Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 74b200d5 authored by David S. Miller's avatar David S. Miller
Browse files

Merge branch 'BPF-range-marking-improvements-for-meta-data' 



Daniel Borkmann says:

====================
BPF range marking improvements for meta data

The set contains improvements for direct packet access range
markings related to data_meta pointer and test cases for all
such access patterns that the verifier matches on.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 1495dc9f 634eab11

kernel/bpf/verifier.c

+97 −70
Original line number Diff line number Diff line
@@ -2532,7 +2532,7 @@ static void find_good_pkt_pointers(struct bpf_verifier_state *state, 
			continue;

		reg = &state->stack[i].spilled_ptr;

		if (reg->type == type && reg->id == dst_reg->id)

			reg->range = max_t(u16, reg->range, new_range);

			reg->range = max(reg->range, new_range);

	}

}
@@ -2787,6 +2787,99 @@ static void mark_map_regs(struct bpf_verifier_state *state, u32 regno, 
	}

}



static bool try_match_pkt_pointers(const struct bpf_insn *insn,

				   struct bpf_reg_state *dst_reg,

				   struct bpf_reg_state *src_reg,

				   struct bpf_verifier_state *this_branch,

				   struct bpf_verifier_state *other_branch)

{

	if (BPF_SRC(insn->code) != BPF_X)

		return false;



	switch (BPF_OP(insn->code)) {

	case BPF_JGT:

		if ((dst_reg->type == PTR_TO_PACKET &&

		     src_reg->type == PTR_TO_PACKET_END) ||

		    (dst_reg->type == PTR_TO_PACKET_META &&

		     reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {

			/* pkt_data' > pkt_end, pkt_meta' > pkt_data */

			find_good_pkt_pointers(this_branch, dst_reg,

					       dst_reg->type, false);

		} else if ((dst_reg->type == PTR_TO_PACKET_END &&

			    src_reg->type == PTR_TO_PACKET) ||

			   (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&

			    src_reg->type == PTR_TO_PACKET_META)) {

			/* pkt_end > pkt_data', pkt_data > pkt_meta' */

			find_good_pkt_pointers(other_branch, src_reg,

					       src_reg->type, true);

		} else {

			return false;

		}

		break;

	case BPF_JLT:

		if ((dst_reg->type == PTR_TO_PACKET &&

		     src_reg->type == PTR_TO_PACKET_END) ||

		    (dst_reg->type == PTR_TO_PACKET_META &&

		     reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {

			/* pkt_data' < pkt_end, pkt_meta' < pkt_data */

			find_good_pkt_pointers(other_branch, dst_reg,

					       dst_reg->type, true);

		} else if ((dst_reg->type == PTR_TO_PACKET_END &&

			    src_reg->type == PTR_TO_PACKET) ||

			   (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&

			    src_reg->type == PTR_TO_PACKET_META)) {

			/* pkt_end < pkt_data', pkt_data > pkt_meta' */

			find_good_pkt_pointers(this_branch, src_reg,

					       src_reg->type, false);

		} else {

			return false;

		}

		break;

	case BPF_JGE:

		if ((dst_reg->type == PTR_TO_PACKET &&

		     src_reg->type == PTR_TO_PACKET_END) ||

		    (dst_reg->type == PTR_TO_PACKET_META &&

		     reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {

			/* pkt_data' >= pkt_end, pkt_meta' >= pkt_data */

			find_good_pkt_pointers(this_branch, dst_reg,

					       dst_reg->type, true);

		} else if ((dst_reg->type == PTR_TO_PACKET_END &&

			    src_reg->type == PTR_TO_PACKET) ||

			   (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&

			    src_reg->type == PTR_TO_PACKET_META)) {

			/* pkt_end >= pkt_data', pkt_data >= pkt_meta' */

			find_good_pkt_pointers(other_branch, src_reg,

					       src_reg->type, false);

		} else {

			return false;

		}

		break;

	case BPF_JLE:

		if ((dst_reg->type == PTR_TO_PACKET &&

		     src_reg->type == PTR_TO_PACKET_END) ||

		    (dst_reg->type == PTR_TO_PACKET_META &&

		     reg_is_init_pkt_pointer(src_reg, PTR_TO_PACKET))) {

			/* pkt_data' <= pkt_end, pkt_meta' <= pkt_data */

			find_good_pkt_pointers(other_branch, dst_reg,

					       dst_reg->type, false);

		} else if ((dst_reg->type == PTR_TO_PACKET_END &&

			    src_reg->type == PTR_TO_PACKET) ||

			   (reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&

			    src_reg->type == PTR_TO_PACKET_META)) {

			/* pkt_end <= pkt_data', pkt_data <= pkt_meta' */

			find_good_pkt_pointers(this_branch, src_reg,

					       src_reg->type, true);

		} else {

			return false;

		}

		break;

	default:

		return false;

	}



	return true;

}



static int check_cond_jmp_op(struct bpf_verifier_env *env,

			     struct bpf_insn *insn, int *insn_idx)

{
@@ -2893,75 +2986,9 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, 
		 */

		mark_map_regs(this_branch, insn->dst_reg, opcode == BPF_JNE);

		mark_map_regs(other_branch, insn->dst_reg, opcode == BPF_JEQ);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGT &&

		   dst_reg->type == PTR_TO_PACKET &&

		   regs[insn->src_reg].type == PTR_TO_PACKET_END) {

		/* pkt_data' > pkt_end */

		find_good_pkt_pointers(this_branch, dst_reg,

				       PTR_TO_PACKET, false);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGT &&

		   dst_reg->type == PTR_TO_PACKET_END &&

		   regs[insn->src_reg].type == PTR_TO_PACKET) {

		/* pkt_end > pkt_data' */

		find_good_pkt_pointers(other_branch, &regs[insn->src_reg],

				       PTR_TO_PACKET, true);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLT &&

		   dst_reg->type == PTR_TO_PACKET &&

		   regs[insn->src_reg].type == PTR_TO_PACKET_END) {

		/* pkt_data' < pkt_end */

		find_good_pkt_pointers(other_branch, dst_reg, PTR_TO_PACKET,

				       true);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLT &&

		   dst_reg->type == PTR_TO_PACKET_END &&

		   regs[insn->src_reg].type == PTR_TO_PACKET) {

		/* pkt_end < pkt_data' */

		find_good_pkt_pointers(this_branch, &regs[insn->src_reg],

				       PTR_TO_PACKET, false);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGE &&

		   dst_reg->type == PTR_TO_PACKET &&

		   regs[insn->src_reg].type == PTR_TO_PACKET_END) {

		/* pkt_data' >= pkt_end */

		find_good_pkt_pointers(this_branch, dst_reg,

				       PTR_TO_PACKET, true);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGE &&

		   dst_reg->type == PTR_TO_PACKET_END &&

		   regs[insn->src_reg].type == PTR_TO_PACKET) {

		/* pkt_end >= pkt_data' */

		find_good_pkt_pointers(other_branch, &regs[insn->src_reg],

				       PTR_TO_PACKET, false);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLE &&

		   dst_reg->type == PTR_TO_PACKET &&

		   regs[insn->src_reg].type == PTR_TO_PACKET_END) {

		/* pkt_data' <= pkt_end */

		find_good_pkt_pointers(other_branch, dst_reg,

				       PTR_TO_PACKET, false);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLE &&

		   dst_reg->type == PTR_TO_PACKET_END &&

		   regs[insn->src_reg].type == PTR_TO_PACKET) {

		/* pkt_end <= pkt_data' */

		find_good_pkt_pointers(this_branch, &regs[insn->src_reg],

				       PTR_TO_PACKET, true);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGT &&

		   dst_reg->type == PTR_TO_PACKET_META &&

		   reg_is_init_pkt_pointer(&regs[insn->src_reg], PTR_TO_PACKET)) {

		find_good_pkt_pointers(this_branch, dst_reg,

				       PTR_TO_PACKET_META, false);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLT &&

		   dst_reg->type == PTR_TO_PACKET_META &&

		   reg_is_init_pkt_pointer(&regs[insn->src_reg], PTR_TO_PACKET)) {

		find_good_pkt_pointers(other_branch, dst_reg,

				       PTR_TO_PACKET_META, false);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGE &&

		   reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&

		   regs[insn->src_reg].type == PTR_TO_PACKET_META) {

		find_good_pkt_pointers(other_branch, &regs[insn->src_reg],

				       PTR_TO_PACKET_META, false);

	} else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JLE &&

		   reg_is_init_pkt_pointer(dst_reg, PTR_TO_PACKET) &&

		   regs[insn->src_reg].type == PTR_TO_PACKET_META) {

		find_good_pkt_pointers(this_branch, &regs[insn->src_reg],

				       PTR_TO_PACKET_META, false);

	} else if (is_pointer_value(env, insn->dst_reg)) {

	} else if (!try_match_pkt_pointers(insn, dst_reg, &regs[insn->src_reg],

					   this_branch, other_branch) &&

		   is_pointer_value(env, insn->dst_reg)) {

		verbose(env, "R%d pointer comparison prohibited\n",

			insn->dst_reg);

		return -EACCES;

tools/testing/selftests/bpf/test_verifier.c

+497 −55

File changed.

Preview size limit exceeded, changes collapsed.