From: Eduard Zingerman <eddyz87@gmail.com>
To: Kui-Feng Lee <thinker.li@gmail.com>,
	bpf@vger.kernel.org, ast@kernel.org,  martin.lau@linux.dev,
	song@kernel.org, kernel-team@meta.com, andrii@kernel.org
Cc: sinquersw@gmail.com, kuifeng@meta.com
Subject: Re: [PATCH bpf-next 04/11] bpf: check_map_kptr_access() compute the offset from the reg state.
Date: Fri, 12 Apr 2024 01:13:08 +0300
Message-ID: <51436d219e351558fdb6b57641280039540754ee.camel@gmail.com>
In-Reply-To: <20240410004150.2917641-5-thinker.li@gmail.com>

On Tue, 2024-04-09 at 17:41 -0700, Kui-Feng Lee wrote:
> Previously, check_map_kptr_access() assumed that the accessed offset was
> identical to the offset in the btf_field. However, once field array is
> supported, the accessed offset no longer matches the offset in the
> bpf_field. It may refer to an element in an array while the offset in the
> bpf_field refers to the beginning of the array.
> 
> To handle arrays, it computes the offset from the reg state instead.
> 
> Signed-off-by: Kui-Feng Lee <thinker.li@gmail.com>
> ---

Acked-by: Eduard Zingerman <eddyz87@gmail.com>

>  kernel/bpf/verifier.c | 15 +++++++++------
>  1 file changed, 9 insertions(+), 6 deletions(-)
> 
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 86adacc5f76c..34e43220c6f0 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -5349,18 +5349,19 @@ static u32 btf_ld_kptr_type(struct bpf_verifier_env *env, struct btf_field *kptr
>  }
>  
>  static int check_map_kptr_access(struct bpf_verifier_env *env, u32 regno,
> -				 int value_regno, int insn_idx,
> +				 u32 offset, int value_regno, int insn_idx,
>  				 struct btf_field *kptr_field)
>  {
>  	struct bpf_insn *insn = &env->prog->insnsi[insn_idx];
>  	int class = BPF_CLASS(insn->code);
> -	struct bpf_reg_state *val_reg;
> +	struct bpf_reg_state *val_reg, *reg;
>  
>  	/* Things we already checked for in check_map_access and caller:

Nit: at the moment when this patch is applied check_map_access is not
     yet modified.

>  	 *  - Reject cases where variable offset may touch kptr
>  	 *  - size of access (must be BPF_DW)
>  	 *  - tnum_is_const(reg->var_off)
> -	 *  - kptr_field->offset == off + reg->var_off.value
> +	 *  - kptr_field->offset + kptr_field->size * i / kptr_field->nelems
> +	 *    == off + reg->var_off.value where n is an index into the array
                                           ^^^ nit: this should be 'i'

>  	 */
>  	/* Only BPF_[LDX,STX,ST] | BPF_MEM | BPF_DW is supported */
>  	if (BPF_MODE(insn->code) != BPF_MEM) {
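
Review bot: the updated invariant in the comment of check_map_kptr_access(), `kptr_field->offset + kptr_field->size * i / kptr_field->nelems == off + reg->var_off.value`, never bounds `i` and never says that `kptr_field->size` covers the whole array, so the per-element stride is implied rather than stated. Consider adding `0 <= i < kptr_field->nelems` to the list of things already checked. The comment also still refers to `off`, while the signature now takes `u32 offset` and the function gains a `reg` local; it would help to say how the new parameter relates to `off + reg->var_off.value` and whether the caller or this function derives it from the reg state, as the commit message describes.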

[...]

