bpf: enhance verifier to understand stack pointer arithmetic

BugLink: http://bugs.launchpad.net/bugs/1691369
[ Upstream commit 332270fdc8b6fba07d059a9ad44df9e1a2ad4529 ]

llvm 4.0 and above generates the code like below:
....
440: (b7) r1 = 15
441: (05) goto pc+73
515: (79) r6 = *(u64 *)(r10 -152)
516: (bf) r7 = r10
517: (07) r7 += -112
518: (bf) r2 = r7
519: (0f) r2 += r1
520: (71) r1 = *(u8 *)(r8 +0)
521: (73) *(u8 *)(r2 +45) = r1
....
and the verifier complains "R2 invalid mem access 'inv'" for insn #521.
This is because verifier marks register r2 as unknown value after #519
where r2 is a stack pointer and r1 holds a constant value.

Teach verifier to recognize "stack_ptr + imm" and
"stack_ptr + reg with const val" as valid stack_ptr with new offset.

Signed-off-by: Yonghong Song <yhs@fb.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f3c938ba87a2ef5d5f3afe0828e8b2203fcb6663..ce16f806159b2d15cb36d73f1e0dbc296c7061aa 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1777,6 +1777,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
                        dst_reg->type = PTR_TO_STACK;
                        dst_reg->imm = insn->imm;
                        return 0;
+               } else if (opcode == BPF_ADD &&
+                          BPF_CLASS(insn->code) == BPF_ALU64 &&
+                          dst_reg->type == PTR_TO_STACK &&
+                          ((BPF_SRC(insn->code) == BPF_X &&
+                            regs[insn->src_reg].type == CONST_IMM) ||
+                           BPF_SRC(insn->code) == BPF_K)) {
+                       if (BPF_SRC(insn->code) == BPF_X)
+                               dst_reg->imm += regs[insn->src_reg].imm;
+                       else
+                               dst_reg->imm += insn->imm;
+                       return 0;
                } else if (opcode == BPF_ADD &&
                           BPF_CLASS(insn->code) == BPF_ALU64 &&
                           (dst_reg->type == PTR_TO_PACKET ||

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index e1aea9e60f33325cf6a7106bf2836a5feba47714..35e9f50e40b4b73e34dde597d259ee32eb6ccadc 100644 (file)
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -1357,16 +1357,22 @@ static struct bpf_test tests[] = {
                .result = ACCEPT,
        },
        {
-               "unpriv: obfuscate stack pointer",
+               "stack pointer arithmetic",
                .insns = {
-                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
-                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
-                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                       BPF_MOV64_IMM(BPF_REG_1, 4),
+                       BPF_JMP_IMM(BPF_JA, 0, 0, 0),
+                       BPF_MOV64_REG(BPF_REG_7, BPF_REG_10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_7, -10),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
+                       BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_1),
+                       BPF_ST_MEM(0, BPF_REG_2, 4, 0),
+                       BPF_MOV64_REG(BPF_REG_2, BPF_REG_7),
+                       BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, 8),
+                       BPF_ST_MEM(0, BPF_REG_2, 4, 0),
                        BPF_MOV64_IMM(BPF_REG_0, 0),
                        BPF_EXIT_INSN(),
                },
-               .errstr_unpriv = "R2 pointer arithmetic",
-               .result_unpriv = REJECT,
                .result = ACCEPT,
        },
        {