1. 27 Aug, 2020 2 commits
    • Yonghong Song's avatar
      selftests/bpf: Add verifier tests for xor operation · f5493c51
      Yonghong Song authored
      Added some test_verifier bounds check test cases for
      xor operations.
        $ ./test_verifier
        ...
        #78/u bounds check for reg = 0, reg xor 1 OK
        #78/p bounds check for reg = 0, reg xor 1 OK
        #79/u bounds check for reg32 = 0, reg32 xor 1 OK
        #79/p bounds check for reg32 = 0, reg32 xor 1 OK
        #80/u bounds check for reg = 2, reg xor 3 OK
        #80/p bounds check for reg = 2, reg xor 3 OK
        #81/u bounds check for reg = any, reg xor 3 OK
        #81/p bounds check for reg = any, reg xor 3 OK
        #82/u bounds check for reg32 = any, reg32 xor 3 OK
        #82/p bounds check for reg32 = any, reg32 xor 3 OK
        #83/u bounds check for reg > 0, reg xor 3 OK
        #83/p bounds check for reg > 0, reg xor 3 OK
        #84/u bounds check for reg32 > 0, reg32 xor 3 OK
        #84/p bounds check for reg32 > 0, reg32 xor 3 OK
        ...
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Cc: John Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20200825064609.2018077-1-yhs@fb.com
      f5493c51
    • Yonghong Song's avatar
      bpf: Fix a verifier failure with xor · 2921c90d
      Yonghong Song authored
      bpf selftest test_progs/test_sk_assign failed with llvm 11 and llvm 12.
      Compared to llvm 10, llvm 11 and 12 generates xor instruction which
      is not handled properly in verifier. The following illustrates the
      problem:
      
        16: (b4) w5 = 0
        17: ... R5_w=inv0 ...
        ...
        132: (a4) w5 ^= 1
        133: ... R5_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) ...
        ...
        37: (bc) w8 = w5
        38: ... R5=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff))
                R8_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) ...
        ...
        41: (bc) w3 = w8
        42: ... R3_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) ...
        45: (56) if w3 != 0x0 goto pc+1
         ... R3_w=inv0 ...
        46: (b7) r1 = 34
        47: R1_w=inv34 R7=pkt(id=0,off=26,r=38,imm=0)
        47: (0f) r7 += r1
        48: R1_w=invP34 R3_w=inv0 R7_w=pkt(id=0,off=60,r=38,imm=0)
        48: (b4) w9 = 0
        49: R1_w=invP34 R3_w=inv0 R7_w=pkt(id=0,off=60,r=38,imm=0)
        49: (69) r1 = *(u16 *)(r7 +0)
        invalid access to packet, off=60 size=2, R7(id=0,off=60,r=38)
        R7 offset is outside of the packet
      
      At above insn 132, w5 = 0, but after w5 ^= 1, we give a really conservative
      value of w5. At insn 45, in reality the condition should be always false.
      But due to conservative value for w3, the verifier evaluates it could be
      true and this later leads to verifier failure complaining potential
      packet out-of-bound access.
      
      This patch implemented proper XOR support in verifier.
      In the above example, we have:
        132: R5=invP0
        132: (a4) w5 ^= 1
        133: R5_w=invP1
        ...
        37: (bc) w8 = w5
        ...
        41: (bc) w3 = w8
        42: R3_w=invP1
        ...
        45: (56) if w3 != 0x0 goto pc+1
        47: R3_w=invP1
        ...
        processed 353 insns ...
      and the verifier can verify the program successfully.
      Signed-off-by: default avatarYonghong Song <yhs@fb.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Link: https://lore.kernel.org/bpf/20200825064608.2017937-1-yhs@fb.com
      2921c90d
  2. 26 Aug, 2020 8 commits
  3. 25 Aug, 2020 26 commits
  4. 24 Aug, 2020 4 commits