git.baikalelectronics.ru Git - kernel.git/commit

author	Brendan Jackman <jackmanb@google.com>
	Tue, 2 Feb 2021 13:50:02 +0000 (13:50 +0000)
committer	Alexei Starovoitov <ast@kernel.org>
	Wed, 3 Feb 2021 02:23:29 +0000 (18:23 -0800)
commit	f33f93ce3900473dafb49bf5c2ae4da598973866
tree	39949b12b17a29dfcfe61ee2c560c3bc137030c6	tree \| snapshot
parent	da689cdc6f119cd5f80dfe5bfc3c2b9f9b765f5c	commit \| diff

bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH

When BPF_FETCH is set, atomic instructions load a value from memory
into a register. The current verifier code first checks via
check_mem_access whether we can access the memory, and then checks
via check_reg_arg whether we can write into the register.

For loads, check_reg_arg has the side-effect of marking the
register's value as unkonwn, and check_mem_access has the side effect
of propagating bounds from memory to the register. This currently only
takes effect for stack memory.

Therefore with the current order, bounds information is thrown away,
but by simply reversing the order of check_reg_arg
vs. check_mem_access, we can instead propagate bounds smartly.

A simple test is added with an infinite loop that can only be proved
unreachable if this propagation is present. This is implemented both
with C and directly in test_verifier using assembly.

Suggested-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Brendan Jackman <jackmanb@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20210202135002.4024825-1-jackmanb@google.com

kernel/bpf/verifier.c		diff \| blob \| history
tools/testing/selftests/bpf/prog_tests/atomic_bounds.c	[new file with mode: 0644]	blob
tools/testing/selftests/bpf/progs/atomic_bounds.c	[new file with mode: 0644]	blob
tools/testing/selftests/bpf/verifier/atomic_bounds.c	[new file with mode: 0644]	blob