); |
7881 | ret = -ENOMEM; | |
7882 | if (!env->explored_states) | |
7883 | goto skip_full_check; | |
7884 | ||
d9762e84 | 7885 | ret = check_subprogs(env); |
475fb78f AS |
7886 | if (ret < 0) |
7887 | goto skip_full_check; | |
7888 | ||
c454a46b | 7889 | ret = check_btf_info(env, attr, uattr); |
838e9690 YS |
7890 | if (ret < 0) |
7891 | goto skip_full_check; | |
7892 | ||
d9762e84 MKL |
7893 | ret = check_cfg(env); |
7894 | if (ret < 0) | |
7895 | goto skip_full_check; | |
7896 | ||
17a52670 | 7897 | ret = do_check(env); |
8c01c4f8 CG |
7898 | if (env->cur_state) { |
7899 | free_verifier_state(env->cur_state, true); | |
7900 | env->cur_state = NULL; | |
7901 | } | |
cbd35700 | 7902 | |
c941ce9c QM |
7903 | if (ret == 0 && bpf_prog_is_dev_bound(env->prog->aux)) |
7904 | ret = bpf_prog_offload_finalize(env); | |
7905 | ||
0246e64d | 7906 | skip_full_check: |
638f5b90 | 7907 | while (!pop_stack(env, NULL, NULL)); |
f1bca824 | 7908 | free_states(env); |
0246e64d | 7909 | |
c131187d | 7910 | if (ret == 0) |
9b38c405 | 7911 | ret = check_max_stack_depth(env); |
c131187d | 7912 | |
9b38c405 | 7913 | /* instruction rewrites happen after this point */ |
e2ae4ca2 JK |
7914 | if (is_priv) { |
7915 | if (ret == 0) | |
7916 | opt_hard_wire_dead_code_branches(env); | |
52875a04 JK |
7917 | if (ret == 0) |
7918 | ret = opt_remove_dead_code(env); | |
a1b14abc JK |
7919 | if (ret == 0) |
7920 | ret = opt_remove_nops(env); | |
52875a04 JK |
7921 | } else { |
7922 | if (ret == 0) | |
7923 | sanitize_dead_code(env); | |
e2ae4ca2 JK |
7924 | } |
7925 | ||
9bac3d6d AS |
7926 | if (ret == 0) |
7927 | /* program is valid, convert *(u32*)(ctx + off) accesses */ | |
7928 | ret = convert_ctx_accesses(env); | |
7929 | ||
e245c5c6 | 7930 | if (ret == 0) |
79741b3b | 7931 | ret = fixup_bpf_calls(env); |
e245c5c6 | 7932 | |
1ea47e01 AS |
7933 | if (ret == 0) |
7934 | ret = fixup_call_args(env); | |
7935 | ||
a2a7d570 | 7936 | if (log->level && bpf_verifier_log_full(log)) |
cbd35700 | 7937 | ret = -ENOSPC; |
a2a7d570 | 7938 | if (log->level && !log->ubuf) { |
cbd35700 | 7939 | ret = -EFAULT; |
a2a7d570 | 7940 | goto err_release_maps; |
cbd35700 AS |
7941 | } |
7942 | ||
0246e64d AS |
7943 | if (ret == 0 && env->used_map_cnt) { |
7944 | /* if program passed verifier, update used_maps in bpf_prog_info */ | |
9bac3d6d AS |
7945 | env->prog->aux->used_maps = kmalloc_array(env->used_map_cnt, |
7946 | sizeof(env->used_maps[0]), | |
7947 | GFP_KERNEL); | |
0246e64d | 7948 | |
9bac3d6d | 7949 | if (!env->prog->aux->used_maps) { |
0246e64d | 7950 | ret = -ENOMEM; |
a2a7d570 | 7951 | goto err_release_maps; |
0246e64d AS |
7952 | } |
7953 | ||
9bac3d6d | 7954 | memcpy(env->prog->aux->used_maps, env->used_maps, |
0246e64d | 7955 | sizeof(env->used_maps[0]) * env->used_map_cnt); |
9bac3d6d | 7956 | env->prog->aux->used_map_cnt = env->used_map_cnt; |
0246e64d AS |
7957 | |
7958 | /* program is valid. Convert pseudo bpf_ld_imm64 into generic | |
7959 | * bpf_ld_imm64 instructions | |
7960 | */ | |
7961 | convert_pseudo_ld_imm64(env); | |
7962 | } | |
cbd35700 | 7963 | |
ba64e7d8 YS |
7964 | if (ret == 0) |
7965 | adjust_btf_func(env); | |
7966 | ||
a2a7d570 | 7967 | err_release_maps: |
9bac3d6d | 7968 | if (!env->prog->aux->used_maps) |
0246e64d | 7969 | /* if we didn't copy map pointers into bpf_prog_info, release |
ab7f5bf0 | 7970 | * them now. Otherwise free_used_maps() will release them. |
0246e64d AS |
7971 | */ |
7972 | release_maps(env); | |
9bac3d6d | 7973 | *prog = env->prog; |
3df126f3 | 7974 | err_unlock: |
cbd35700 | 7975 | mutex_unlock(&bpf_verifier_lock); |
3df126f3 JK |
7976 | vfree(env->insn_aux_data); |
7977 | err_free_env: | |
7978 | kfree(env); | |
51580e79 AS |
7979 | return ret; |
7980 | } |