1 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
2 * Copyright (c) 2016 Facebook
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of version 2 of the GNU General Public
6 * License as published by the Free Software Foundation.
8 * This program is distributed in the hope that it will be useful, but
9 * WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11 * General Public License for more details.
13 #include <linux/kernel.h>
14 #include <linux/types.h>
15 #include <linux/slab.h>
16 #include <linux/bpf.h>
17 #include <linux/bpf_verifier.h>
18 #include <linux/filter.h>
19 #include <net/netlink.h>
20 #include <linux/file.h>
21 #include <linux/vmalloc.h>
23 /* bpf_check() is a static code analyzer that walks eBPF program
24 * instruction by instruction and updates register/stack state.
25 * All paths of conditional branches are analyzed until 'bpf_exit' insn.
27 * The first pass is depth-first-search to check that the program is a DAG.
28 * It rejects the following programs:
29 * - larger than BPF_MAXINSNS insns
30 * - if loop is present (detected via back-edge)
31 * - unreachable insns exist (shouldn't be a forest. program = one function)
32 * - out of bounds or malformed jumps
33 * The second pass is all possible path descent from the 1st insn.
34 * Since it's analyzing all pathes through the program, the length of the
35 * analysis is limited to 32k insn, which may be hit even if total number of
36 * insn is less then 4K, but there are too many branches that change stack/regs.
37 * Number of 'branches to be analyzed' is limited to 1k
39 * On entry to each instruction, each register has a type, and the instruction
40 * changes the types of the registers depending on instruction semantics.
41 * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is
44 * All registers are 64-bit.
45 * R0 - return register
46 * R1-R5 argument passing registers
47 * R6-R9 callee saved registers
48 * R10 - frame pointer read-only
50 * At the start of BPF program the register R1 contains a pointer to bpf_context
51 * and has type PTR_TO_CTX.
53 * Verifier tracks arithmetic operations on pointers in case:
54 * BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
55 * BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20),
56 * 1st insn copies R10 (which has FRAME_PTR) type into R1
57 * and 2nd arithmetic instruction is pattern matched to recognize
58 * that it wants to construct a pointer to some element within stack.
59 * So after 2nd insn, the register R1 has type PTR_TO_STACK
60 * (and -20 constant is saved for further stack bounds checking).
61 * Meaning that this reg is a pointer to stack plus known immediate constant.
63 * Most of the time the registers have UNKNOWN_VALUE type, which
64 * means the register has some value, but it's not a valid pointer.
65 * (like pointer plus pointer becomes UNKNOWN_VALUE type)
67 * When verifier sees load or store instructions the type of base register
68 * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, FRAME_PTR. These are three pointer
69 * types recognized by check_mem_access() function.
71 * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value'
72 * and the range of [ptr, ptr + map's value_size) is accessible.
74 * registers used to pass values to function calls are checked against
75 * function argument constraints.
77 * ARG_PTR_TO_MAP_KEY is one of such argument constraints.
78 * It means that the register type passed to this function must be
79 * PTR_TO_STACK and it will be used inside the function as
80 * 'pointer to map element key'
82 * For example the argument constraints for bpf_map_lookup_elem():
83 * .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
84 * .arg1_type = ARG_CONST_MAP_PTR,
85 * .arg2_type = ARG_PTR_TO_MAP_KEY,
87 * ret_type says that this function returns 'pointer to map elem value or null'
88 * function expects 1st argument to be a const pointer to 'struct bpf_map' and
89 * 2nd argument should be a pointer to stack, which will be used inside
90 * the helper function as a pointer to map element key.
92 * On the kernel side the helper function looks like:
93 * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
95 * struct bpf_map *map = (struct bpf_map *) (unsigned long) r1;
96 * void *key = (void *) (unsigned long) r2;
99 * here kernel can access 'key' and 'map' pointers safely, knowing that
100 * [key, key + map->key_size) bytes are valid and were initialized on
101 * the stack of eBPF program.
104 * Corresponding eBPF program may look like:
105 * BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), // after this insn R2 type is FRAME_PTR
106 * BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK
107 * BPF_LD_MAP_FD(BPF_REG_1, map_fd), // after this insn R1 type is CONST_PTR_TO_MAP
108 * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
109 * here verifier looks at prototype of map_lookup_elem() and sees:
110 * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok,
111 * Now verifier knows that this map has key of R1->map_ptr->key_size bytes
113 * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far,
114 * Now verifier checks that [R2, R2 + map's key_size) are within stack limits
115 * and were initialized prior to this call.
116 * If it's ok, then verifier allows this BPF_CALL insn and looks at
117 * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets
118 * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function
119 * returns ether pointer to map value or NULL.
121 * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off'
122 * insn, the register holding that pointer in the true branch changes state to
123 * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false
124 * branch. See check_cond_jmp_op().
126 * After the call R0 is set to return type of the function and registers R1-R5
127 * are set to NOT_INIT to indicate that they are no longer readable.
130 /* verifier_state + insn_idx are pushed to stack when branch is encountered */
131 struct bpf_verifier_stack_elem
{
132 /* verifer state is 'st'
133 * before processing instruction 'insn_idx'
134 * and after processing instruction 'prev_insn_idx'
136 struct bpf_verifier_state st
;
139 struct bpf_verifier_stack_elem
*next
;
142 #define BPF_COMPLEXITY_LIMIT_INSNS 65536
143 #define BPF_COMPLEXITY_LIMIT_STACK 1024
145 struct bpf_call_arg_meta
{
146 struct bpf_map
*map_ptr
;
153 /* verbose verifier prints what it's seeing
154 * bpf_check() is called under lock, so no race to access these global vars
156 static u32 log_level
, log_size
, log_len
;
157 static char *log_buf
;
159 static DEFINE_MUTEX(bpf_verifier_lock
);
161 /* log_level controls verbosity level of eBPF verifier.
162 * verbose() is used to dump the verification trace to the log, so the user
163 * can figure out what's wrong with the program
165 static __printf(1, 2) void verbose(const char *fmt
, ...)
169 if (log_level
== 0 || log_len
>= log_size
- 1)
173 log_len
+= vscnprintf(log_buf
+ log_len
, log_size
- log_len
, fmt
, args
);
177 /* string representation of 'enum bpf_reg_type' */
178 static const char * const reg_type_str
[] = {
180 [UNKNOWN_VALUE
] = "inv",
181 [PTR_TO_CTX
] = "ctx",
182 [CONST_PTR_TO_MAP
] = "map_ptr",
183 [PTR_TO_MAP_VALUE
] = "map_value",
184 [PTR_TO_MAP_VALUE_OR_NULL
] = "map_value_or_null",
186 [PTR_TO_STACK
] = "fp",
188 [PTR_TO_PACKET
] = "pkt",
189 [PTR_TO_PACKET_END
] = "pkt_end",
192 static void print_verifier_state(struct bpf_verifier_state
*state
)
194 struct bpf_reg_state
*reg
;
198 for (i
= 0; i
< MAX_BPF_REG
; i
++) {
199 reg
= &state
->regs
[i
];
203 verbose(" R%d=%s", i
, reg_type_str
[t
]);
204 if (t
== CONST_IMM
|| t
== PTR_TO_STACK
)
205 verbose("%lld", reg
->imm
);
206 else if (t
== PTR_TO_PACKET
)
207 verbose("(id=%d,off=%d,r=%d)",
208 reg
->id
, reg
->off
, reg
->range
);
209 else if (t
== UNKNOWN_VALUE
&& reg
->imm
)
210 verbose("%lld", reg
->imm
);
211 else if (t
== CONST_PTR_TO_MAP
|| t
== PTR_TO_MAP_VALUE
||
212 t
== PTR_TO_MAP_VALUE_OR_NULL
)
213 verbose("(ks=%d,vs=%d)",
214 reg
->map_ptr
->key_size
,
215 reg
->map_ptr
->value_size
);
217 for (i
= 0; i
< MAX_BPF_STACK
; i
+= BPF_REG_SIZE
) {
218 if (state
->stack_slot_type
[i
] == STACK_SPILL
)
219 verbose(" fp%d=%s", -MAX_BPF_STACK
+ i
,
220 reg_type_str
[state
->spilled_regs
[i
/ BPF_REG_SIZE
].type
]);
225 static const char *const bpf_class_string
[] = {
233 [BPF_ALU64
] = "alu64",
236 static const char *const bpf_alu_string
[16] = {
237 [BPF_ADD
>> 4] = "+=",
238 [BPF_SUB
>> 4] = "-=",
239 [BPF_MUL
>> 4] = "*=",
240 [BPF_DIV
>> 4] = "/=",
241 [BPF_OR
>> 4] = "|=",
242 [BPF_AND
>> 4] = "&=",
243 [BPF_LSH
>> 4] = "<<=",
244 [BPF_RSH
>> 4] = ">>=",
245 [BPF_NEG
>> 4] = "neg",
246 [BPF_MOD
>> 4] = "%=",
247 [BPF_XOR
>> 4] = "^=",
248 [BPF_MOV
>> 4] = "=",
249 [BPF_ARSH
>> 4] = "s>>=",
250 [BPF_END
>> 4] = "endian",
253 static const char *const bpf_ldst_string
[] = {
254 [BPF_W
>> 3] = "u32",
255 [BPF_H
>> 3] = "u16",
257 [BPF_DW
>> 3] = "u64",
260 static const char *const bpf_jmp_string
[16] = {
261 [BPF_JA
>> 4] = "jmp",
262 [BPF_JEQ
>> 4] = "==",
263 [BPF_JGT
>> 4] = ">",
264 [BPF_JGE
>> 4] = ">=",
265 [BPF_JSET
>> 4] = "&",
266 [BPF_JNE
>> 4] = "!=",
267 [BPF_JSGT
>> 4] = "s>",
268 [BPF_JSGE
>> 4] = "s>=",
269 [BPF_CALL
>> 4] = "call",
270 [BPF_EXIT
>> 4] = "exit",
273 static void print_bpf_insn(struct bpf_insn
*insn
)
275 u8
class = BPF_CLASS(insn
->code
);
277 if (class == BPF_ALU
|| class == BPF_ALU64
) {
278 if (BPF_SRC(insn
->code
) == BPF_X
)
279 verbose("(%02x) %sr%d %s %sr%d\n",
280 insn
->code
, class == BPF_ALU
? "(u32) " : "",
282 bpf_alu_string
[BPF_OP(insn
->code
) >> 4],
283 class == BPF_ALU
? "(u32) " : "",
286 verbose("(%02x) %sr%d %s %s%d\n",
287 insn
->code
, class == BPF_ALU
? "(u32) " : "",
289 bpf_alu_string
[BPF_OP(insn
->code
) >> 4],
290 class == BPF_ALU
? "(u32) " : "",
292 } else if (class == BPF_STX
) {
293 if (BPF_MODE(insn
->code
) == BPF_MEM
)
294 verbose("(%02x) *(%s *)(r%d %+d) = r%d\n",
296 bpf_ldst_string
[BPF_SIZE(insn
->code
) >> 3],
298 insn
->off
, insn
->src_reg
);
299 else if (BPF_MODE(insn
->code
) == BPF_XADD
)
300 verbose("(%02x) lock *(%s *)(r%d %+d) += r%d\n",
302 bpf_ldst_string
[BPF_SIZE(insn
->code
) >> 3],
303 insn
->dst_reg
, insn
->off
,
306 verbose("BUG_%02x\n", insn
->code
);
307 } else if (class == BPF_ST
) {
308 if (BPF_MODE(insn
->code
) != BPF_MEM
) {
309 verbose("BUG_st_%02x\n", insn
->code
);
312 verbose("(%02x) *(%s *)(r%d %+d) = %d\n",
314 bpf_ldst_string
[BPF_SIZE(insn
->code
) >> 3],
316 insn
->off
, insn
->imm
);
317 } else if (class == BPF_LDX
) {
318 if (BPF_MODE(insn
->code
) != BPF_MEM
) {
319 verbose("BUG_ldx_%02x\n", insn
->code
);
322 verbose("(%02x) r%d = *(%s *)(r%d %+d)\n",
323 insn
->code
, insn
->dst_reg
,
324 bpf_ldst_string
[BPF_SIZE(insn
->code
) >> 3],
325 insn
->src_reg
, insn
->off
);
326 } else if (class == BPF_LD
) {
327 if (BPF_MODE(insn
->code
) == BPF_ABS
) {
328 verbose("(%02x) r0 = *(%s *)skb[%d]\n",
330 bpf_ldst_string
[BPF_SIZE(insn
->code
) >> 3],
332 } else if (BPF_MODE(insn
->code
) == BPF_IND
) {
333 verbose("(%02x) r0 = *(%s *)skb[r%d + %d]\n",
335 bpf_ldst_string
[BPF_SIZE(insn
->code
) >> 3],
336 insn
->src_reg
, insn
->imm
);
337 } else if (BPF_MODE(insn
->code
) == BPF_IMM
) {
338 verbose("(%02x) r%d = 0x%x\n",
339 insn
->code
, insn
->dst_reg
, insn
->imm
);
341 verbose("BUG_ld_%02x\n", insn
->code
);
344 } else if (class == BPF_JMP
) {
345 u8 opcode
= BPF_OP(insn
->code
);
347 if (opcode
== BPF_CALL
) {
348 verbose("(%02x) call %d\n", insn
->code
, insn
->imm
);
349 } else if (insn
->code
== (BPF_JMP
| BPF_JA
)) {
350 verbose("(%02x) goto pc%+d\n",
351 insn
->code
, insn
->off
);
352 } else if (insn
->code
== (BPF_JMP
| BPF_EXIT
)) {
353 verbose("(%02x) exit\n", insn
->code
);
354 } else if (BPF_SRC(insn
->code
) == BPF_X
) {
355 verbose("(%02x) if r%d %s r%d goto pc%+d\n",
356 insn
->code
, insn
->dst_reg
,
357 bpf_jmp_string
[BPF_OP(insn
->code
) >> 4],
358 insn
->src_reg
, insn
->off
);
360 verbose("(%02x) if r%d %s 0x%x goto pc%+d\n",
361 insn
->code
, insn
->dst_reg
,
362 bpf_jmp_string
[BPF_OP(insn
->code
) >> 4],
363 insn
->imm
, insn
->off
);
366 verbose("(%02x) %s\n", insn
->code
, bpf_class_string
[class]);
370 static int pop_stack(struct bpf_verifier_env
*env
, int *prev_insn_idx
)
372 struct bpf_verifier_stack_elem
*elem
;
375 if (env
->head
== NULL
)
378 memcpy(&env
->cur_state
, &env
->head
->st
, sizeof(env
->cur_state
));
379 insn_idx
= env
->head
->insn_idx
;
381 *prev_insn_idx
= env
->head
->prev_insn_idx
;
382 elem
= env
->head
->next
;
389 static struct bpf_verifier_state
*push_stack(struct bpf_verifier_env
*env
,
390 int insn_idx
, int prev_insn_idx
)
392 struct bpf_verifier_stack_elem
*elem
;
394 elem
= kmalloc(sizeof(struct bpf_verifier_stack_elem
), GFP_KERNEL
);
398 memcpy(&elem
->st
, &env
->cur_state
, sizeof(env
->cur_state
));
399 elem
->insn_idx
= insn_idx
;
400 elem
->prev_insn_idx
= prev_insn_idx
;
401 elem
->next
= env
->head
;
404 if (env
->stack_size
> BPF_COMPLEXITY_LIMIT_STACK
) {
405 verbose("BPF program is too complex\n");
410 /* pop all elements and return */
411 while (pop_stack(env
, NULL
) >= 0);
415 #define CALLER_SAVED_REGS 6
416 static const int caller_saved
[CALLER_SAVED_REGS
] = {
417 BPF_REG_0
, BPF_REG_1
, BPF_REG_2
, BPF_REG_3
, BPF_REG_4
, BPF_REG_5
420 static void init_reg_state(struct bpf_reg_state
*regs
)
424 for (i
= 0; i
< MAX_BPF_REG
; i
++) {
425 regs
[i
].type
= NOT_INIT
;
430 regs
[BPF_REG_FP
].type
= FRAME_PTR
;
432 /* 1st arg to a function */
433 regs
[BPF_REG_1
].type
= PTR_TO_CTX
;
436 static void mark_reg_unknown_value(struct bpf_reg_state
*regs
, u32 regno
)
438 BUG_ON(regno
>= MAX_BPF_REG
);
439 regs
[regno
].type
= UNKNOWN_VALUE
;
444 SRC_OP
, /* register is used as source operand */
445 DST_OP
, /* register is used as destination operand */
446 DST_OP_NO_MARK
/* same as above, check only, don't mark */
449 static int check_reg_arg(struct bpf_reg_state
*regs
, u32 regno
,
452 if (regno
>= MAX_BPF_REG
) {
453 verbose("R%d is invalid\n", regno
);
458 /* check whether register used as source operand can be read */
459 if (regs
[regno
].type
== NOT_INIT
) {
460 verbose("R%d !read_ok\n", regno
);
464 /* check whether register used as dest operand can be written to */
465 if (regno
== BPF_REG_FP
) {
466 verbose("frame pointer is read only\n");
470 mark_reg_unknown_value(regs
, regno
);
475 static int bpf_size_to_bytes(int bpf_size
)
477 if (bpf_size
== BPF_W
)
479 else if (bpf_size
== BPF_H
)
481 else if (bpf_size
== BPF_B
)
483 else if (bpf_size
== BPF_DW
)
489 static bool is_spillable_regtype(enum bpf_reg_type type
)
492 case PTR_TO_MAP_VALUE
:
493 case PTR_TO_MAP_VALUE_OR_NULL
:
497 case PTR_TO_PACKET_END
:
499 case CONST_PTR_TO_MAP
:
506 /* check_stack_read/write functions track spill/fill of registers,
507 * stack boundary and alignment are checked in check_mem_access()
509 static int check_stack_write(struct bpf_verifier_state
*state
, int off
,
510 int size
, int value_regno
)
513 /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
514 * so it's aligned access and [off, off + size) are within stack limits
517 if (value_regno
>= 0 &&
518 is_spillable_regtype(state
->regs
[value_regno
].type
)) {
520 /* register containing pointer is being spilled into stack */
521 if (size
!= BPF_REG_SIZE
) {
522 verbose("invalid size of register spill\n");
526 /* save register state */
527 state
->spilled_regs
[(MAX_BPF_STACK
+ off
) / BPF_REG_SIZE
] =
528 state
->regs
[value_regno
];
530 for (i
= 0; i
< BPF_REG_SIZE
; i
++)
531 state
->stack_slot_type
[MAX_BPF_STACK
+ off
+ i
] = STACK_SPILL
;
533 /* regular write of data into stack */
534 state
->spilled_regs
[(MAX_BPF_STACK
+ off
) / BPF_REG_SIZE
] =
535 (struct bpf_reg_state
) {};
537 for (i
= 0; i
< size
; i
++)
538 state
->stack_slot_type
[MAX_BPF_STACK
+ off
+ i
] = STACK_MISC
;
543 static int check_stack_read(struct bpf_verifier_state
*state
, int off
, int size
,
549 slot_type
= &state
->stack_slot_type
[MAX_BPF_STACK
+ off
];
551 if (slot_type
[0] == STACK_SPILL
) {
552 if (size
!= BPF_REG_SIZE
) {
553 verbose("invalid size of register spill\n");
556 for (i
= 1; i
< BPF_REG_SIZE
; i
++) {
557 if (slot_type
[i
] != STACK_SPILL
) {
558 verbose("corrupted spill memory\n");
563 if (value_regno
>= 0)
564 /* restore register state from stack */
565 state
->regs
[value_regno
] =
566 state
->spilled_regs
[(MAX_BPF_STACK
+ off
) / BPF_REG_SIZE
];
569 for (i
= 0; i
< size
; i
++) {
570 if (slot_type
[i
] != STACK_MISC
) {
571 verbose("invalid read from stack off %d+%d size %d\n",
576 if (value_regno
>= 0)
577 /* have read misc data from the stack */
578 mark_reg_unknown_value(state
->regs
, value_regno
);
583 /* check read/write into map element returned by bpf_map_lookup_elem() */
584 static int check_map_access(struct bpf_verifier_env
*env
, u32 regno
, int off
,
587 struct bpf_map
*map
= env
->cur_state
.regs
[regno
].map_ptr
;
589 if (off
< 0 || off
+ size
> map
->value_size
) {
590 verbose("invalid access to map value, value_size=%d off=%d size=%d\n",
591 map
->value_size
, off
, size
);
597 #define MAX_PACKET_OFF 0xffff
599 static bool may_access_direct_pkt_data(struct bpf_verifier_env
*env
,
600 const struct bpf_call_arg_meta
*meta
)
602 switch (env
->prog
->type
) {
603 case BPF_PROG_TYPE_SCHED_CLS
:
604 case BPF_PROG_TYPE_SCHED_ACT
:
605 case BPF_PROG_TYPE_XDP
:
607 return meta
->pkt_access
;
609 env
->seen_direct_write
= true;
616 static int check_packet_access(struct bpf_verifier_env
*env
, u32 regno
, int off
,
619 struct bpf_reg_state
*regs
= env
->cur_state
.regs
;
620 struct bpf_reg_state
*reg
= ®s
[regno
];
623 if (off
< 0 || size
<= 0 || off
+ size
> reg
->range
) {
624 verbose("invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n",
625 off
, size
, regno
, reg
->id
, reg
->off
, reg
->range
);
631 /* check access to 'struct bpf_context' fields */
632 static int check_ctx_access(struct bpf_verifier_env
*env
, int off
, int size
,
633 enum bpf_access_type t
, enum bpf_reg_type
*reg_type
)
635 /* for analyzer ctx accesses are already validated and converted */
636 if (env
->analyzer_ops
)
639 if (env
->prog
->aux
->ops
->is_valid_access
&&
640 env
->prog
->aux
->ops
->is_valid_access(off
, size
, t
, reg_type
)) {
641 /* remember the offset of last byte accessed in ctx */
642 if (env
->prog
->aux
->max_ctx_offset
< off
+ size
)
643 env
->prog
->aux
->max_ctx_offset
= off
+ size
;
647 verbose("invalid bpf_context access off=%d size=%d\n", off
, size
);
651 static bool is_pointer_value(struct bpf_verifier_env
*env
, int regno
)
653 if (env
->allow_ptr_leaks
)
656 switch (env
->cur_state
.regs
[regno
].type
) {
665 static int check_ptr_alignment(struct bpf_verifier_env
*env
,
666 struct bpf_reg_state
*reg
, int off
, int size
)
668 if (reg
->type
!= PTR_TO_PACKET
) {
669 if (off
% size
!= 0) {
670 verbose("misaligned access off %d size %d\n",
678 switch (env
->prog
->type
) {
679 case BPF_PROG_TYPE_SCHED_CLS
:
680 case BPF_PROG_TYPE_SCHED_ACT
:
681 case BPF_PROG_TYPE_XDP
:
684 verbose("verifier is misconfigured\n");
688 if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
))
689 /* misaligned access to packet is ok on x86,arm,arm64 */
692 if (reg
->id
&& size
!= 1) {
693 verbose("Unknown packet alignment. Only byte-sized access allowed\n");
697 /* skb->data is NET_IP_ALIGN-ed */
698 if ((NET_IP_ALIGN
+ reg
->off
+ off
) % size
!= 0) {
699 verbose("misaligned packet access off %d+%d+%d size %d\n",
700 NET_IP_ALIGN
, reg
->off
, off
, size
);
706 /* check whether memory at (regno + off) is accessible for t = (read | write)
707 * if t==write, value_regno is a register which value is stored into memory
708 * if t==read, value_regno is a register which will receive the value from memory
709 * if t==write && value_regno==-1, some unknown value is stored into memory
710 * if t==read && value_regno==-1, don't care what we read from memory
712 static int check_mem_access(struct bpf_verifier_env
*env
, u32 regno
, int off
,
713 int bpf_size
, enum bpf_access_type t
,
716 struct bpf_verifier_state
*state
= &env
->cur_state
;
717 struct bpf_reg_state
*reg
= &state
->regs
[regno
];
720 if (reg
->type
== PTR_TO_STACK
)
723 size
= bpf_size_to_bytes(bpf_size
);
727 err
= check_ptr_alignment(env
, reg
, off
, size
);
731 if (reg
->type
== PTR_TO_MAP_VALUE
) {
732 if (t
== BPF_WRITE
&& value_regno
>= 0 &&
733 is_pointer_value(env
, value_regno
)) {
734 verbose("R%d leaks addr into map\n", value_regno
);
737 err
= check_map_access(env
, regno
, off
, size
);
738 if (!err
&& t
== BPF_READ
&& value_regno
>= 0)
739 mark_reg_unknown_value(state
->regs
, value_regno
);
741 } else if (reg
->type
== PTR_TO_CTX
) {
742 enum bpf_reg_type reg_type
= UNKNOWN_VALUE
;
744 if (t
== BPF_WRITE
&& value_regno
>= 0 &&
745 is_pointer_value(env
, value_regno
)) {
746 verbose("R%d leaks addr into ctx\n", value_regno
);
749 err
= check_ctx_access(env
, off
, size
, t
, ®_type
);
750 if (!err
&& t
== BPF_READ
&& value_regno
>= 0) {
751 mark_reg_unknown_value(state
->regs
, value_regno
);
752 /* note that reg.[id|off|range] == 0 */
753 state
->regs
[value_regno
].type
= reg_type
;
756 } else if (reg
->type
== FRAME_PTR
|| reg
->type
== PTR_TO_STACK
) {
757 if (off
>= 0 || off
< -MAX_BPF_STACK
) {
758 verbose("invalid stack off=%d size=%d\n", off
, size
);
761 if (t
== BPF_WRITE
) {
762 if (!env
->allow_ptr_leaks
&&
763 state
->stack_slot_type
[MAX_BPF_STACK
+ off
] == STACK_SPILL
&&
764 size
!= BPF_REG_SIZE
) {
765 verbose("attempt to corrupt spilled pointer on stack\n");
768 err
= check_stack_write(state
, off
, size
, value_regno
);
770 err
= check_stack_read(state
, off
, size
, value_regno
);
772 } else if (state
->regs
[regno
].type
== PTR_TO_PACKET
) {
773 if (t
== BPF_WRITE
&& !may_access_direct_pkt_data(env
, NULL
)) {
774 verbose("cannot write into packet\n");
777 if (t
== BPF_WRITE
&& value_regno
>= 0 &&
778 is_pointer_value(env
, value_regno
)) {
779 verbose("R%d leaks addr into packet\n", value_regno
);
782 err
= check_packet_access(env
, regno
, off
, size
);
783 if (!err
&& t
== BPF_READ
&& value_regno
>= 0)
784 mark_reg_unknown_value(state
->regs
, value_regno
);
786 verbose("R%d invalid mem access '%s'\n",
787 regno
, reg_type_str
[reg
->type
]);
791 if (!err
&& size
<= 2 && value_regno
>= 0 && env
->allow_ptr_leaks
&&
792 state
->regs
[value_regno
].type
== UNKNOWN_VALUE
) {
793 /* 1 or 2 byte load zero-extends, determine the number of
794 * zero upper bits. Not doing it fo 4 byte load, since
795 * such values cannot be added to ptr_to_packet anyway.
797 state
->regs
[value_regno
].imm
= 64 - size
* 8;
802 static int check_xadd(struct bpf_verifier_env
*env
, struct bpf_insn
*insn
)
804 struct bpf_reg_state
*regs
= env
->cur_state
.regs
;
807 if ((BPF_SIZE(insn
->code
) != BPF_W
&& BPF_SIZE(insn
->code
) != BPF_DW
) ||
809 verbose("BPF_XADD uses reserved fields\n");
813 /* check src1 operand */
814 err
= check_reg_arg(regs
, insn
->src_reg
, SRC_OP
);
818 /* check src2 operand */
819 err
= check_reg_arg(regs
, insn
->dst_reg
, SRC_OP
);
823 /* check whether atomic_add can read the memory */
824 err
= check_mem_access(env
, insn
->dst_reg
, insn
->off
,
825 BPF_SIZE(insn
->code
), BPF_READ
, -1);
829 /* check whether atomic_add can write into the same memory */
830 return check_mem_access(env
, insn
->dst_reg
, insn
->off
,
831 BPF_SIZE(insn
->code
), BPF_WRITE
, -1);
834 /* when register 'regno' is passed into function that will read 'access_size'
835 * bytes from that pointer, make sure that it's within stack boundary
836 * and all elements of stack are initialized
838 static int check_stack_boundary(struct bpf_verifier_env
*env
, int regno
,
839 int access_size
, bool zero_size_allowed
,
840 struct bpf_call_arg_meta
*meta
)
842 struct bpf_verifier_state
*state
= &env
->cur_state
;
843 struct bpf_reg_state
*regs
= state
->regs
;
846 if (regs
[regno
].type
!= PTR_TO_STACK
) {
847 if (zero_size_allowed
&& access_size
== 0 &&
848 regs
[regno
].type
== CONST_IMM
&&
849 regs
[regno
].imm
== 0)
852 verbose("R%d type=%s expected=%s\n", regno
,
853 reg_type_str
[regs
[regno
].type
],
854 reg_type_str
[PTR_TO_STACK
]);
858 off
= regs
[regno
].imm
;
859 if (off
>= 0 || off
< -MAX_BPF_STACK
|| off
+ access_size
> 0 ||
861 verbose("invalid stack type R%d off=%d access_size=%d\n",
862 regno
, off
, access_size
);
866 if (meta
&& meta
->raw_mode
) {
867 meta
->access_size
= access_size
;
872 for (i
= 0; i
< access_size
; i
++) {
873 if (state
->stack_slot_type
[MAX_BPF_STACK
+ off
+ i
] != STACK_MISC
) {
874 verbose("invalid indirect read from stack off %d+%d size %d\n",
875 off
, i
, access_size
);
882 static int check_func_arg(struct bpf_verifier_env
*env
, u32 regno
,
883 enum bpf_arg_type arg_type
,
884 struct bpf_call_arg_meta
*meta
)
886 struct bpf_reg_state
*regs
= env
->cur_state
.regs
, *reg
= ®s
[regno
];
887 enum bpf_reg_type expected_type
, type
= reg
->type
;
890 if (arg_type
== ARG_DONTCARE
)
893 if (type
== NOT_INIT
) {
894 verbose("R%d !read_ok\n", regno
);
898 if (arg_type
== ARG_ANYTHING
) {
899 if (is_pointer_value(env
, regno
)) {
900 verbose("R%d leaks addr into helper function\n", regno
);
906 if (type
== PTR_TO_PACKET
&& !may_access_direct_pkt_data(env
, meta
)) {
907 verbose("helper access to the packet is not allowed\n");
911 if (arg_type
== ARG_PTR_TO_MAP_KEY
||
912 arg_type
== ARG_PTR_TO_MAP_VALUE
) {
913 expected_type
= PTR_TO_STACK
;
914 if (type
!= PTR_TO_PACKET
&& type
!= expected_type
)
916 } else if (arg_type
== ARG_CONST_STACK_SIZE
||
917 arg_type
== ARG_CONST_STACK_SIZE_OR_ZERO
) {
918 expected_type
= CONST_IMM
;
919 if (type
!= expected_type
)
921 } else if (arg_type
== ARG_CONST_MAP_PTR
) {
922 expected_type
= CONST_PTR_TO_MAP
;
923 if (type
!= expected_type
)
925 } else if (arg_type
== ARG_PTR_TO_CTX
) {
926 expected_type
= PTR_TO_CTX
;
927 if (type
!= expected_type
)
929 } else if (arg_type
== ARG_PTR_TO_STACK
||
930 arg_type
== ARG_PTR_TO_RAW_STACK
) {
931 expected_type
= PTR_TO_STACK
;
932 /* One exception here. In case function allows for NULL to be
933 * passed in as argument, it's a CONST_IMM type. Final test
934 * happens during stack boundary checking.
936 if (type
== CONST_IMM
&& reg
->imm
== 0)
937 /* final test in check_stack_boundary() */;
938 else if (type
!= PTR_TO_PACKET
&& type
!= expected_type
)
940 meta
->raw_mode
= arg_type
== ARG_PTR_TO_RAW_STACK
;
942 verbose("unsupported arg_type %d\n", arg_type
);
946 if (arg_type
== ARG_CONST_MAP_PTR
) {
947 /* bpf_map_xxx(map_ptr) call: remember that map_ptr */
948 meta
->map_ptr
= reg
->map_ptr
;
949 } else if (arg_type
== ARG_PTR_TO_MAP_KEY
) {
950 /* bpf_map_xxx(..., map_ptr, ..., key) call:
951 * check that [key, key + map->key_size) are within
952 * stack limits and initialized
954 if (!meta
->map_ptr
) {
955 /* in function declaration map_ptr must come before
956 * map_key, so that it's verified and known before
957 * we have to check map_key here. Otherwise it means
958 * that kernel subsystem misconfigured verifier
960 verbose("invalid map_ptr to access map->key\n");
963 if (type
== PTR_TO_PACKET
)
964 err
= check_packet_access(env
, regno
, 0,
965 meta
->map_ptr
->key_size
);
967 err
= check_stack_boundary(env
, regno
,
968 meta
->map_ptr
->key_size
,
970 } else if (arg_type
== ARG_PTR_TO_MAP_VALUE
) {
971 /* bpf_map_xxx(..., map_ptr, ..., value) call:
972 * check [value, value + map->value_size) validity
974 if (!meta
->map_ptr
) {
975 /* kernel subsystem misconfigured verifier */
976 verbose("invalid map_ptr to access map->value\n");
979 if (type
== PTR_TO_PACKET
)
980 err
= check_packet_access(env
, regno
, 0,
981 meta
->map_ptr
->value_size
);
983 err
= check_stack_boundary(env
, regno
,
984 meta
->map_ptr
->value_size
,
986 } else if (arg_type
== ARG_CONST_STACK_SIZE
||
987 arg_type
== ARG_CONST_STACK_SIZE_OR_ZERO
) {
988 bool zero_size_allowed
= (arg_type
== ARG_CONST_STACK_SIZE_OR_ZERO
);
990 /* bpf_xxx(..., buf, len) call will access 'len' bytes
991 * from stack pointer 'buf'. Check it
992 * note: regno == len, regno - 1 == buf
995 /* kernel subsystem misconfigured verifier */
996 verbose("ARG_CONST_STACK_SIZE cannot be first argument\n");
999 if (regs
[regno
- 1].type
== PTR_TO_PACKET
)
1000 err
= check_packet_access(env
, regno
- 1, 0, reg
->imm
);
1002 err
= check_stack_boundary(env
, regno
- 1, reg
->imm
,
1003 zero_size_allowed
, meta
);
1008 verbose("R%d type=%s expected=%s\n", regno
,
1009 reg_type_str
[type
], reg_type_str
[expected_type
]);
1013 static int check_map_func_compatibility(struct bpf_map
*map
, int func_id
)
1018 /* We need a two way check, first is from map perspective ... */
1019 switch (map
->map_type
) {
1020 case BPF_MAP_TYPE_PROG_ARRAY
:
1021 if (func_id
!= BPF_FUNC_tail_call
)
1024 case BPF_MAP_TYPE_PERF_EVENT_ARRAY
:
1025 if (func_id
!= BPF_FUNC_perf_event_read
&&
1026 func_id
!= BPF_FUNC_perf_event_output
)
1029 case BPF_MAP_TYPE_STACK_TRACE
:
1030 if (func_id
!= BPF_FUNC_get_stackid
)
1033 case BPF_MAP_TYPE_CGROUP_ARRAY
:
1034 if (func_id
!= BPF_FUNC_skb_under_cgroup
&&
1035 func_id
!= BPF_FUNC_current_task_under_cgroup
)
1042 /* ... and second from the function itself. */
1044 case BPF_FUNC_tail_call
:
1045 if (map
->map_type
!= BPF_MAP_TYPE_PROG_ARRAY
)
1048 case BPF_FUNC_perf_event_read
:
1049 case BPF_FUNC_perf_event_output
:
1050 if (map
->map_type
!= BPF_MAP_TYPE_PERF_EVENT_ARRAY
)
1053 case BPF_FUNC_get_stackid
:
1054 if (map
->map_type
!= BPF_MAP_TYPE_STACK_TRACE
)
1057 case BPF_FUNC_current_task_under_cgroup
:
1058 case BPF_FUNC_skb_under_cgroup
:
1059 if (map
->map_type
!= BPF_MAP_TYPE_CGROUP_ARRAY
)
1068 verbose("cannot pass map_type %d into func %d\n",
1069 map
->map_type
, func_id
);
1073 static int check_raw_mode(const struct bpf_func_proto
*fn
)
1077 if (fn
->arg1_type
== ARG_PTR_TO_RAW_STACK
)
1079 if (fn
->arg2_type
== ARG_PTR_TO_RAW_STACK
)
1081 if (fn
->arg3_type
== ARG_PTR_TO_RAW_STACK
)
1083 if (fn
->arg4_type
== ARG_PTR_TO_RAW_STACK
)
1085 if (fn
->arg5_type
== ARG_PTR_TO_RAW_STACK
)
1088 return count
> 1 ? -EINVAL
: 0;
1091 static void clear_all_pkt_pointers(struct bpf_verifier_env
*env
)
1093 struct bpf_verifier_state
*state
= &env
->cur_state
;
1094 struct bpf_reg_state
*regs
= state
->regs
, *reg
;
1097 for (i
= 0; i
< MAX_BPF_REG
; i
++)
1098 if (regs
[i
].type
== PTR_TO_PACKET
||
1099 regs
[i
].type
== PTR_TO_PACKET_END
)
1100 mark_reg_unknown_value(regs
, i
);
1102 for (i
= 0; i
< MAX_BPF_STACK
; i
+= BPF_REG_SIZE
) {
1103 if (state
->stack_slot_type
[i
] != STACK_SPILL
)
1105 reg
= &state
->spilled_regs
[i
/ BPF_REG_SIZE
];
1106 if (reg
->type
!= PTR_TO_PACKET
&&
1107 reg
->type
!= PTR_TO_PACKET_END
)
1109 reg
->type
= UNKNOWN_VALUE
;
1114 static int check_call(struct bpf_verifier_env
*env
, int func_id
)
1116 struct bpf_verifier_state
*state
= &env
->cur_state
;
1117 const struct bpf_func_proto
*fn
= NULL
;
1118 struct bpf_reg_state
*regs
= state
->regs
;
1119 struct bpf_reg_state
*reg
;
1120 struct bpf_call_arg_meta meta
;
1124 /* find function prototype */
1125 if (func_id
< 0 || func_id
>= __BPF_FUNC_MAX_ID
) {
1126 verbose("invalid func %d\n", func_id
);
1130 if (env
->prog
->aux
->ops
->get_func_proto
)
1131 fn
= env
->prog
->aux
->ops
->get_func_proto(func_id
);
1134 verbose("unknown func %d\n", func_id
);
1138 /* eBPF programs must be GPL compatible to use GPL-ed functions */
1139 if (!env
->prog
->gpl_compatible
&& fn
->gpl_only
) {
1140 verbose("cannot call GPL only function from proprietary program\n");
1144 changes_data
= bpf_helper_changes_skb_data(fn
->func
);
1146 memset(&meta
, 0, sizeof(meta
));
1147 meta
.pkt_access
= fn
->pkt_access
;
1149 /* We only support one arg being in raw mode at the moment, which
1150 * is sufficient for the helper functions we have right now.
1152 err
= check_raw_mode(fn
);
1154 verbose("kernel subsystem misconfigured func %d\n", func_id
);
1159 err
= check_func_arg(env
, BPF_REG_1
, fn
->arg1_type
, &meta
);
1162 err
= check_func_arg(env
, BPF_REG_2
, fn
->arg2_type
, &meta
);
1165 err
= check_func_arg(env
, BPF_REG_3
, fn
->arg3_type
, &meta
);
1168 err
= check_func_arg(env
, BPF_REG_4
, fn
->arg4_type
, &meta
);
1171 err
= check_func_arg(env
, BPF_REG_5
, fn
->arg5_type
, &meta
);
1175 /* Mark slots with STACK_MISC in case of raw mode, stack offset
1176 * is inferred from register state.
1178 for (i
= 0; i
< meta
.access_size
; i
++) {
1179 err
= check_mem_access(env
, meta
.regno
, i
, BPF_B
, BPF_WRITE
, -1);
1184 /* reset caller saved regs */
1185 for (i
= 0; i
< CALLER_SAVED_REGS
; i
++) {
1186 reg
= regs
+ caller_saved
[i
];
1187 reg
->type
= NOT_INIT
;
1191 /* update return register */
1192 if (fn
->ret_type
== RET_INTEGER
) {
1193 regs
[BPF_REG_0
].type
= UNKNOWN_VALUE
;
1194 } else if (fn
->ret_type
== RET_VOID
) {
1195 regs
[BPF_REG_0
].type
= NOT_INIT
;
1196 } else if (fn
->ret_type
== RET_PTR_TO_MAP_VALUE_OR_NULL
) {
1197 regs
[BPF_REG_0
].type
= PTR_TO_MAP_VALUE_OR_NULL
;
1198 /* remember map_ptr, so that check_map_access()
1199 * can check 'value_size' boundary of memory access
1200 * to map element returned from bpf_map_lookup_elem()
1202 if (meta
.map_ptr
== NULL
) {
1203 verbose("kernel subsystem misconfigured verifier\n");
1206 regs
[BPF_REG_0
].map_ptr
= meta
.map_ptr
;
1208 verbose("unknown return type %d of func %d\n",
1209 fn
->ret_type
, func_id
);
1213 err
= check_map_func_compatibility(meta
.map_ptr
, func_id
);
1218 clear_all_pkt_pointers(env
);
1222 static int check_packet_ptr_add(struct bpf_verifier_env
*env
,
1223 struct bpf_insn
*insn
)
1225 struct bpf_reg_state
*regs
= env
->cur_state
.regs
;
1226 struct bpf_reg_state
*dst_reg
= ®s
[insn
->dst_reg
];
1227 struct bpf_reg_state
*src_reg
= ®s
[insn
->src_reg
];
1228 struct bpf_reg_state tmp_reg
;
1231 if (BPF_SRC(insn
->code
) == BPF_K
) {
1232 /* pkt_ptr += imm */
1237 verbose("addition of negative constant to packet pointer is not allowed\n");
1240 if (imm
>= MAX_PACKET_OFF
||
1241 imm
+ dst_reg
->off
>= MAX_PACKET_OFF
) {
1242 verbose("constant %d is too large to add to packet pointer\n",
1246 /* a constant was added to pkt_ptr.
1247 * Remember it while keeping the same 'id'
1249 dst_reg
->off
+= imm
;
1251 if (src_reg
->type
== PTR_TO_PACKET
) {
1252 /* R6=pkt(id=0,off=0,r=62) R7=imm22; r7 += r6 */
1253 tmp_reg
= *dst_reg
; /* save r7 state */
1254 *dst_reg
= *src_reg
; /* copy pkt_ptr state r6 into r7 */
1255 src_reg
= &tmp_reg
; /* pretend it's src_reg state */
1256 /* if the checks below reject it, the copy won't matter,
1257 * since we're rejecting the whole program. If all ok,
1258 * then imm22 state will be added to r7
1259 * and r7 will be pkt(id=0,off=22,r=62) while
1260 * r6 will stay as pkt(id=0,off=0,r=62)
1264 if (src_reg
->type
== CONST_IMM
) {
1265 /* pkt_ptr += reg where reg is known constant */
1269 /* disallow pkt_ptr += reg
1270 * if reg is not uknown_value with guaranteed zero upper bits
1271 * otherwise pkt_ptr may overflow and addition will become
1272 * subtraction which is not allowed
1274 if (src_reg
->type
!= UNKNOWN_VALUE
) {
1275 verbose("cannot add '%s' to ptr_to_packet\n",
1276 reg_type_str
[src_reg
->type
]);
1279 if (src_reg
->imm
< 48) {
1280 verbose("cannot add integer value with %lld upper zero bits to ptr_to_packet\n",
1284 /* dst_reg stays as pkt_ptr type and since some positive
1285 * integer value was added to the pointer, increment its 'id'
1287 dst_reg
->id
= ++env
->id_gen
;
1289 /* something was added to pkt_ptr, set range and off to zero */
1296 static int evaluate_reg_alu(struct bpf_verifier_env
*env
, struct bpf_insn
*insn
)
1298 struct bpf_reg_state
*regs
= env
->cur_state
.regs
;
1299 struct bpf_reg_state
*dst_reg
= ®s
[insn
->dst_reg
];
1300 u8 opcode
= BPF_OP(insn
->code
);
1303 /* for type == UNKNOWN_VALUE:
1304 * imm > 0 -> number of zero upper bits
1305 * imm == 0 -> don't track which is the same as all bits can be non-zero
1308 if (BPF_SRC(insn
->code
) == BPF_X
) {
1309 struct bpf_reg_state
*src_reg
= ®s
[insn
->src_reg
];
1311 if (src_reg
->type
== UNKNOWN_VALUE
&& src_reg
->imm
> 0 &&
1312 dst_reg
->imm
&& opcode
== BPF_ADD
) {
1314 * where both have zero upper bits. Adding them
1315 * can only result making one more bit non-zero
1316 * in the larger value.
1317 * Ex. 0xffff (imm=48) + 1 (imm=63) = 0x10000 (imm=47)
1318 * 0xffff (imm=48) + 0xffff = 0x1fffe (imm=47)
1320 dst_reg
->imm
= min(dst_reg
->imm
, src_reg
->imm
);
1324 if (src_reg
->type
== CONST_IMM
&& src_reg
->imm
> 0 &&
1325 dst_reg
->imm
&& opcode
== BPF_ADD
) {
1327 * where dreg has zero upper bits and sreg is const.
1328 * Adding them can only result making one more bit
1329 * non-zero in the larger value.
1331 imm_log2
= __ilog2_u64((long long)src_reg
->imm
);
1332 dst_reg
->imm
= min(dst_reg
->imm
, 63 - imm_log2
);
1336 /* all other cases non supported yet, just mark dst_reg */
1341 /* sign extend 32-bit imm into 64-bit to make sure that
1342 * negative values occupy bit 63. Note ilog2() would have
1343 * been incorrect, since sizeof(insn->imm) == 4
1345 imm_log2
= __ilog2_u64((long long)insn
->imm
);
1347 if (dst_reg
->imm
&& opcode
== BPF_LSH
) {
1349 * if reg was a result of 2 byte load, then its imm == 48
1350 * which means that upper 48 bits are zero and shifting this reg
1351 * left by 4 would mean that upper 44 bits are still zero
1353 dst_reg
->imm
-= insn
->imm
;
1354 } else if (dst_reg
->imm
&& opcode
== BPF_MUL
) {
1356 * if multiplying by 14 subtract 4
1357 * This is conservative calculation of upper zero bits.
1358 * It's not trying to special case insn->imm == 1 or 0 cases
1360 dst_reg
->imm
-= imm_log2
+ 1;
1361 } else if (opcode
== BPF_AND
) {
1363 dst_reg
->imm
= 63 - imm_log2
;
1364 } else if (dst_reg
->imm
&& opcode
== BPF_ADD
) {
1366 dst_reg
->imm
= min(dst_reg
->imm
, 63 - imm_log2
);
1368 } else if (opcode
== BPF_RSH
) {
1370 * which means that after right shift, upper bits will be zero
1371 * note that verifier already checked that
1372 * 0 <= imm < 64 for shift insn
1374 dst_reg
->imm
+= insn
->imm
;
1375 if (unlikely(dst_reg
->imm
> 64))
1376 /* some dumb code did:
1379 * and all bits are zero now */
1382 /* all other alu ops, means that we don't know what will
1383 * happen to the value, mark it with unknown number of zero bits
1388 if (dst_reg
->imm
< 0) {
1389 /* all 64 bits of the register can contain non-zero bits
1390 * and such value cannot be added to ptr_to_packet, since it
1391 * may overflow, mark it as unknown to avoid further eval
1398 static int evaluate_reg_imm_alu(struct bpf_verifier_env
*env
,
1399 struct bpf_insn
*insn
)
1401 struct bpf_reg_state
*regs
= env
->cur_state
.regs
;
1402 struct bpf_reg_state
*dst_reg
= ®s
[insn
->dst_reg
];
1403 struct bpf_reg_state
*src_reg
= ®s
[insn
->src_reg
];
1404 u8 opcode
= BPF_OP(insn
->code
);
1406 /* dst_reg->type == CONST_IMM here, simulate execution of 'add' insn.
1407 * Don't care about overflow or negative values, just add them
1409 if (opcode
== BPF_ADD
&& BPF_SRC(insn
->code
) == BPF_K
)
1410 dst_reg
->imm
+= insn
->imm
;
1411 else if (opcode
== BPF_ADD
&& BPF_SRC(insn
->code
) == BPF_X
&&
1412 src_reg
->type
== CONST_IMM
)
1413 dst_reg
->imm
+= src_reg
->imm
;
1415 mark_reg_unknown_value(regs
, insn
->dst_reg
);
1419 /* check validity of 32-bit and 64-bit arithmetic operations */
1420 static int check_alu_op(struct bpf_verifier_env
*env
, struct bpf_insn
*insn
)
1422 struct bpf_reg_state
*regs
= env
->cur_state
.regs
, *dst_reg
;
1423 u8 opcode
= BPF_OP(insn
->code
);
1426 if (opcode
== BPF_END
|| opcode
== BPF_NEG
) {
1427 if (opcode
== BPF_NEG
) {
1428 if (BPF_SRC(insn
->code
) != 0 ||
1429 insn
->src_reg
!= BPF_REG_0
||
1430 insn
->off
!= 0 || insn
->imm
!= 0) {
1431 verbose("BPF_NEG uses reserved fields\n");
1435 if (insn
->src_reg
!= BPF_REG_0
|| insn
->off
!= 0 ||
1436 (insn
->imm
!= 16 && insn
->imm
!= 32 && insn
->imm
!= 64)) {
1437 verbose("BPF_END uses reserved fields\n");
1442 /* check src operand */
1443 err
= check_reg_arg(regs
, insn
->dst_reg
, SRC_OP
);
1447 if (is_pointer_value(env
, insn
->dst_reg
)) {
1448 verbose("R%d pointer arithmetic prohibited\n",
1453 /* check dest operand */
1454 err
= check_reg_arg(regs
, insn
->dst_reg
, DST_OP
);
1458 } else if (opcode
== BPF_MOV
) {
1460 if (BPF_SRC(insn
->code
) == BPF_X
) {
1461 if (insn
->imm
!= 0 || insn
->off
!= 0) {
1462 verbose("BPF_MOV uses reserved fields\n");
1466 /* check src operand */
1467 err
= check_reg_arg(regs
, insn
->src_reg
, SRC_OP
);
1471 if (insn
->src_reg
!= BPF_REG_0
|| insn
->off
!= 0) {
1472 verbose("BPF_MOV uses reserved fields\n");
1477 /* check dest operand */
1478 err
= check_reg_arg(regs
, insn
->dst_reg
, DST_OP
);
1482 if (BPF_SRC(insn
->code
) == BPF_X
) {
1483 if (BPF_CLASS(insn
->code
) == BPF_ALU64
) {
1485 * copy register state to dest reg
1487 regs
[insn
->dst_reg
] = regs
[insn
->src_reg
];
1489 if (is_pointer_value(env
, insn
->src_reg
)) {
1490 verbose("R%d partial copy of pointer\n",
1494 regs
[insn
->dst_reg
].type
= UNKNOWN_VALUE
;
1495 regs
[insn
->dst_reg
].map_ptr
= NULL
;
1499 * remember the value we stored into this reg
1501 regs
[insn
->dst_reg
].type
= CONST_IMM
;
1502 regs
[insn
->dst_reg
].imm
= insn
->imm
;
1505 } else if (opcode
> BPF_END
) {
1506 verbose("invalid BPF_ALU opcode %x\n", opcode
);
1509 } else { /* all other ALU ops: and, sub, xor, add, ... */
1511 if (BPF_SRC(insn
->code
) == BPF_X
) {
1512 if (insn
->imm
!= 0 || insn
->off
!= 0) {
1513 verbose("BPF_ALU uses reserved fields\n");
1516 /* check src1 operand */
1517 err
= check_reg_arg(regs
, insn
->src_reg
, SRC_OP
);
1521 if (insn
->src_reg
!= BPF_REG_0
|| insn
->off
!= 0) {
1522 verbose("BPF_ALU uses reserved fields\n");
1527 /* check src2 operand */
1528 err
= check_reg_arg(regs
, insn
->dst_reg
, SRC_OP
);
1532 if ((opcode
== BPF_MOD
|| opcode
== BPF_DIV
) &&
1533 BPF_SRC(insn
->code
) == BPF_K
&& insn
->imm
== 0) {
1534 verbose("div by zero\n");
1538 if ((opcode
== BPF_LSH
|| opcode
== BPF_RSH
||
1539 opcode
== BPF_ARSH
) && BPF_SRC(insn
->code
) == BPF_K
) {
1540 int size
= BPF_CLASS(insn
->code
) == BPF_ALU64
? 64 : 32;
1542 if (insn
->imm
< 0 || insn
->imm
>= size
) {
1543 verbose("invalid shift %d\n", insn
->imm
);
1548 /* check dest operand */
1549 err
= check_reg_arg(regs
, insn
->dst_reg
, DST_OP_NO_MARK
);
1553 dst_reg
= ®s
[insn
->dst_reg
];
1555 /* pattern match 'bpf_add Rx, imm' instruction */
1556 if (opcode
== BPF_ADD
&& BPF_CLASS(insn
->code
) == BPF_ALU64
&&
1557 dst_reg
->type
== FRAME_PTR
&& BPF_SRC(insn
->code
) == BPF_K
) {
1558 dst_reg
->type
= PTR_TO_STACK
;
1559 dst_reg
->imm
= insn
->imm
;
1561 } else if (opcode
== BPF_ADD
&&
1562 BPF_CLASS(insn
->code
) == BPF_ALU64
&&
1563 (dst_reg
->type
== PTR_TO_PACKET
||
1564 (BPF_SRC(insn
->code
) == BPF_X
&&
1565 regs
[insn
->src_reg
].type
== PTR_TO_PACKET
))) {
1566 /* ptr_to_packet += K|X */
1567 return check_packet_ptr_add(env
, insn
);
1568 } else if (BPF_CLASS(insn
->code
) == BPF_ALU64
&&
1569 dst_reg
->type
== UNKNOWN_VALUE
&&
1570 env
->allow_ptr_leaks
) {
1571 /* unknown += K|X */
1572 return evaluate_reg_alu(env
, insn
);
1573 } else if (BPF_CLASS(insn
->code
) == BPF_ALU64
&&
1574 dst_reg
->type
== CONST_IMM
&&
1575 env
->allow_ptr_leaks
) {
1576 /* reg_imm += K|X */
1577 return evaluate_reg_imm_alu(env
, insn
);
1578 } else if (is_pointer_value(env
, insn
->dst_reg
)) {
1579 verbose("R%d pointer arithmetic prohibited\n",
1582 } else if (BPF_SRC(insn
->code
) == BPF_X
&&
1583 is_pointer_value(env
, insn
->src_reg
)) {
1584 verbose("R%d pointer arithmetic prohibited\n",
1589 /* mark dest operand */
1590 mark_reg_unknown_value(regs
, insn
->dst_reg
);
1596 static void find_good_pkt_pointers(struct bpf_verifier_state
*state
,
1597 struct bpf_reg_state
*dst_reg
)
1599 struct bpf_reg_state
*regs
= state
->regs
, *reg
;
1602 /* LLVM can generate two kind of checks:
1608 * if (r2 > pkt_end) goto <handle exception>
1612 * r2 == dst_reg, pkt_end == src_reg
1613 * r2=pkt(id=n,off=8,r=0)
1614 * r3=pkt(id=n,off=0,r=0)
1620 * if (pkt_end >= r2) goto <access okay>
1621 * <handle exception>
1624 * pkt_end == dst_reg, r2 == src_reg
1625 * r2=pkt(id=n,off=8,r=0)
1626 * r3=pkt(id=n,off=0,r=0)
1628 * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8)
1629 * so that range of bytes [r3, r3 + 8) is safe to access.
1632 for (i
= 0; i
< MAX_BPF_REG
; i
++)
1633 if (regs
[i
].type
== PTR_TO_PACKET
&& regs
[i
].id
== dst_reg
->id
)
1634 regs
[i
].range
= dst_reg
->off
;
1636 for (i
= 0; i
< MAX_BPF_STACK
; i
+= BPF_REG_SIZE
) {
1637 if (state
->stack_slot_type
[i
] != STACK_SPILL
)
1639 reg
= &state
->spilled_regs
[i
/ BPF_REG_SIZE
];
1640 if (reg
->type
== PTR_TO_PACKET
&& reg
->id
== dst_reg
->id
)
1641 reg
->range
= dst_reg
->off
;
1645 static int check_cond_jmp_op(struct bpf_verifier_env
*env
,
1646 struct bpf_insn
*insn
, int *insn_idx
)
1648 struct bpf_verifier_state
*other_branch
, *this_branch
= &env
->cur_state
;
1649 struct bpf_reg_state
*regs
= this_branch
->regs
, *dst_reg
;
1650 u8 opcode
= BPF_OP(insn
->code
);
1653 if (opcode
> BPF_EXIT
) {
1654 verbose("invalid BPF_JMP opcode %x\n", opcode
);
1658 if (BPF_SRC(insn
->code
) == BPF_X
) {
1659 if (insn
->imm
!= 0) {
1660 verbose("BPF_JMP uses reserved fields\n");
1664 /* check src1 operand */
1665 err
= check_reg_arg(regs
, insn
->src_reg
, SRC_OP
);
1669 if (is_pointer_value(env
, insn
->src_reg
)) {
1670 verbose("R%d pointer comparison prohibited\n",
1675 if (insn
->src_reg
!= BPF_REG_0
) {
1676 verbose("BPF_JMP uses reserved fields\n");
1681 /* check src2 operand */
1682 err
= check_reg_arg(regs
, insn
->dst_reg
, SRC_OP
);
1686 dst_reg
= ®s
[insn
->dst_reg
];
1688 /* detect if R == 0 where R was initialized to zero earlier */
1689 if (BPF_SRC(insn
->code
) == BPF_K
&&
1690 (opcode
== BPF_JEQ
|| opcode
== BPF_JNE
) &&
1691 dst_reg
->type
== CONST_IMM
&& dst_reg
->imm
== insn
->imm
) {
1692 if (opcode
== BPF_JEQ
) {
1693 /* if (imm == imm) goto pc+off;
1694 * only follow the goto, ignore fall-through
1696 *insn_idx
+= insn
->off
;
1699 /* if (imm != imm) goto pc+off;
1700 * only follow fall-through branch, since
1701 * that's where the program will go
1707 other_branch
= push_stack(env
, *insn_idx
+ insn
->off
+ 1, *insn_idx
);
1711 /* detect if R == 0 where R is returned from bpf_map_lookup_elem() */
1712 if (BPF_SRC(insn
->code
) == BPF_K
&&
1713 insn
->imm
== 0 && (opcode
== BPF_JEQ
|| opcode
== BPF_JNE
) &&
1714 dst_reg
->type
== PTR_TO_MAP_VALUE_OR_NULL
) {
1715 if (opcode
== BPF_JEQ
) {
1716 /* next fallthrough insn can access memory via
1719 regs
[insn
->dst_reg
].type
= PTR_TO_MAP_VALUE
;
1720 /* branch targer cannot access it, since reg == 0 */
1721 mark_reg_unknown_value(other_branch
->regs
,
1724 other_branch
->regs
[insn
->dst_reg
].type
= PTR_TO_MAP_VALUE
;
1725 mark_reg_unknown_value(regs
, insn
->dst_reg
);
1727 } else if (BPF_SRC(insn
->code
) == BPF_X
&& opcode
== BPF_JGT
&&
1728 dst_reg
->type
== PTR_TO_PACKET
&&
1729 regs
[insn
->src_reg
].type
== PTR_TO_PACKET_END
) {
1730 find_good_pkt_pointers(this_branch
, dst_reg
);
1731 } else if (BPF_SRC(insn
->code
) == BPF_X
&& opcode
== BPF_JGE
&&
1732 dst_reg
->type
== PTR_TO_PACKET_END
&&
1733 regs
[insn
->src_reg
].type
== PTR_TO_PACKET
) {
1734 find_good_pkt_pointers(other_branch
, ®s
[insn
->src_reg
]);
1735 } else if (is_pointer_value(env
, insn
->dst_reg
)) {
1736 verbose("R%d pointer comparison prohibited\n", insn
->dst_reg
);
1740 print_verifier_state(this_branch
);
1744 /* return the map pointer stored inside BPF_LD_IMM64 instruction */
1745 static struct bpf_map
*ld_imm64_to_map_ptr(struct bpf_insn
*insn
)
1747 u64 imm64
= ((u64
) (u32
) insn
[0].imm
) | ((u64
) (u32
) insn
[1].imm
) << 32;
1749 return (struct bpf_map
*) (unsigned long) imm64
;
1752 /* verify BPF_LD_IMM64 instruction */
1753 static int check_ld_imm(struct bpf_verifier_env
*env
, struct bpf_insn
*insn
)
1755 struct bpf_reg_state
*regs
= env
->cur_state
.regs
;
1758 if (BPF_SIZE(insn
->code
) != BPF_DW
) {
1759 verbose("invalid BPF_LD_IMM insn\n");
1762 if (insn
->off
!= 0) {
1763 verbose("BPF_LD_IMM64 uses reserved fields\n");
1767 err
= check_reg_arg(regs
, insn
->dst_reg
, DST_OP
);
1771 if (insn
->src_reg
== 0) {
1772 /* generic move 64-bit immediate into a register,
1773 * only analyzer needs to collect the ld_imm value.
1775 u64 imm
= ((u64
)(insn
+ 1)->imm
<< 32) | (u32
)insn
->imm
;
1777 if (!env
->analyzer_ops
)
1780 regs
[insn
->dst_reg
].type
= CONST_IMM
;
1781 regs
[insn
->dst_reg
].imm
= imm
;
1785 /* replace_map_fd_with_map_ptr() should have caught bad ld_imm64 */
1786 BUG_ON(insn
->src_reg
!= BPF_PSEUDO_MAP_FD
);
1788 regs
[insn
->dst_reg
].type
= CONST_PTR_TO_MAP
;
1789 regs
[insn
->dst_reg
].map_ptr
= ld_imm64_to_map_ptr(insn
);
1793 static bool may_access_skb(enum bpf_prog_type type
)
1796 case BPF_PROG_TYPE_SOCKET_FILTER
:
1797 case BPF_PROG_TYPE_SCHED_CLS
:
1798 case BPF_PROG_TYPE_SCHED_ACT
:
1805 /* verify safety of LD_ABS|LD_IND instructions:
1806 * - they can only appear in the programs where ctx == skb
1807 * - since they are wrappers of function calls, they scratch R1-R5 registers,
1808 * preserve R6-R9, and store return value into R0
1811 * ctx == skb == R6 == CTX
1814 * SRC == any register
1815 * IMM == 32-bit immediate
1818 * R0 - 8/16/32-bit skb data converted to cpu endianness
1820 static int check_ld_abs(struct bpf_verifier_env
*env
, struct bpf_insn
*insn
)
1822 struct bpf_reg_state
*regs
= env
->cur_state
.regs
;
1823 u8 mode
= BPF_MODE(insn
->code
);
1824 struct bpf_reg_state
*reg
;
1827 if (!may_access_skb(env
->prog
->type
)) {
1828 verbose("BPF_LD_[ABS|IND] instructions not allowed for this program type\n");
1832 if (insn
->dst_reg
!= BPF_REG_0
|| insn
->off
!= 0 ||
1833 BPF_SIZE(insn
->code
) == BPF_DW
||
1834 (mode
== BPF_ABS
&& insn
->src_reg
!= BPF_REG_0
)) {
1835 verbose("BPF_LD_[ABS|IND] uses reserved fields\n");
1839 /* check whether implicit source operand (register R6) is readable */
1840 err
= check_reg_arg(regs
, BPF_REG_6
, SRC_OP
);
1844 if (regs
[BPF_REG_6
].type
!= PTR_TO_CTX
) {
1845 verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
1849 if (mode
== BPF_IND
) {
1850 /* check explicit source operand */
1851 err
= check_reg_arg(regs
, insn
->src_reg
, SRC_OP
);
1856 /* reset caller saved regs to unreadable */
1857 for (i
= 0; i
< CALLER_SAVED_REGS
; i
++) {
1858 reg
= regs
+ caller_saved
[i
];
1859 reg
->type
= NOT_INIT
;
1863 /* mark destination R0 register as readable, since it contains
1864 * the value fetched from the packet
1866 regs
[BPF_REG_0
].type
= UNKNOWN_VALUE
;
1870 /* non-recursive DFS pseudo code
1871 * 1 procedure DFS-iterative(G,v):
1872 * 2 label v as discovered
1873 * 3 let S be a stack
1875 * 5 while S is not empty
1877 * 7 if t is what we're looking for:
1879 * 9 for all edges e in G.adjacentEdges(t) do
1880 * 10 if edge e is already labelled
1881 * 11 continue with the next edge
1882 * 12 w <- G.adjacentVertex(t,e)
1883 * 13 if vertex w is not discovered and not explored
1884 * 14 label e as tree-edge
1885 * 15 label w as discovered
1888 * 18 else if vertex w is discovered
1889 * 19 label e as back-edge
1891 * 21 // vertex w is explored
1892 * 22 label e as forward- or cross-edge
1893 * 23 label t as explored
1898 * 0x11 - discovered and fall-through edge labelled
1899 * 0x12 - discovered and fall-through and branch edges labelled
1910 #define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L)
1912 static int *insn_stack
; /* stack of insns to process */
1913 static int cur_stack
; /* current stack index */
1914 static int *insn_state
;
1916 /* t, w, e - match pseudo-code above:
1917 * t - index of current instruction
1918 * w - next instruction
1921 static int push_insn(int t
, int w
, int e
, struct bpf_verifier_env
*env
)
1923 if (e
== FALLTHROUGH
&& insn_state
[t
] >= (DISCOVERED
| FALLTHROUGH
))
1926 if (e
== BRANCH
&& insn_state
[t
] >= (DISCOVERED
| BRANCH
))
1929 if (w
< 0 || w
>= env
->prog
->len
) {
1930 verbose("jump out of range from insn %d to %d\n", t
, w
);
1935 /* mark branch target for state pruning */
1936 env
->explored_states
[w
] = STATE_LIST_MARK
;
1938 if (insn_state
[w
] == 0) {
1940 insn_state
[t
] = DISCOVERED
| e
;
1941 insn_state
[w
] = DISCOVERED
;
1942 if (cur_stack
>= env
->prog
->len
)
1944 insn_stack
[cur_stack
++] = w
;
1946 } else if ((insn_state
[w
] & 0xF0) == DISCOVERED
) {
1947 verbose("back-edge from insn %d to %d\n", t
, w
);
1949 } else if (insn_state
[w
] == EXPLORED
) {
1950 /* forward- or cross-edge */
1951 insn_state
[t
] = DISCOVERED
| e
;
1953 verbose("insn state internal bug\n");
1959 /* non-recursive depth-first-search to detect loops in BPF program
1960 * loop == back-edge in directed graph
1962 static int check_cfg(struct bpf_verifier_env
*env
)
1964 struct bpf_insn
*insns
= env
->prog
->insnsi
;
1965 int insn_cnt
= env
->prog
->len
;
1969 insn_state
= kcalloc(insn_cnt
, sizeof(int), GFP_KERNEL
);
1973 insn_stack
= kcalloc(insn_cnt
, sizeof(int), GFP_KERNEL
);
1979 insn_state
[0] = DISCOVERED
; /* mark 1st insn as discovered */
1980 insn_stack
[0] = 0; /* 0 is the first instruction */
1986 t
= insn_stack
[cur_stack
- 1];
1988 if (BPF_CLASS(insns
[t
].code
) == BPF_JMP
) {
1989 u8 opcode
= BPF_OP(insns
[t
].code
);
1991 if (opcode
== BPF_EXIT
) {
1993 } else if (opcode
== BPF_CALL
) {
1994 ret
= push_insn(t
, t
+ 1, FALLTHROUGH
, env
);
1999 if (t
+ 1 < insn_cnt
)
2000 env
->explored_states
[t
+ 1] = STATE_LIST_MARK
;
2001 } else if (opcode
== BPF_JA
) {
2002 if (BPF_SRC(insns
[t
].code
) != BPF_K
) {
2006 /* unconditional jump with single edge */
2007 ret
= push_insn(t
, t
+ insns
[t
].off
+ 1,
2013 /* tell verifier to check for equivalent states
2014 * after every call and jump
2016 if (t
+ 1 < insn_cnt
)
2017 env
->explored_states
[t
+ 1] = STATE_LIST_MARK
;
2019 /* conditional jump with two edges */
2020 ret
= push_insn(t
, t
+ 1, FALLTHROUGH
, env
);
2026 ret
= push_insn(t
, t
+ insns
[t
].off
+ 1, BRANCH
, env
);
2033 /* all other non-branch instructions with single
2036 ret
= push_insn(t
, t
+ 1, FALLTHROUGH
, env
);
2044 insn_state
[t
] = EXPLORED
;
2045 if (cur_stack
-- <= 0) {
2046 verbose("pop stack internal bug\n");
2053 for (i
= 0; i
< insn_cnt
; i
++) {
2054 if (insn_state
[i
] != EXPLORED
) {
2055 verbose("unreachable insn %d\n", i
);
2060 ret
= 0; /* cfg looks good */
2068 /* the following conditions reduce the number of explored insns
2069 * from ~140k to ~80k for ultra large programs that use a lot of ptr_to_packet
2071 static bool compare_ptrs_to_packet(struct bpf_reg_state
*old
,
2072 struct bpf_reg_state
*cur
)
2074 if (old
->id
!= cur
->id
)
2077 /* old ptr_to_packet is more conservative, since it allows smaller
2079 * old(off=0,r=10) is equal to cur(off=0,r=20), because
2080 * old(off=0,r=10) means that with range=10 the verifier proceeded
2081 * further and found no issues with the program. Now we're in the same
2082 * spot with cur(off=0,r=20), so we're safe too, since anything further
2083 * will only be looking at most 10 bytes after this pointer.
2085 if (old
->off
== cur
->off
&& old
->range
< cur
->range
)
2088 /* old(off=20,r=10) is equal to cur(off=22,re=22 or 5 or 0)
2089 * since both cannot be used for packet access and safe(old)
2090 * pointer has smaller off that could be used for further
2091 * 'if (ptr > data_end)' check
2093 * old(off=20,r=10) and cur(off=22,r=22) and cur(off=22,r=0) mean
2094 * that we cannot access the packet.
2095 * The safe range is:
2096 * [ptr, ptr + range - off)
2097 * so whenever off >=range, it means no safe bytes from this pointer.
2098 * When comparing old->off <= cur->off, it means that older code
2099 * went with smaller offset and that offset was later
2100 * used to figure out the safe range after 'if (ptr > data_end)' check
2101 * Say, 'old' state was explored like:
2102 * ... R3(off=0, r=0)
2104 * ... now R4(off=20,r=0) <-- here
2105 * if (R4 > data_end)
2106 * ... R4(off=20,r=20), R3(off=0,r=20) and R3 can be used to access.
2107 * ... the code further went all the way to bpf_exit.
2108 * Now the 'cur' state at the mark 'here' has R4(off=30,r=0).
2109 * old_R4(off=20,r=0) equal to cur_R4(off=30,r=0), since if the verifier
2110 * goes further, such cur_R4 will give larger safe packet range after
2111 * 'if (R4 > data_end)' and all further insn were already good with r=20,
2112 * so they will be good with r=30 and we can prune the search.
2114 if (old
->off
<= cur
->off
&&
2115 old
->off
>= old
->range
&& cur
->off
>= cur
->range
)
2121 /* compare two verifier states
2123 * all states stored in state_list are known to be valid, since
2124 * verifier reached 'bpf_exit' instruction through them
2126 * this function is called when verifier exploring different branches of
2127 * execution popped from the state stack. If it sees an old state that has
2128 * more strict register state and more strict stack state then this execution
2129 * branch doesn't need to be explored further, since verifier already
2130 * concluded that more strict state leads to valid finish.
2132 * Therefore two states are equivalent if register state is more conservative
2133 * and explored stack state is more conservative than the current one.
2136 * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC)
2137 * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC)
2139 * In other words if current stack state (one being explored) has more
2140 * valid slots than old one that already passed validation, it means
2141 * the verifier can stop exploring and conclude that current state is valid too
2143 * Similarly with registers. If explored state has register type as invalid
2144 * whereas register type in current state is meaningful, it means that
2145 * the current state will reach 'bpf_exit' instruction safely
2147 static bool states_equal(struct bpf_verifier_state
*old
,
2148 struct bpf_verifier_state
*cur
)
2150 struct bpf_reg_state
*rold
, *rcur
;
2153 for (i
= 0; i
< MAX_BPF_REG
; i
++) {
2154 rold
= &old
->regs
[i
];
2155 rcur
= &cur
->regs
[i
];
2157 if (memcmp(rold
, rcur
, sizeof(*rold
)) == 0)
2160 if (rold
->type
== NOT_INIT
||
2161 (rold
->type
== UNKNOWN_VALUE
&& rcur
->type
!= NOT_INIT
))
2164 if (rold
->type
== PTR_TO_PACKET
&& rcur
->type
== PTR_TO_PACKET
&&
2165 compare_ptrs_to_packet(rold
, rcur
))
2171 for (i
= 0; i
< MAX_BPF_STACK
; i
++) {
2172 if (old
->stack_slot_type
[i
] == STACK_INVALID
)
2174 if (old
->stack_slot_type
[i
] != cur
->stack_slot_type
[i
])
2175 /* Ex: old explored (safe) state has STACK_SPILL in
2176 * this stack slot, but current has has STACK_MISC ->
2177 * this verifier states are not equivalent,
2178 * return false to continue verification of this path
2181 if (i
% BPF_REG_SIZE
)
2183 if (memcmp(&old
->spilled_regs
[i
/ BPF_REG_SIZE
],
2184 &cur
->spilled_regs
[i
/ BPF_REG_SIZE
],
2185 sizeof(old
->spilled_regs
[0])))
2186 /* when explored and current stack slot types are
2187 * the same, check that stored pointers types
2188 * are the same as well.
2189 * Ex: explored safe path could have stored
2190 * (bpf_reg_state) {.type = PTR_TO_STACK, .imm = -8}
2191 * but current path has stored:
2192 * (bpf_reg_state) {.type = PTR_TO_STACK, .imm = -16}
2193 * such verifier states are not equivalent.
2194 * return false to continue verification of this path
2203 static int is_state_visited(struct bpf_verifier_env
*env
, int insn_idx
)
2205 struct bpf_verifier_state_list
*new_sl
;
2206 struct bpf_verifier_state_list
*sl
;
2208 sl
= env
->explored_states
[insn_idx
];
2210 /* this 'insn_idx' instruction wasn't marked, so we will not
2211 * be doing state search here
2215 while (sl
!= STATE_LIST_MARK
) {
2216 if (states_equal(&sl
->state
, &env
->cur_state
))
2217 /* reached equivalent register/stack state,
2224 /* there were no equivalent states, remember current one.
2225 * technically the current state is not proven to be safe yet,
2226 * but it will either reach bpf_exit (which means it's safe) or
2227 * it will be rejected. Since there are no loops, we won't be
2228 * seeing this 'insn_idx' instruction again on the way to bpf_exit
2230 new_sl
= kmalloc(sizeof(struct bpf_verifier_state_list
), GFP_USER
);
2234 /* add new state to the head of linked list */
2235 memcpy(&new_sl
->state
, &env
->cur_state
, sizeof(env
->cur_state
));
2236 new_sl
->next
= env
->explored_states
[insn_idx
];
2237 env
->explored_states
[insn_idx
] = new_sl
;
2241 static int ext_analyzer_insn_hook(struct bpf_verifier_env
*env
,
2242 int insn_idx
, int prev_insn_idx
)
2244 if (!env
->analyzer_ops
|| !env
->analyzer_ops
->insn_hook
)
2247 return env
->analyzer_ops
->insn_hook(env
, insn_idx
, prev_insn_idx
);
2250 static int do_check(struct bpf_verifier_env
*env
)
2252 struct bpf_verifier_state
*state
= &env
->cur_state
;
2253 struct bpf_insn
*insns
= env
->prog
->insnsi
;
2254 struct bpf_reg_state
*regs
= state
->regs
;
2255 int insn_cnt
= env
->prog
->len
;
2256 int insn_idx
, prev_insn_idx
= 0;
2257 int insn_processed
= 0;
2258 bool do_print_state
= false;
2260 init_reg_state(regs
);
2263 struct bpf_insn
*insn
;
2267 if (insn_idx
>= insn_cnt
) {
2268 verbose("invalid insn idx %d insn_cnt %d\n",
2269 insn_idx
, insn_cnt
);
2273 insn
= &insns
[insn_idx
];
2274 class = BPF_CLASS(insn
->code
);
2276 if (++insn_processed
> BPF_COMPLEXITY_LIMIT_INSNS
) {
2277 verbose("BPF program is too large. Proccessed %d insn\n",
2282 err
= is_state_visited(env
, insn_idx
);
2286 /* found equivalent state, can prune the search */
2289 verbose("\nfrom %d to %d: safe\n",
2290 prev_insn_idx
, insn_idx
);
2292 verbose("%d: safe\n", insn_idx
);
2294 goto process_bpf_exit
;
2297 if (log_level
&& do_print_state
) {
2298 verbose("\nfrom %d to %d:", prev_insn_idx
, insn_idx
);
2299 print_verifier_state(&env
->cur_state
);
2300 do_print_state
= false;
2304 verbose("%d: ", insn_idx
);
2305 print_bpf_insn(insn
);
2308 err
= ext_analyzer_insn_hook(env
, insn_idx
, prev_insn_idx
);
2312 if (class == BPF_ALU
|| class == BPF_ALU64
) {
2313 err
= check_alu_op(env
, insn
);
2317 } else if (class == BPF_LDX
) {
2318 enum bpf_reg_type
*prev_src_type
, src_reg_type
;
2320 /* check for reserved fields is already done */
2322 /* check src operand */
2323 err
= check_reg_arg(regs
, insn
->src_reg
, SRC_OP
);
2327 err
= check_reg_arg(regs
, insn
->dst_reg
, DST_OP_NO_MARK
);
2331 src_reg_type
= regs
[insn
->src_reg
].type
;
2333 /* check that memory (src_reg + off) is readable,
2334 * the state of dst_reg will be updated by this func
2336 err
= check_mem_access(env
, insn
->src_reg
, insn
->off
,
2337 BPF_SIZE(insn
->code
), BPF_READ
,
2342 if (BPF_SIZE(insn
->code
) != BPF_W
&&
2343 BPF_SIZE(insn
->code
) != BPF_DW
) {
2348 prev_src_type
= &env
->insn_aux_data
[insn_idx
].ptr_type
;
2350 if (*prev_src_type
== NOT_INIT
) {
2352 * dst_reg = *(u32 *)(src_reg + off)
2353 * save type to validate intersecting paths
2355 *prev_src_type
= src_reg_type
;
2357 } else if (src_reg_type
!= *prev_src_type
&&
2358 (src_reg_type
== PTR_TO_CTX
||
2359 *prev_src_type
== PTR_TO_CTX
)) {
2360 /* ABuser program is trying to use the same insn
2361 * dst_reg = *(u32*) (src_reg + off)
2362 * with different pointer types:
2363 * src_reg == ctx in one branch and
2364 * src_reg == stack|map in some other branch.
2367 verbose("same insn cannot be used with different pointers\n");
2371 } else if (class == BPF_STX
) {
2372 enum bpf_reg_type
*prev_dst_type
, dst_reg_type
;
2374 if (BPF_MODE(insn
->code
) == BPF_XADD
) {
2375 err
= check_xadd(env
, insn
);
2382 /* check src1 operand */
2383 err
= check_reg_arg(regs
, insn
->src_reg
, SRC_OP
);
2386 /* check src2 operand */
2387 err
= check_reg_arg(regs
, insn
->dst_reg
, SRC_OP
);
2391 dst_reg_type
= regs
[insn
->dst_reg
].type
;
2393 /* check that memory (dst_reg + off) is writeable */
2394 err
= check_mem_access(env
, insn
->dst_reg
, insn
->off
,
2395 BPF_SIZE(insn
->code
), BPF_WRITE
,
2400 prev_dst_type
= &env
->insn_aux_data
[insn_idx
].ptr_type
;
2402 if (*prev_dst_type
== NOT_INIT
) {
2403 *prev_dst_type
= dst_reg_type
;
2404 } else if (dst_reg_type
!= *prev_dst_type
&&
2405 (dst_reg_type
== PTR_TO_CTX
||
2406 *prev_dst_type
== PTR_TO_CTX
)) {
2407 verbose("same insn cannot be used with different pointers\n");
2411 } else if (class == BPF_ST
) {
2412 if (BPF_MODE(insn
->code
) != BPF_MEM
||
2413 insn
->src_reg
!= BPF_REG_0
) {
2414 verbose("BPF_ST uses reserved fields\n");
2417 /* check src operand */
2418 err
= check_reg_arg(regs
, insn
->dst_reg
, SRC_OP
);
2422 /* check that memory (dst_reg + off) is writeable */
2423 err
= check_mem_access(env
, insn
->dst_reg
, insn
->off
,
2424 BPF_SIZE(insn
->code
), BPF_WRITE
,
2429 } else if (class == BPF_JMP
) {
2430 u8 opcode
= BPF_OP(insn
->code
);
2432 if (opcode
== BPF_CALL
) {
2433 if (BPF_SRC(insn
->code
) != BPF_K
||
2435 insn
->src_reg
!= BPF_REG_0
||
2436 insn
->dst_reg
!= BPF_REG_0
) {
2437 verbose("BPF_CALL uses reserved fields\n");
2441 err
= check_call(env
, insn
->imm
);
2445 } else if (opcode
== BPF_JA
) {
2446 if (BPF_SRC(insn
->code
) != BPF_K
||
2448 insn
->src_reg
!= BPF_REG_0
||
2449 insn
->dst_reg
!= BPF_REG_0
) {
2450 verbose("BPF_JA uses reserved fields\n");
2454 insn_idx
+= insn
->off
+ 1;
2457 } else if (opcode
== BPF_EXIT
) {
2458 if (BPF_SRC(insn
->code
) != BPF_K
||
2460 insn
->src_reg
!= BPF_REG_0
||
2461 insn
->dst_reg
!= BPF_REG_0
) {
2462 verbose("BPF_EXIT uses reserved fields\n");
2466 /* eBPF calling convetion is such that R0 is used
2467 * to return the value from eBPF program.
2468 * Make sure that it's readable at this time
2469 * of bpf_exit, which means that program wrote
2470 * something into it earlier
2472 err
= check_reg_arg(regs
, BPF_REG_0
, SRC_OP
);
2476 if (is_pointer_value(env
, BPF_REG_0
)) {
2477 verbose("R0 leaks addr as return value\n");
2482 insn_idx
= pop_stack(env
, &prev_insn_idx
);
2486 do_print_state
= true;
2490 err
= check_cond_jmp_op(env
, insn
, &insn_idx
);
2494 } else if (class == BPF_LD
) {
2495 u8 mode
= BPF_MODE(insn
->code
);
2497 if (mode
== BPF_ABS
|| mode
== BPF_IND
) {
2498 err
= check_ld_abs(env
, insn
);
2502 } else if (mode
== BPF_IMM
) {
2503 err
= check_ld_imm(env
, insn
);
2509 verbose("invalid BPF_LD mode\n");
2513 verbose("unknown insn class %d\n", class);
2520 verbose("processed %d insns\n", insn_processed
);
2524 static int check_map_prog_compatibility(struct bpf_map
*map
,
2525 struct bpf_prog
*prog
)
2528 if (prog
->type
== BPF_PROG_TYPE_PERF_EVENT
&&
2529 (map
->map_type
== BPF_MAP_TYPE_HASH
||
2530 map
->map_type
== BPF_MAP_TYPE_PERCPU_HASH
) &&
2531 (map
->map_flags
& BPF_F_NO_PREALLOC
)) {
2532 verbose("perf_event programs can only use preallocated hash map\n");
2538 /* look for pseudo eBPF instructions that access map FDs and
2539 * replace them with actual map pointers
2541 static int replace_map_fd_with_map_ptr(struct bpf_verifier_env
*env
)
2543 struct bpf_insn
*insn
= env
->prog
->insnsi
;
2544 int insn_cnt
= env
->prog
->len
;
2547 for (i
= 0; i
< insn_cnt
; i
++, insn
++) {
2548 if (BPF_CLASS(insn
->code
) == BPF_LDX
&&
2549 (BPF_MODE(insn
->code
) != BPF_MEM
|| insn
->imm
!= 0)) {
2550 verbose("BPF_LDX uses reserved fields\n");
2554 if (BPF_CLASS(insn
->code
) == BPF_STX
&&
2555 ((BPF_MODE(insn
->code
) != BPF_MEM
&&
2556 BPF_MODE(insn
->code
) != BPF_XADD
) || insn
->imm
!= 0)) {
2557 verbose("BPF_STX uses reserved fields\n");
2561 if (insn
[0].code
== (BPF_LD
| BPF_IMM
| BPF_DW
)) {
2562 struct bpf_map
*map
;
2565 if (i
== insn_cnt
- 1 || insn
[1].code
!= 0 ||
2566 insn
[1].dst_reg
!= 0 || insn
[1].src_reg
!= 0 ||
2568 verbose("invalid bpf_ld_imm64 insn\n");
2572 if (insn
->src_reg
== 0)
2573 /* valid generic load 64-bit imm */
2576 if (insn
->src_reg
!= BPF_PSEUDO_MAP_FD
) {
2577 verbose("unrecognized bpf_ld_imm64 insn\n");
2581 f
= fdget(insn
->imm
);
2582 map
= __bpf_map_get(f
);
2584 verbose("fd %d is not pointing to valid bpf_map\n",
2586 return PTR_ERR(map
);
2589 err
= check_map_prog_compatibility(map
, env
->prog
);
2595 /* store map pointer inside BPF_LD_IMM64 instruction */
2596 insn
[0].imm
= (u32
) (unsigned long) map
;
2597 insn
[1].imm
= ((u64
) (unsigned long) map
) >> 32;
2599 /* check whether we recorded this map already */
2600 for (j
= 0; j
< env
->used_map_cnt
; j
++)
2601 if (env
->used_maps
[j
] == map
) {
2606 if (env
->used_map_cnt
>= MAX_USED_MAPS
) {
2611 /* hold the map. If the program is rejected by verifier,
2612 * the map will be released by release_maps() or it
2613 * will be used by the valid program until it's unloaded
2614 * and all maps are released in free_bpf_prog_info()
2616 map
= bpf_map_inc(map
, false);
2619 return PTR_ERR(map
);
2621 env
->used_maps
[env
->used_map_cnt
++] = map
;
2630 /* now all pseudo BPF_LD_IMM64 instructions load valid
2631 * 'struct bpf_map *' into a register instead of user map_fd.
2632 * These pointers will be used later by verifier to validate map access.
2637 /* drop refcnt of maps used by the rejected program */
2638 static void release_maps(struct bpf_verifier_env
*env
)
2642 for (i
= 0; i
< env
->used_map_cnt
; i
++)
2643 bpf_map_put(env
->used_maps
[i
]);
2646 /* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */
2647 static void convert_pseudo_ld_imm64(struct bpf_verifier_env
*env
)
2649 struct bpf_insn
*insn
= env
->prog
->insnsi
;
2650 int insn_cnt
= env
->prog
->len
;
2653 for (i
= 0; i
< insn_cnt
; i
++, insn
++)
2654 if (insn
->code
== (BPF_LD
| BPF_IMM
| BPF_DW
))
2658 /* convert load instructions that access fields of 'struct __sk_buff'
2659 * into sequence of instructions that access fields of 'struct sk_buff'
2661 static int convert_ctx_accesses(struct bpf_verifier_env
*env
)
2663 const struct bpf_verifier_ops
*ops
= env
->prog
->aux
->ops
;
2664 const int insn_cnt
= env
->prog
->len
;
2665 struct bpf_insn insn_buf
[16], *insn
;
2666 struct bpf_prog
*new_prog
;
2667 enum bpf_access_type type
;
2668 int i
, cnt
, delta
= 0;
2670 if (ops
->gen_prologue
) {
2671 cnt
= ops
->gen_prologue(insn_buf
, env
->seen_direct_write
,
2673 if (cnt
>= ARRAY_SIZE(insn_buf
)) {
2674 verbose("bpf verifier is misconfigured\n");
2677 new_prog
= bpf_patch_insn_single(env
->prog
, 0,
2681 env
->prog
= new_prog
;
2686 if (!ops
->convert_ctx_access
)
2689 insn
= env
->prog
->insnsi
+ delta
;
2691 for (i
= 0; i
< insn_cnt
; i
++, insn
++) {
2692 if (insn
->code
== (BPF_LDX
| BPF_MEM
| BPF_W
) ||
2693 insn
->code
== (BPF_LDX
| BPF_MEM
| BPF_DW
))
2695 else if (insn
->code
== (BPF_STX
| BPF_MEM
| BPF_W
) ||
2696 insn
->code
== (BPF_STX
| BPF_MEM
| BPF_DW
))
2701 if (env
->insn_aux_data
[i
].ptr_type
!= PTR_TO_CTX
)
2704 cnt
= ops
->convert_ctx_access(type
, insn
->dst_reg
, insn
->src_reg
,
2705 insn
->off
, insn_buf
, env
->prog
);
2706 if (cnt
== 0 || cnt
>= ARRAY_SIZE(insn_buf
)) {
2707 verbose("bpf verifier is misconfigured\n");
2711 new_prog
= bpf_patch_insn_single(env
->prog
, i
+ delta
, insn_buf
,
2718 /* keep walking new program and skip insns we just inserted */
2719 env
->prog
= new_prog
;
2720 insn
= new_prog
->insnsi
+ i
+ delta
;
2726 static void free_states(struct bpf_verifier_env
*env
)
2728 struct bpf_verifier_state_list
*sl
, *sln
;
2731 if (!env
->explored_states
)
2734 for (i
= 0; i
< env
->prog
->len
; i
++) {
2735 sl
= env
->explored_states
[i
];
2738 while (sl
!= STATE_LIST_MARK
) {
2745 kfree(env
->explored_states
);
2748 int bpf_check(struct bpf_prog
**prog
, union bpf_attr
*attr
)
2750 char __user
*log_ubuf
= NULL
;
2751 struct bpf_verifier_env
*env
;
2754 if ((*prog
)->len
<= 0 || (*prog
)->len
> BPF_MAXINSNS
)
2757 /* 'struct bpf_verifier_env' can be global, but since it's not small,
2758 * allocate/free it every time bpf_check() is called
2760 env
= kzalloc(sizeof(struct bpf_verifier_env
), GFP_KERNEL
);
2764 env
->insn_aux_data
= vzalloc(sizeof(struct bpf_insn_aux_data
) *
2767 if (!env
->insn_aux_data
)
2771 /* grab the mutex to protect few globals used by verifier */
2772 mutex_lock(&bpf_verifier_lock
);
2774 if (attr
->log_level
|| attr
->log_buf
|| attr
->log_size
) {
2775 /* user requested verbose verifier output
2776 * and supplied buffer to store the verification trace
2778 log_level
= attr
->log_level
;
2779 log_ubuf
= (char __user
*) (unsigned long) attr
->log_buf
;
2780 log_size
= attr
->log_size
;
2784 /* log_* values have to be sane */
2785 if (log_size
< 128 || log_size
> UINT_MAX
>> 8 ||
2786 log_level
== 0 || log_ubuf
== NULL
)
2790 log_buf
= vmalloc(log_size
);
2797 ret
= replace_map_fd_with_map_ptr(env
);
2799 goto skip_full_check
;
2801 env
->explored_states
= kcalloc(env
->prog
->len
,
2802 sizeof(struct bpf_verifier_state_list
*),
2805 if (!env
->explored_states
)
2806 goto skip_full_check
;
2808 ret
= check_cfg(env
);
2810 goto skip_full_check
;
2812 env
->allow_ptr_leaks
= capable(CAP_SYS_ADMIN
);
2814 ret
= do_check(env
);
2817 while (pop_stack(env
, NULL
) >= 0);
2821 /* program is valid, convert *(u32*)(ctx + off) accesses */
2822 ret
= convert_ctx_accesses(env
);
2824 if (log_level
&& log_len
>= log_size
- 1) {
2825 BUG_ON(log_len
>= log_size
);
2826 /* verifier log exceeded user supplied buffer */
2828 /* fall through to return what was recorded */
2831 /* copy verifier log back to user space including trailing zero */
2832 if (log_level
&& copy_to_user(log_ubuf
, log_buf
, log_len
+ 1) != 0) {
2837 if (ret
== 0 && env
->used_map_cnt
) {
2838 /* if program passed verifier, update used_maps in bpf_prog_info */
2839 env
->prog
->aux
->used_maps
= kmalloc_array(env
->used_map_cnt
,
2840 sizeof(env
->used_maps
[0]),
2843 if (!env
->prog
->aux
->used_maps
) {
2848 memcpy(env
->prog
->aux
->used_maps
, env
->used_maps
,
2849 sizeof(env
->used_maps
[0]) * env
->used_map_cnt
);
2850 env
->prog
->aux
->used_map_cnt
= env
->used_map_cnt
;
2852 /* program is valid. Convert pseudo bpf_ld_imm64 into generic
2853 * bpf_ld_imm64 instructions
2855 convert_pseudo_ld_imm64(env
);
2861 if (!env
->prog
->aux
->used_maps
)
2862 /* if we didn't copy map pointers into bpf_prog_info, release
2863 * them now. Otherwise free_bpf_prog_info() will release them.
2868 mutex_unlock(&bpf_verifier_lock
);
2869 vfree(env
->insn_aux_data
);
2875 int bpf_analyzer(struct bpf_prog
*prog
, const struct bpf_ext_analyzer_ops
*ops
,
2878 struct bpf_verifier_env
*env
;
2881 env
= kzalloc(sizeof(struct bpf_verifier_env
), GFP_KERNEL
);
2885 env
->insn_aux_data
= vzalloc(sizeof(struct bpf_insn_aux_data
) *
2888 if (!env
->insn_aux_data
)
2891 env
->analyzer_ops
= ops
;
2892 env
->analyzer_priv
= priv
;
2894 /* grab the mutex to protect few globals used by verifier */
2895 mutex_lock(&bpf_verifier_lock
);
2899 env
->explored_states
= kcalloc(env
->prog
->len
,
2900 sizeof(struct bpf_verifier_state_list
*),
2903 if (!env
->explored_states
)
2904 goto skip_full_check
;
2906 ret
= check_cfg(env
);
2908 goto skip_full_check
;
2910 env
->allow_ptr_leaks
= capable(CAP_SYS_ADMIN
);
2912 ret
= do_check(env
);
2915 while (pop_stack(env
, NULL
) >= 0);
2918 mutex_unlock(&bpf_verifier_lock
);
2919 vfree(env
->insn_aux_data
);
2924 EXPORT_SYMBOL_GPL(bpf_analyzer
);