| /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com |
| * Copyright (c) 2016 Facebook |
| * Copyright (c) 2018 Covalent IO, Inc. http://covalent.io |
| * |
| * This program is free software; you can redistribute it and/or |
| * modify it under the terms of version 2 of the GNU General Public |
| * License as published by the Free Software Foundation. |
| * |
| * This program is distributed in the hope that it will be useful, but |
| * WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| * General Public License for more details. |
| */ |
| #include <uapi/linux/btf.h> |
| #include <linux/kernel.h> |
| #include <linux/types.h> |
| #include <linux/slab.h> |
| #include <linux/bpf.h> |
| #include <linux/btf.h> |
| #include <linux/bpf_verifier.h> |
| #include <linux/filter.h> |
| #include <net/netlink.h> |
| #include <linux/file.h> |
| #include <linux/vmalloc.h> |
| #include <linux/stringify.h> |
| #include <linux/bsearch.h> |
| #include <linux/sort.h> |
| #include <linux/perf_event.h> |
| #include <linux/ctype.h> |
| |
| #include "disasm.h" |
| |
| static const struct bpf_verifier_ops * const bpf_verifier_ops[] = { |
| #define BPF_PROG_TYPE(_id, _name) \ |
| [_id] = & _name ## _verifier_ops, |
| #define BPF_MAP_TYPE(_id, _ops) |
| #include <linux/bpf_types.h> |
| #undef BPF_PROG_TYPE |
| #undef BPF_MAP_TYPE |
| }; |
| |
| /* bpf_check() is a static code analyzer that walks eBPF program |
| * instruction by instruction and updates register/stack state. |
| * All paths of conditional branches are analyzed until 'bpf_exit' insn. |
| * |
| * The first pass is depth-first-search to check that the program is a DAG. |
| * It rejects the following programs: |
| * - larger than BPF_MAXINSNS insns |
| * - if loop is present (detected via back-edge) |
| * - unreachable insns exist (shouldn't be a forest. program = one function) |
| * - out of bounds or malformed jumps |
| * The second pass is all possible path descent from the 1st insn. |
| * Since it's analyzing all pathes through the program, the length of the |
| * analysis is limited to 64k insn, which may be hit even if total number of |
| * insn is less then 4K, but there are too many branches that change stack/regs. |
| * Number of 'branches to be analyzed' is limited to 1k |
| * |
| * On entry to each instruction, each register has a type, and the instruction |
| * changes the types of the registers depending on instruction semantics. |
| * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is |
| * copied to R1. |
| * |
| * All registers are 64-bit. |
| * R0 - return register |
| * R1-R5 argument passing registers |
| * R6-R9 callee saved registers |
| * R10 - frame pointer read-only |
| * |
| * At the start of BPF program the register R1 contains a pointer to bpf_context |
| * and has type PTR_TO_CTX. |
| * |
| * Verifier tracks arithmetic operations on pointers in case: |
| * BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), |
| * BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20), |
| * 1st insn copies R10 (which has FRAME_PTR) type into R1 |
| * and 2nd arithmetic instruction is pattern matched to recognize |
| * that it wants to construct a pointer to some element within stack. |
| * So after 2nd insn, the register R1 has type PTR_TO_STACK |
| * (and -20 constant is saved for further stack bounds checking). |
| * Meaning that this reg is a pointer to stack plus known immediate constant. |
| * |
| * Most of the time the registers have SCALAR_VALUE type, which |
| * means the register has some value, but it's not a valid pointer. |
| * (like pointer plus pointer becomes SCALAR_VALUE type) |
| * |
| * When verifier sees load or store instructions the type of base register |
| * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, PTR_TO_STACK, PTR_TO_SOCKET. These are |
| * four pointer types recognized by check_mem_access() function. |
| * |
| * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value' |
| * and the range of [ptr, ptr + map's value_size) is accessible. |
| * |
| * registers used to pass values to function calls are checked against |
| * function argument constraints. |
| * |
| * ARG_PTR_TO_MAP_KEY is one of such argument constraints. |
| * It means that the register type passed to this function must be |
| * PTR_TO_STACK and it will be used inside the function as |
| * 'pointer to map element key' |
| * |
| * For example the argument constraints for bpf_map_lookup_elem(): |
| * .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, |
| * .arg1_type = ARG_CONST_MAP_PTR, |
| * .arg2_type = ARG_PTR_TO_MAP_KEY, |
| * |
| * ret_type says that this function returns 'pointer to map elem value or null' |
| * function expects 1st argument to be a const pointer to 'struct bpf_map' and |
| * 2nd argument should be a pointer to stack, which will be used inside |
| * the helper function as a pointer to map element key. |
| * |
| * On the kernel side the helper function looks like: |
| * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) |
| * { |
| * struct bpf_map *map = (struct bpf_map *) (unsigned long) r1; |
| * void *key = (void *) (unsigned long) r2; |
| * void *value; |
| * |
| * here kernel can access 'key' and 'map' pointers safely, knowing that |
| * [key, key + map->key_size) bytes are valid and were initialized on |
| * the stack of eBPF program. |
| * } |
| * |
| * Corresponding eBPF program may look like: |
| * BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), // after this insn R2 type is FRAME_PTR |
| * BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK |
| * BPF_LD_MAP_FD(BPF_REG_1, map_fd), // after this insn R1 type is CONST_PTR_TO_MAP |
| * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), |
| * here verifier looks at prototype of map_lookup_elem() and sees: |
| * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok, |
| * Now verifier knows that this map has key of R1->map_ptr->key_size bytes |
| * |
| * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far, |
| * Now verifier checks that [R2, R2 + map's key_size) are within stack limits |
| * and were initialized prior to this call. |
| * If it's ok, then verifier allows this BPF_CALL insn and looks at |
| * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets |
| * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function |
| * returns ether pointer to map value or NULL. |
| * |
| * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off' |
| * insn, the register holding that pointer in the true branch changes state to |
| * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false |
| * branch. See check_cond_jmp_op(). |
| * |
| * After the call R0 is set to return type of the function and registers R1-R5 |
| * are set to NOT_INIT to indicate that they are no longer readable. |
| * |
| * The following reference types represent a potential reference to a kernel |
| * resource which, after first being allocated, must be checked and freed by |
| * the BPF program: |
| * - PTR_TO_SOCKET_OR_NULL, PTR_TO_SOCKET |
| * |
| * When the verifier sees a helper call return a reference type, it allocates a |
| * pointer id for the reference and stores it in the current function state. |
| * Similar to the way that PTR_TO_MAP_VALUE_OR_NULL is converted into |
| * PTR_TO_MAP_VALUE, PTR_TO_SOCKET_OR_NULL becomes PTR_TO_SOCKET when the type |
| * passes through a NULL-check conditional. For the branch wherein the state is |
| * changed to CONST_IMM, the verifier releases the reference. |
| * |
| * For each helper function that allocates a reference, such as |
| * bpf_sk_lookup_tcp(), there is a corresponding release function, such as |
| * bpf_sk_release(). When a reference type passes into the release function, |
| * the verifier also releases the reference. If any unchecked or unreleased |
| * reference remains at the end of the program, the verifier rejects it. |
| */ |
| |
| /* verifier_state + insn_idx are pushed to stack when branch is encountered */ |
| struct bpf_verifier_stack_elem { |
| /* verifer state is 'st' |
| * before processing instruction 'insn_idx' |
| * and after processing instruction 'prev_insn_idx' |
| */ |
| struct bpf_verifier_state st; |
| int insn_idx; |
| int prev_insn_idx; |
| struct bpf_verifier_stack_elem *next; |
| }; |
| |
| #define BPF_COMPLEXITY_LIMIT_INSNS 131072 |
| #define BPF_COMPLEXITY_LIMIT_STACK 1024 |
| #define BPF_COMPLEXITY_LIMIT_STATES 64 |
| |
| #define BPF_MAP_PTR_UNPRIV 1UL |
| #define BPF_MAP_PTR_POISON ((void *)((0xeB9FUL << 1) + \ |
| POISON_POINTER_DELTA)) |
| #define BPF_MAP_PTR(X) ((struct bpf_map *)((X) & ~BPF_MAP_PTR_UNPRIV)) |
| |
| static bool bpf_map_ptr_poisoned(const struct bpf_insn_aux_data *aux) |
| { |
| return BPF_MAP_PTR(aux->map_state) == BPF_MAP_PTR_POISON; |
| } |
| |
| static bool bpf_map_ptr_unpriv(const struct bpf_insn_aux_data *aux) |
| { |
| return aux->map_state & BPF_MAP_PTR_UNPRIV; |
| } |
| |
| static void bpf_map_ptr_store(struct bpf_insn_aux_data *aux, |
| const struct bpf_map *map, bool unpriv) |
| { |
| BUILD_BUG_ON((unsigned long)BPF_MAP_PTR_POISON & BPF_MAP_PTR_UNPRIV); |
| unpriv |= bpf_map_ptr_unpriv(aux); |
| aux->map_state = (unsigned long)map | |
| (unpriv ? BPF_MAP_PTR_UNPRIV : 0UL); |
| } |
| |
| struct bpf_call_arg_meta { |
| struct bpf_map *map_ptr; |
| bool raw_mode; |
| bool pkt_access; |
| int regno; |
| int access_size; |
| s64 msize_smax_value; |
| u64 msize_umax_value; |
| int ref_obj_id; |
| int func_id; |
| }; |
| |
| static DEFINE_MUTEX(bpf_verifier_lock); |
| |
| static const struct bpf_line_info * |
| find_linfo(const struct bpf_verifier_env *env, u32 insn_off) |
| { |
| const struct bpf_line_info *linfo; |
| const struct bpf_prog *prog; |
| u32 i, nr_linfo; |
| |
| prog = env->prog; |
| nr_linfo = prog->aux->nr_linfo; |
| |
| if (!nr_linfo || insn_off >= prog->len) |
| return NULL; |
| |
| linfo = prog->aux->linfo; |
| for (i = 1; i < nr_linfo; i++) |
| if (insn_off < linfo[i].insn_off) |
| break; |
| |
| return &linfo[i - 1]; |
| } |
| |
| void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt, |
| va_list args) |
| { |
| unsigned int n; |
| |
| n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args); |
| |
| WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1, |
| "verifier log line truncated - local buffer too short\n"); |
| |
| n = min(log->len_total - log->len_used - 1, n); |
| log->kbuf[n] = '\0'; |
| |
| if (!copy_to_user(log->ubuf + log->len_used, log->kbuf, n + 1)) |
| log->len_used += n; |
| else |
| log->ubuf = NULL; |
| } |
| |
| /* log_level controls verbosity level of eBPF verifier. |
| * bpf_verifier_log_write() is used to dump the verification trace to the log, |
| * so the user can figure out what's wrong with the program |
| */ |
| __printf(2, 3) void bpf_verifier_log_write(struct bpf_verifier_env *env, |
| const char *fmt, ...) |
| { |
| va_list args; |
| |
| if (!bpf_verifier_log_needed(&env->log)) |
| return; |
| |
| va_start(args, fmt); |
| bpf_verifier_vlog(&env->log, fmt, args); |
| va_end(args); |
| } |
| EXPORT_SYMBOL_GPL(bpf_verifier_log_write); |
| |
| __printf(2, 3) static void verbose(void *private_data, const char *fmt, ...) |
| { |
| struct bpf_verifier_env *env = private_data; |
| va_list args; |
| |
| if (!bpf_verifier_log_needed(&env->log)) |
| return; |
| |
| va_start(args, fmt); |
| bpf_verifier_vlog(&env->log, fmt, args); |
| va_end(args); |
| } |
| |
| static const char *ltrim(const char *s) |
| { |
| while (isspace(*s)) |
| s++; |
| |
| return s; |
| } |
| |
| __printf(3, 4) static void verbose_linfo(struct bpf_verifier_env *env, |
| u32 insn_off, |
| const char *prefix_fmt, ...) |
| { |
| const struct bpf_line_info *linfo; |
| |
| if (!bpf_verifier_log_needed(&env->log)) |
| return; |
| |
| linfo = find_linfo(env, insn_off); |
| if (!linfo || linfo == env->prev_linfo) |
| return; |
| |
| if (prefix_fmt) { |
| va_list args; |
| |
| va_start(args, prefix_fmt); |
| bpf_verifier_vlog(&env->log, prefix_fmt, args); |
| va_end(args); |
| } |
| |
| verbose(env, "%s\n", |
| ltrim(btf_name_by_offset(env->prog->aux->btf, |
| linfo->line_off))); |
| |
| env->prev_linfo = linfo; |
| } |
| |
| static bool type_is_pkt_pointer(enum bpf_reg_type type) |
| { |
| return type == PTR_TO_PACKET || |
| type == PTR_TO_PACKET_META; |
| } |
| |
| static bool type_is_sk_pointer(enum bpf_reg_type type) |
| { |
| return type == PTR_TO_SOCKET || |
| type == PTR_TO_SOCK_COMMON || |
| type == PTR_TO_TCP_SOCK; |
| } |
| |
| static bool reg_type_may_be_null(enum bpf_reg_type type) |
| { |
| return type == PTR_TO_MAP_VALUE_OR_NULL || |
| type == PTR_TO_SOCKET_OR_NULL || |
| type == PTR_TO_SOCK_COMMON_OR_NULL || |
| type == PTR_TO_TCP_SOCK_OR_NULL; |
| } |
| |
| static bool reg_may_point_to_spin_lock(const struct bpf_reg_state *reg) |
| { |
| return reg->type == PTR_TO_MAP_VALUE && |
| map_value_has_spin_lock(reg->map_ptr); |
| } |
| |
| static bool reg_type_may_be_refcounted_or_null(enum bpf_reg_type type) |
| { |
| return type == PTR_TO_SOCKET || |
| type == PTR_TO_SOCKET_OR_NULL || |
| type == PTR_TO_TCP_SOCK || |
| type == PTR_TO_TCP_SOCK_OR_NULL; |
| } |
| |
| static bool arg_type_may_be_refcounted(enum bpf_arg_type type) |
| { |
| return type == ARG_PTR_TO_SOCK_COMMON; |
| } |
| |
| /* Determine whether the function releases some resources allocated by another |
| * function call. The first reference type argument will be assumed to be |
| * released by release_reference(). |
| */ |
| static bool is_release_function(enum bpf_func_id func_id) |
| { |
| return func_id == BPF_FUNC_sk_release; |
| } |
| |
| static bool is_acquire_function(enum bpf_func_id func_id) |
| { |
| return func_id == BPF_FUNC_sk_lookup_tcp || |
| func_id == BPF_FUNC_sk_lookup_udp; |
| } |
| |
| static bool is_ptr_cast_function(enum bpf_func_id func_id) |
| { |
| return func_id == BPF_FUNC_tcp_sock || |
| func_id == BPF_FUNC_sk_fullsock; |
| } |
| |
| /* string representation of 'enum bpf_reg_type' */ |
| static const char * const reg_type_str[] = { |
| [NOT_INIT] = "?", |
| [SCALAR_VALUE] = "inv", |
| [PTR_TO_CTX] = "ctx", |
| [CONST_PTR_TO_MAP] = "map_ptr", |
| [PTR_TO_MAP_VALUE] = "map_value", |
| [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null", |
| [PTR_TO_STACK] = "fp", |
| [PTR_TO_PACKET] = "pkt", |
| [PTR_TO_PACKET_META] = "pkt_meta", |
| [PTR_TO_PACKET_END] = "pkt_end", |
| [PTR_TO_FLOW_KEYS] = "flow_keys", |
| [PTR_TO_SOCKET] = "sock", |
| [PTR_TO_SOCKET_OR_NULL] = "sock_or_null", |
| [PTR_TO_SOCK_COMMON] = "sock_common", |
| [PTR_TO_SOCK_COMMON_OR_NULL] = "sock_common_or_null", |
| [PTR_TO_TCP_SOCK] = "tcp_sock", |
| [PTR_TO_TCP_SOCK_OR_NULL] = "tcp_sock_or_null", |
| }; |
| |
| static char slot_type_char[] = { |
| [STACK_INVALID] = '?', |
| [STACK_SPILL] = 'r', |
| [STACK_MISC] = 'm', |
| [STACK_ZERO] = '0', |
| }; |
| |
| static void print_liveness(struct bpf_verifier_env *env, |
| enum bpf_reg_liveness live) |
| { |
| if (live & (REG_LIVE_READ | REG_LIVE_WRITTEN | REG_LIVE_DONE)) |
| verbose(env, "_"); |
| if (live & REG_LIVE_READ) |
| verbose(env, "r"); |
| if (live & REG_LIVE_WRITTEN) |
| verbose(env, "w"); |
| if (live & REG_LIVE_DONE) |
| verbose(env, "D"); |
| } |
| |
| static struct bpf_func_state *func(struct bpf_verifier_env *env, |
| const struct bpf_reg_state *reg) |
| { |
| struct bpf_verifier_state *cur = env->cur_state; |
| |
| return cur->frame[reg->frameno]; |
| } |
| |
| static void print_verifier_state(struct bpf_verifier_env *env, |
| const struct bpf_func_state *state) |
| { |
| const struct bpf_reg_state *reg; |
| enum bpf_reg_type t; |
| int i; |
| |
| if (state->frameno) |
| verbose(env, " frame%d:", state->frameno); |
| for (i = 0; i < MAX_BPF_REG; i++) { |
| reg = &state->regs[i]; |
| t = reg->type; |
| if (t == NOT_INIT) |
| continue; |
| verbose(env, " R%d", i); |
| print_liveness(env, reg->live); |
| verbose(env, "=%s", reg_type_str[t]); |
| if ((t == SCALAR_VALUE || t == PTR_TO_STACK) && |
| tnum_is_const(reg->var_off)) { |
| /* reg->off should be 0 for SCALAR_VALUE */ |
| verbose(env, "%lld", reg->var_off.value + reg->off); |
| if (t == PTR_TO_STACK) |
| verbose(env, ",call_%d", func(env, reg)->callsite); |
| } else { |
| verbose(env, "(id=%d", reg->id); |
| if (reg_type_may_be_refcounted_or_null(t)) |
| verbose(env, ",ref_obj_id=%d", reg->ref_obj_id); |
| if (t != SCALAR_VALUE) |
| verbose(env, ",off=%d", reg->off); |
| if (type_is_pkt_pointer(t)) |
| verbose(env, ",r=%d", reg->range); |
| else if (t == CONST_PTR_TO_MAP || |
| t == PTR_TO_MAP_VALUE || |
| t == PTR_TO_MAP_VALUE_OR_NULL) |
| verbose(env, ",ks=%d,vs=%d", |
| reg->map_ptr->key_size, |
| reg->map_ptr->value_size); |
| if (tnum_is_const(reg->var_off)) { |
| /* Typically an immediate SCALAR_VALUE, but |
| * could be a pointer whose offset is too big |
| * for reg->off |
| */ |
| verbose(env, ",imm=%llx", reg->var_off.value); |
| } else { |
| if (reg->smin_value != reg->umin_value && |
| reg->smin_value != S64_MIN) |
| verbose(env, ",smin_value=%lld", |
| (long long)reg->smin_value); |
| if (reg->smax_value != reg->umax_value && |
| reg->smax_value != S64_MAX) |
| verbose(env, ",smax_value=%lld", |
| (long long)reg->smax_value); |
| if (reg->umin_value != 0) |
| verbose(env, ",umin_value=%llu", |
| (unsigned long long)reg->umin_value); |
| if (reg->umax_value != U64_MAX) |
| verbose(env, ",umax_value=%llu", |
| (unsigned long long)reg->umax_value); |
| if (!tnum_is_unknown(reg->var_off)) { |
| char tn_buf[48]; |
| |
| tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| verbose(env, ",var_off=%s", tn_buf); |
| } |
| } |
| verbose(env, ")"); |
| } |
| } |
| for (i = 0; i < state->allocated_stack / BPF_REG_SIZE; i++) { |
| char types_buf[BPF_REG_SIZE + 1]; |
| bool valid = false; |
| int j; |
| |
| for (j = 0; j < BPF_REG_SIZE; j++) { |
| if (state->stack[i].slot_type[j] != STACK_INVALID) |
| valid = true; |
| types_buf[j] = slot_type_char[ |
| state->stack[i].slot_type[j]]; |
| } |
| types_buf[BPF_REG_SIZE] = 0; |
| if (!valid) |
| continue; |
| verbose(env, " fp%d", (-i - 1) * BPF_REG_SIZE); |
| print_liveness(env, state->stack[i].spilled_ptr.live); |
| if (state->stack[i].slot_type[0] == STACK_SPILL) |
| verbose(env, "=%s", |
| reg_type_str[state->stack[i].spilled_ptr.type]); |
| else |
| verbose(env, "=%s", types_buf); |
| } |
| if (state->acquired_refs && state->refs[0].id) { |
| verbose(env, " refs=%d", state->refs[0].id); |
| for (i = 1; i < state->acquired_refs; i++) |
| if (state->refs[i].id) |
| verbose(env, ",%d", state->refs[i].id); |
| } |
| verbose(env, "\n"); |
| } |
| |
| #define COPY_STATE_FN(NAME, COUNT, FIELD, SIZE) \ |
| static int copy_##NAME##_state(struct bpf_func_state *dst, \ |
| const struct bpf_func_state *src) \ |
| { \ |
| if (!src->FIELD) \ |
| return 0; \ |
| if (WARN_ON_ONCE(dst->COUNT < src->COUNT)) { \ |
| /* internal bug, make state invalid to reject the program */ \ |
| memset(dst, 0, sizeof(*dst)); \ |
| return -EFAULT; \ |
| } \ |
| memcpy(dst->FIELD, src->FIELD, \ |
| sizeof(*src->FIELD) * (src->COUNT / SIZE)); \ |
| return 0; \ |
| } |
| /* copy_reference_state() */ |
| COPY_STATE_FN(reference, acquired_refs, refs, 1) |
| /* copy_stack_state() */ |
| COPY_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE) |
| #undef COPY_STATE_FN |
| |
| #define REALLOC_STATE_FN(NAME, COUNT, FIELD, SIZE) \ |
| static int realloc_##NAME##_state(struct bpf_func_state *state, int size, \ |
| bool copy_old) \ |
| { \ |
| u32 old_size = state->COUNT; \ |
| struct bpf_##NAME##_state *new_##FIELD; \ |
| int slot = size / SIZE; \ |
| \ |
| if (size <= old_size || !size) { \ |
| if (copy_old) \ |
| return 0; \ |
| state->COUNT = slot * SIZE; \ |
| if (!size && old_size) { \ |
| kfree(state->FIELD); \ |
| state->FIELD = NULL; \ |
| } \ |
| return 0; \ |
| } \ |
| new_##FIELD = kmalloc_array(slot, sizeof(struct bpf_##NAME##_state), \ |
| GFP_KERNEL); \ |
| if (!new_##FIELD) \ |
| return -ENOMEM; \ |
| if (copy_old) { \ |
| if (state->FIELD) \ |
| memcpy(new_##FIELD, state->FIELD, \ |
| sizeof(*new_##FIELD) * (old_size / SIZE)); \ |
| memset(new_##FIELD + old_size / SIZE, 0, \ |
| sizeof(*new_##FIELD) * (size - old_size) / SIZE); \ |
| } \ |
| state->COUNT = slot * SIZE; \ |
| kfree(state->FIELD); \ |
| state->FIELD = new_##FIELD; \ |
| return 0; \ |
| } |
| /* realloc_reference_state() */ |
| REALLOC_STATE_FN(reference, acquired_refs, refs, 1) |
| /* realloc_stack_state() */ |
| REALLOC_STATE_FN(stack, allocated_stack, stack, BPF_REG_SIZE) |
| #undef REALLOC_STATE_FN |
| |
| /* do_check() starts with zero-sized stack in struct bpf_verifier_state to |
| * make it consume minimal amount of memory. check_stack_write() access from |
| * the program calls into realloc_func_state() to grow the stack size. |
| * Note there is a non-zero 'parent' pointer inside bpf_verifier_state |
| * which realloc_stack_state() copies over. It points to previous |
| * bpf_verifier_state which is never reallocated. |
| */ |
| static int realloc_func_state(struct bpf_func_state *state, int stack_size, |
| int refs_size, bool copy_old) |
| { |
| int err = realloc_reference_state(state, refs_size, copy_old); |
| if (err) |
| return err; |
| return realloc_stack_state(state, stack_size, copy_old); |
| } |
| |
| /* Acquire a pointer id from the env and update the state->refs to include |
| * this new pointer reference. |
| * On success, returns a valid pointer id to associate with the register |
| * On failure, returns a negative errno. |
| */ |
| static int acquire_reference_state(struct bpf_verifier_env *env, int insn_idx) |
| { |
| struct bpf_func_state *state = cur_func(env); |
| int new_ofs = state->acquired_refs; |
| int id, err; |
| |
| err = realloc_reference_state(state, state->acquired_refs + 1, true); |
| if (err) |
| return err; |
| id = ++env->id_gen; |
| state->refs[new_ofs].id = id; |
| state->refs[new_ofs].insn_idx = insn_idx; |
| |
| return id; |
| } |
| |
| /* release function corresponding to acquire_reference_state(). Idempotent. */ |
| static int release_reference_state(struct bpf_func_state *state, int ptr_id) |
| { |
| int i, last_idx; |
| |
| last_idx = state->acquired_refs - 1; |
| for (i = 0; i < state->acquired_refs; i++) { |
| if (state->refs[i].id == ptr_id) { |
| if (last_idx && i != last_idx) |
| memcpy(&state->refs[i], &state->refs[last_idx], |
| sizeof(*state->refs)); |
| memset(&state->refs[last_idx], 0, sizeof(*state->refs)); |
| state->acquired_refs--; |
| return 0; |
| } |
| } |
| return -EINVAL; |
| } |
| |
| static int transfer_reference_state(struct bpf_func_state *dst, |
| struct bpf_func_state *src) |
| { |
| int err = realloc_reference_state(dst, src->acquired_refs, false); |
| if (err) |
| return err; |
| err = copy_reference_state(dst, src); |
| if (err) |
| return err; |
| return 0; |
| } |
| |
| static void free_func_state(struct bpf_func_state *state) |
| { |
| if (!state) |
| return; |
| kfree(state->refs); |
| kfree(state->stack); |
| kfree(state); |
| } |
| |
| static void free_verifier_state(struct bpf_verifier_state *state, |
| bool free_self) |
| { |
| int i; |
| |
| for (i = 0; i <= state->curframe; i++) { |
| free_func_state(state->frame[i]); |
| state->frame[i] = NULL; |
| } |
| if (free_self) |
| kfree(state); |
| } |
| |
| /* copy verifier state from src to dst growing dst stack space |
| * when necessary to accommodate larger src stack |
| */ |
| static int copy_func_state(struct bpf_func_state *dst, |
| const struct bpf_func_state *src) |
| { |
| int err; |
| |
| err = realloc_func_state(dst, src->allocated_stack, src->acquired_refs, |
| false); |
| if (err) |
| return err; |
| memcpy(dst, src, offsetof(struct bpf_func_state, acquired_refs)); |
| err = copy_reference_state(dst, src); |
| if (err) |
| return err; |
| return copy_stack_state(dst, src); |
| } |
| |
| static int copy_verifier_state(struct bpf_verifier_state *dst_state, |
| const struct bpf_verifier_state *src) |
| { |
| struct bpf_func_state *dst; |
| int i, err; |
| |
| /* if dst has more stack frames then src frame, free them */ |
| for (i = src->curframe + 1; i <= dst_state->curframe; i++) { |
| free_func_state(dst_state->frame[i]); |
| dst_state->frame[i] = NULL; |
| } |
| dst_state->speculative = src->speculative; |
| dst_state->curframe = src->curframe; |
| dst_state->active_spin_lock = src->active_spin_lock; |
| for (i = 0; i <= src->curframe; i++) { |
| dst = dst_state->frame[i]; |
| if (!dst) { |
| dst = kzalloc(sizeof(*dst), GFP_KERNEL); |
| if (!dst) |
| return -ENOMEM; |
| dst_state->frame[i] = dst; |
| } |
| err = copy_func_state(dst, src->frame[i]); |
| if (err) |
| return err; |
| } |
| return 0; |
| } |
| |
| static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx, |
| int *insn_idx) |
| { |
| struct bpf_verifier_state *cur = env->cur_state; |
| struct bpf_verifier_stack_elem *elem, *head = env->head; |
| int err; |
| |
| if (env->head == NULL) |
| return -ENOENT; |
| |
| if (cur) { |
| err = copy_verifier_state(cur, &head->st); |
| if (err) |
| return err; |
| } |
| if (insn_idx) |
| *insn_idx = head->insn_idx; |
| if (prev_insn_idx) |
| *prev_insn_idx = head->prev_insn_idx; |
| elem = head->next; |
| free_verifier_state(&head->st, false); |
| kfree(head); |
| env->head = elem; |
| env->stack_size--; |
| return 0; |
| } |
| |
| static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env, |
| int insn_idx, int prev_insn_idx, |
| bool speculative) |
| { |
| struct bpf_verifier_state *cur = env->cur_state; |
| struct bpf_verifier_stack_elem *elem; |
| int err; |
| |
| elem = kzalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL); |
| if (!elem) |
| goto err; |
| |
| elem->insn_idx = insn_idx; |
| elem->prev_insn_idx = prev_insn_idx; |
| elem->next = env->head; |
| env->head = elem; |
| env->stack_size++; |
| err = copy_verifier_state(&elem->st, cur); |
| if (err) |
| goto err; |
| elem->st.speculative |= speculative; |
| if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { |
| verbose(env, "BPF program is too complex\n"); |
| goto err; |
| } |
| return &elem->st; |
| err: |
| free_verifier_state(env->cur_state, true); |
| env->cur_state = NULL; |
| /* pop all elements and return */ |
| while (!pop_stack(env, NULL, NULL)); |
| return NULL; |
| } |
| |
| #define CALLER_SAVED_REGS 6 |
| static const int caller_saved[CALLER_SAVED_REGS] = { |
| BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5 |
| }; |
| |
| static void __mark_reg_not_init(struct bpf_reg_state *reg); |
| |
| /* Mark the unknown part of a register (variable offset or scalar value) as |
| * known to have the value @imm. |
| */ |
| static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm) |
| { |
| /* Clear id, off, and union(map_ptr, range) */ |
| memset(((u8 *)reg) + sizeof(reg->type), 0, |
| offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type)); |
| reg->var_off = tnum_const(imm); |
| reg->smin_value = (s64)imm; |
| reg->smax_value = (s64)imm; |
| reg->umin_value = imm; |
| reg->umax_value = imm; |
| } |
| |
| /* Mark the 'variable offset' part of a register as zero. This should be |
| * used only on registers holding a pointer type. |
| */ |
| static void __mark_reg_known_zero(struct bpf_reg_state *reg) |
| { |
| __mark_reg_known(reg, 0); |
| } |
| |
| static void __mark_reg_const_zero(struct bpf_reg_state *reg) |
| { |
| __mark_reg_known(reg, 0); |
| reg->type = SCALAR_VALUE; |
| } |
| |
| static void mark_reg_known_zero(struct bpf_verifier_env *env, |
| struct bpf_reg_state *regs, u32 regno) |
| { |
| if (WARN_ON(regno >= MAX_BPF_REG)) { |
| verbose(env, "mark_reg_known_zero(regs, %u)\n", regno); |
| /* Something bad happened, let's kill all regs */ |
| for (regno = 0; regno < MAX_BPF_REG; regno++) |
| __mark_reg_not_init(regs + regno); |
| return; |
| } |
| __mark_reg_known_zero(regs + regno); |
| } |
| |
| static bool reg_is_pkt_pointer(const struct bpf_reg_state *reg) |
| { |
| return type_is_pkt_pointer(reg->type); |
| } |
| |
| static bool reg_is_pkt_pointer_any(const struct bpf_reg_state *reg) |
| { |
| return reg_is_pkt_pointer(reg) || |
| reg->type == PTR_TO_PACKET_END; |
| } |
| |
| /* Unmodified PTR_TO_PACKET[_META,_END] register from ctx access. */ |
| static bool reg_is_init_pkt_pointer(const struct bpf_reg_state *reg, |
| enum bpf_reg_type which) |
| { |
| /* The register can already have a range from prior markings. |
| * This is fine as long as it hasn't been advanced from its |
| * origin. |
| */ |
| return reg->type == which && |
| reg->id == 0 && |
| reg->off == 0 && |
| tnum_equals_const(reg->var_off, 0); |
| } |
| |
| /* Attempts to improve min/max values based on var_off information */ |
| static void __update_reg_bounds(struct bpf_reg_state *reg) |
| { |
| /* min signed is max(sign bit) | min(other bits) */ |
| reg->smin_value = max_t(s64, reg->smin_value, |
| reg->var_off.value | (reg->var_off.mask & S64_MIN)); |
| /* max signed is min(sign bit) | max(other bits) */ |
| reg->smax_value = min_t(s64, reg->smax_value, |
| reg->var_off.value | (reg->var_off.mask & S64_MAX)); |
| reg->umin_value = max(reg->umin_value, reg->var_off.value); |
| reg->umax_value = min(reg->umax_value, |
| reg->var_off.value | reg->var_off.mask); |
| } |
| |
| /* Uses signed min/max values to inform unsigned, and vice-versa */ |
| static void __reg_deduce_bounds(struct bpf_reg_state *reg) |
| { |
| /* Learn sign from signed bounds. |
| * If we cannot cross the sign boundary, then signed and unsigned bounds |
| * are the same, so combine. This works even in the negative case, e.g. |
| * -3 s<= x s<= -1 implies 0xf...fd u<= x u<= 0xf...ff. |
| */ |
| if (reg->smin_value >= 0 || reg->smax_value < 0) { |
| reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value, |
| reg->umin_value); |
| reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value, |
| reg->umax_value); |
| return; |
| } |
| /* Learn sign from unsigned bounds. Signed bounds cross the sign |
| * boundary, so we must be careful. |
| */ |
| if ((s64)reg->umax_value >= 0) { |
| /* Positive. We can't learn anything from the smin, but smax |
| * is positive, hence safe. |
| */ |
| reg->smin_value = reg->umin_value; |
| reg->smax_value = reg->umax_value = min_t(u64, reg->smax_value, |
| reg->umax_value); |
| } else if ((s64)reg->umin_value < 0) { |
| /* Negative. We can't learn anything from the smax, but smin |
| * is negative, hence safe. |
| */ |
| reg->smin_value = reg->umin_value = max_t(u64, reg->smin_value, |
| reg->umin_value); |
| reg->smax_value = reg->umax_value; |
| } |
| } |
| |
| /* Attempts to improve var_off based on unsigned min/max information */ |
| static void __reg_bound_offset(struct bpf_reg_state *reg) |
| { |
| reg->var_off = tnum_intersect(reg->var_off, |
| tnum_range(reg->umin_value, |
| reg->umax_value)); |
| } |
| |
| /* Reset the min/max bounds of a register */ |
| static void __mark_reg_unbounded(struct bpf_reg_state *reg) |
| { |
| reg->smin_value = S64_MIN; |
| reg->smax_value = S64_MAX; |
| reg->umin_value = 0; |
| reg->umax_value = U64_MAX; |
| } |
| |
| /* Mark a register as having a completely unknown (scalar) value. */ |
| static void __mark_reg_unknown(struct bpf_reg_state *reg) |
| { |
| /* |
| * Clear type, id, off, and union(map_ptr, range) and |
| * padding between 'type' and union |
| */ |
| memset(reg, 0, offsetof(struct bpf_reg_state, var_off)); |
| reg->type = SCALAR_VALUE; |
| reg->var_off = tnum_unknown; |
| reg->frameno = 0; |
| __mark_reg_unbounded(reg); |
| } |
| |
| static void mark_reg_unknown(struct bpf_verifier_env *env, |
| struct bpf_reg_state *regs, u32 regno) |
| { |
| if (WARN_ON(regno >= MAX_BPF_REG)) { |
| verbose(env, "mark_reg_unknown(regs, %u)\n", regno); |
| /* Something bad happened, let's kill all regs except FP */ |
| for (regno = 0; regno < BPF_REG_FP; regno++) |
| __mark_reg_not_init(regs + regno); |
| return; |
| } |
| __mark_reg_unknown(regs + regno); |
| } |
| |
| static void __mark_reg_not_init(struct bpf_reg_state *reg) |
| { |
| __mark_reg_unknown(reg); |
| reg->type = NOT_INIT; |
| } |
| |
| static void mark_reg_not_init(struct bpf_verifier_env *env, |
| struct bpf_reg_state *regs, u32 regno) |
| { |
| if (WARN_ON(regno >= MAX_BPF_REG)) { |
| verbose(env, "mark_reg_not_init(regs, %u)\n", regno); |
| /* Something bad happened, let's kill all regs except FP */ |
| for (regno = 0; regno < BPF_REG_FP; regno++) |
| __mark_reg_not_init(regs + regno); |
| return; |
| } |
| __mark_reg_not_init(regs + regno); |
| } |
| |
| static void init_reg_state(struct bpf_verifier_env *env, |
| struct bpf_func_state *state) |
| { |
| struct bpf_reg_state *regs = state->regs; |
| int i; |
| |
| for (i = 0; i < MAX_BPF_REG; i++) { |
| mark_reg_not_init(env, regs, i); |
| regs[i].live = REG_LIVE_NONE; |
| regs[i].parent = NULL; |
| } |
| |
| /* frame pointer */ |
| regs[BPF_REG_FP].type = PTR_TO_STACK; |
| mark_reg_known_zero(env, regs, BPF_REG_FP); |
| regs[BPF_REG_FP].frameno = state->frameno; |
| |
| /* 1st arg to a function */ |
| regs[BPF_REG_1].type = PTR_TO_CTX; |
| mark_reg_known_zero(env, regs, BPF_REG_1); |
| } |
| |
| #define BPF_MAIN_FUNC (-1) |
| static void init_func_state(struct bpf_verifier_env *env, |
| struct bpf_func_state *state, |
| int callsite, int frameno, int subprogno) |
| { |
| state->callsite = callsite; |
| state->frameno = frameno; |
| state->subprogno = subprogno; |
| init_reg_state(env, state); |
| } |
| |
| enum reg_arg_type { |
| SRC_OP, /* register is used as source operand */ |
| DST_OP, /* register is used as destination operand */ |
| DST_OP_NO_MARK /* same as above, check only, don't mark */ |
| }; |
| |
| static int cmp_subprogs(const void *a, const void *b) |
| { |
| return ((struct bpf_subprog_info *)a)->start - |
| ((struct bpf_subprog_info *)b)->start; |
| } |
| |
| static int find_subprog(struct bpf_verifier_env *env, int off) |
| { |
| struct bpf_subprog_info *p; |
| |
| p = bsearch(&off, env->subprog_info, env->subprog_cnt, |
| sizeof(env->subprog_info[0]), cmp_subprogs); |
| if (!p) |
| return -ENOENT; |
| return p - env->subprog_info; |
| |
| } |
| |
| static int add_subprog(struct bpf_verifier_env *env, int off) |
| { |
| int insn_cnt = env->prog->len; |
| int ret; |
| |
| if (off >= insn_cnt || off < 0) { |
| verbose(env, "call to invalid destination\n"); |
| return -EINVAL; |
| } |
| ret = find_subprog(env, off); |
| if (ret >= 0) |
| return 0; |
| if (env->subprog_cnt >= BPF_MAX_SUBPROGS) { |
| verbose(env, "too many subprograms\n"); |
| return -E2BIG; |
| } |
| env->subprog_info[env->subprog_cnt++].start = off; |
| sort(env->subprog_info, env->subprog_cnt, |
| sizeof(env->subprog_info[0]), cmp_subprogs, NULL); |
| return 0; |
| } |
| |
| static int check_subprogs(struct bpf_verifier_env *env) |
| { |
| int i, ret, subprog_start, subprog_end, off, cur_subprog = 0; |
| struct bpf_subprog_info *subprog = env->subprog_info; |
| struct bpf_insn *insn = env->prog->insnsi; |
| int insn_cnt = env->prog->len; |
| |
| /* Add entry function. */ |
| ret = add_subprog(env, 0); |
| if (ret < 0) |
| return ret; |
| |
| /* determine subprog starts. The end is one before the next starts */ |
| for (i = 0; i < insn_cnt; i++) { |
| if (insn[i].code != (BPF_JMP | BPF_CALL)) |
| continue; |
| if (insn[i].src_reg != BPF_PSEUDO_CALL) |
| continue; |
| if (!env->allow_ptr_leaks) { |
| verbose(env, "function calls to other bpf functions are allowed for root only\n"); |
| return -EPERM; |
| } |
| ret = add_subprog(env, i + insn[i].imm + 1); |
| if (ret < 0) |
| return ret; |
| } |
| |
| /* Add a fake 'exit' subprog which could simplify subprog iteration |
| * logic. 'subprog_cnt' should not be increased. |
| */ |
| subprog[env->subprog_cnt].start = insn_cnt; |
| |
| if (env->log.level > 1) |
| for (i = 0; i < env->subprog_cnt; i++) |
| verbose(env, "func#%d @%d\n", i, subprog[i].start); |
| |
| /* now check that all jumps are within the same subprog */ |
| subprog_start = subprog[cur_subprog].start; |
| subprog_end = subprog[cur_subprog + 1].start; |
| for (i = 0; i < insn_cnt; i++) { |
| u8 code = insn[i].code; |
| |
| if (BPF_CLASS(code) != BPF_JMP && BPF_CLASS(code) != BPF_JMP32) |
| goto next; |
| if (BPF_OP(code) == BPF_EXIT || BPF_OP(code) == BPF_CALL) |
| goto next; |
| off = i + insn[i].off + 1; |
| if (off < subprog_start || off >= subprog_end) { |
| verbose(env, "jump out of range from insn %d to %d\n", i, off); |
| return -EINVAL; |
| } |
| next: |
| if (i == subprog_end - 1) { |
| /* to avoid fall-through from one subprog into another |
| * the last insn of the subprog should be either exit |
| * or unconditional jump back |
| */ |
| if (code != (BPF_JMP | BPF_EXIT) && |
| code != (BPF_JMP | BPF_JA)) { |
| verbose(env, "last insn is not an exit or jmp\n"); |
| return -EINVAL; |
| } |
| subprog_start = subprog_end; |
| cur_subprog++; |
| if (cur_subprog < env->subprog_cnt) |
| subprog_end = subprog[cur_subprog + 1].start; |
| } |
| } |
| return 0; |
| } |
| |
| /* Parentage chain of this register (or stack slot) should take care of all |
| * issues like callee-saved registers, stack slot allocation time, etc. |
| */ |
| static int mark_reg_read(struct bpf_verifier_env *env, |
| const struct bpf_reg_state *state, |
| struct bpf_reg_state *parent) |
| { |
| bool writes = parent == state->parent; /* Observe write marks */ |
| |
| while (parent) { |
| /* if read wasn't screened by an earlier write ... */ |
| if (writes && state->live & REG_LIVE_WRITTEN) |
| break; |
| if (parent->live & REG_LIVE_DONE) { |
| verbose(env, "verifier BUG type %s var_off %lld off %d\n", |
| reg_type_str[parent->type], |
| parent->var_off.value, parent->off); |
| return -EFAULT; |
| } |
| /* ... then we depend on parent's value */ |
| parent->live |= REG_LIVE_READ; |
| state = parent; |
| parent = state->parent; |
| writes = true; |
| } |
| return 0; |
| } |
| |
| static int check_reg_arg(struct bpf_verifier_env *env, u32 regno, |
| enum reg_arg_type t) |
| { |
| struct bpf_verifier_state *vstate = env->cur_state; |
| struct bpf_func_state *state = vstate->frame[vstate->curframe]; |
| struct bpf_reg_state *regs = state->regs; |
| |
| if (regno >= MAX_BPF_REG) { |
| verbose(env, "R%d is invalid\n", regno); |
| return -EINVAL; |
| } |
| |
| if (t == SRC_OP) { |
| /* check whether register used as source operand can be read */ |
| if (regs[regno].type == NOT_INIT) { |
| verbose(env, "R%d !read_ok\n", regno); |
| return -EACCES; |
| } |
| /* We don't need to worry about FP liveness because it's read-only */ |
| if (regno != BPF_REG_FP) |
| return mark_reg_read(env, ®s[regno], |
| regs[regno].parent); |
| } else { |
| /* check whether register used as dest operand can be written to */ |
| if (regno == BPF_REG_FP) { |
| verbose(env, "frame pointer is read only\n"); |
| return -EACCES; |
| } |
| regs[regno].live |= REG_LIVE_WRITTEN; |
| if (t == DST_OP) |
| mark_reg_unknown(env, regs, regno); |
| } |
| return 0; |
| } |
| |
| static bool is_spillable_regtype(enum bpf_reg_type type) |
| { |
| switch (type) { |
| case PTR_TO_MAP_VALUE: |
| case PTR_TO_MAP_VALUE_OR_NULL: |
| case PTR_TO_STACK: |
| case PTR_TO_CTX: |
| case PTR_TO_PACKET: |
| case PTR_TO_PACKET_META: |
| case PTR_TO_PACKET_END: |
| case PTR_TO_FLOW_KEYS: |
| case CONST_PTR_TO_MAP: |
| case PTR_TO_SOCKET: |
| case PTR_TO_SOCKET_OR_NULL: |
| case PTR_TO_SOCK_COMMON: |
| case PTR_TO_SOCK_COMMON_OR_NULL: |
| case PTR_TO_TCP_SOCK: |
| case PTR_TO_TCP_SOCK_OR_NULL: |
| return true; |
| default: |
| return false; |
| } |
| } |
| |
| /* Does this register contain a constant zero? */ |
| static bool register_is_null(struct bpf_reg_state *reg) |
| { |
| return reg->type == SCALAR_VALUE && tnum_equals_const(reg->var_off, 0); |
| } |
| |
| /* check_stack_read/write functions track spill/fill of registers, |
| * stack boundary and alignment are checked in check_mem_access() |
| */ |
| static int check_stack_write(struct bpf_verifier_env *env, |
| struct bpf_func_state *state, /* func where register points to */ |
| int off, int size, int value_regno, int insn_idx) |
| { |
| struct bpf_func_state *cur; /* state of the current function */ |
| int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err; |
| enum bpf_reg_type type; |
| |
| err = realloc_func_state(state, round_up(slot + 1, BPF_REG_SIZE), |
| state->acquired_refs, true); |
| if (err) |
| return err; |
| /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, |
| * so it's aligned access and [off, off + size) are within stack limits |
| */ |
| if (!env->allow_ptr_leaks && |
| state->stack[spi].slot_type[0] == STACK_SPILL && |
| size != BPF_REG_SIZE) { |
| verbose(env, "attempt to corrupt spilled pointer on stack\n"); |
| return -EACCES; |
| } |
| |
| cur = env->cur_state->frame[env->cur_state->curframe]; |
| if (value_regno >= 0 && |
| is_spillable_regtype((type = cur->regs[value_regno].type))) { |
| |
| /* register containing pointer is being spilled into stack */ |
| if (size != BPF_REG_SIZE) { |
| verbose(env, "invalid size of register spill\n"); |
| return -EACCES; |
| } |
| |
| if (state != cur && type == PTR_TO_STACK) { |
| verbose(env, "cannot spill pointers to stack into stack frame of the caller\n"); |
| return -EINVAL; |
| } |
| |
| /* save register state */ |
| state->stack[spi].spilled_ptr = cur->regs[value_regno]; |
| state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; |
| |
| for (i = 0; i < BPF_REG_SIZE; i++) { |
| if (state->stack[spi].slot_type[i] == STACK_MISC && |
| !env->allow_ptr_leaks) { |
| int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off; |
| int soff = (-spi - 1) * BPF_REG_SIZE; |
| |
| /* detected reuse of integer stack slot with a pointer |
| * which means either llvm is reusing stack slot or |
| * an attacker is trying to exploit CVE-2018-3639 |
| * (speculative store bypass) |
| * Have to sanitize that slot with preemptive |
| * store of zero. |
| */ |
| if (*poff && *poff != soff) { |
| /* disallow programs where single insn stores |
| * into two different stack slots, since verifier |
| * cannot sanitize them |
| */ |
| verbose(env, |
| "insn %d cannot access two stack slots fp%d and fp%d", |
| insn_idx, *poff, soff); |
| return -EINVAL; |
| } |
| *poff = soff; |
| } |
| state->stack[spi].slot_type[i] = STACK_SPILL; |
| } |
| } else { |
| u8 type = STACK_MISC; |
| |
| /* regular write of data into stack destroys any spilled ptr */ |
| state->stack[spi].spilled_ptr.type = NOT_INIT; |
| /* Mark slots as STACK_MISC if they belonged to spilled ptr. */ |
| if (state->stack[spi].slot_type[0] == STACK_SPILL) |
| for (i = 0; i < BPF_REG_SIZE; i++) |
| state->stack[spi].slot_type[i] = STACK_MISC; |
| |
| /* only mark the slot as written if all 8 bytes were written |
| * otherwise read propagation may incorrectly stop too soon |
| * when stack slots are partially written. |
| * This heuristic means that read propagation will be |
| * conservative, since it will add reg_live_read marks |
| * to stack slots all the way to first state when programs |
| * writes+reads less than 8 bytes |
| */ |
| if (size == BPF_REG_SIZE) |
| state->stack[spi].spilled_ptr.live |= REG_LIVE_WRITTEN; |
| |
| /* when we zero initialize stack slots mark them as such */ |
| if (value_regno >= 0 && |
| register_is_null(&cur->regs[value_regno])) |
| type = STACK_ZERO; |
| |
| /* Mark slots affected by this stack write. */ |
| for (i = 0; i < size; i++) |
| state->stack[spi].slot_type[(slot - i) % BPF_REG_SIZE] = |
| type; |
| } |
| return 0; |
| } |
| |
| static int check_stack_read(struct bpf_verifier_env *env, |
| struct bpf_func_state *reg_state /* func where register points to */, |
| int off, int size, int value_regno) |
| { |
| struct bpf_verifier_state *vstate = env->cur_state; |
| struct bpf_func_state *state = vstate->frame[vstate->curframe]; |
| int i, slot = -off - 1, spi = slot / BPF_REG_SIZE; |
| u8 *stype; |
| |
| if (reg_state->allocated_stack <= slot) { |
| verbose(env, "invalid read from stack off %d+0 size %d\n", |
| off, size); |
| return -EACCES; |
| } |
| stype = reg_state->stack[spi].slot_type; |
| |
| if (stype[0] == STACK_SPILL) { |
| if (size != BPF_REG_SIZE) { |
| verbose(env, "invalid size of register spill\n"); |
| return -EACCES; |
| } |
| for (i = 1; i < BPF_REG_SIZE; i++) { |
| if (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) { |
| verbose(env, "corrupted spill memory\n"); |
| return -EACCES; |
| } |
| } |
| |
| if (value_regno >= 0) { |
| /* restore register state from stack */ |
| state->regs[value_regno] = reg_state->stack[spi].spilled_ptr; |
| /* mark reg as written since spilled pointer state likely |
| * has its liveness marks cleared by is_state_visited() |
| * which resets stack/reg liveness for state transitions |
| */ |
| state->regs[value_regno].live |= REG_LIVE_WRITTEN; |
| } |
| mark_reg_read(env, ®_state->stack[spi].spilled_ptr, |
| reg_state->stack[spi].spilled_ptr.parent); |
| return 0; |
| } else { |
| int zeros = 0; |
| |
| for (i = 0; i < size; i++) { |
| if (stype[(slot - i) % BPF_REG_SIZE] == STACK_MISC) |
| continue; |
| if (stype[(slot - i) % BPF_REG_SIZE] == STACK_ZERO) { |
| zeros++; |
| continue; |
| } |
| verbose(env, "invalid read from stack off %d+%d size %d\n", |
| off, i, size); |
| return -EACCES; |
| } |
| mark_reg_read(env, ®_state->stack[spi].spilled_ptr, |
| reg_state->stack[spi].spilled_ptr.parent); |
| if (value_regno >= 0) { |
| if (zeros == size) { |
| /* any size read into register is zero extended, |
| * so the whole register == const_zero |
| */ |
| __mark_reg_const_zero(&state->regs[value_regno]); |
| } else { |
| /* have read misc data from the stack */ |
| mark_reg_unknown(env, state->regs, value_regno); |
| } |
| state->regs[value_regno].live |= REG_LIVE_WRITTEN; |
| } |
| return 0; |
| } |
| } |
| |
| static int check_stack_access(struct bpf_verifier_env *env, |
| const struct bpf_reg_state *reg, |
| int off, int size) |
| { |
| /* Stack accesses must be at a fixed offset, so that we |
| * can determine what type of data were returned. See |
| * check_stack_read(). |
| */ |
| if (!tnum_is_const(reg->var_off)) { |
| char tn_buf[48]; |
| |
| tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| verbose(env, "variable stack access var_off=%s off=%d size=%d", |
| tn_buf, off, size); |
| return -EACCES; |
| } |
| |
| if (off >= 0 || off < -MAX_BPF_STACK) { |
| verbose(env, "invalid stack off=%d size=%d\n", off, size); |
| return -EACCES; |
| } |
| |
| return 0; |
| } |
| |
| /* check read/write into map element returned by bpf_map_lookup_elem() */ |
| static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off, |
| int size, bool zero_size_allowed) |
| { |
| struct bpf_reg_state *regs = cur_regs(env); |
| struct bpf_map *map = regs[regno].map_ptr; |
| |
| if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) || |
| off + size > map->value_size) { |
| verbose(env, "invalid access to map value, value_size=%d off=%d size=%d\n", |
| map->value_size, off, size); |
| return -EACCES; |
| } |
| return 0; |
| } |
| |
| /* check read/write into a map element with possible variable offset */ |
| static int check_map_access(struct bpf_verifier_env *env, u32 regno, |
| int off, int size, bool zero_size_allowed) |
| { |
| struct bpf_verifier_state *vstate = env->cur_state; |
| struct bpf_func_state *state = vstate->frame[vstate->curframe]; |
| struct bpf_reg_state *reg = &state->regs[regno]; |
| int err; |
| |
| /* We may have adjusted the register to this map value, so we |
| * need to try adding each of min_value and max_value to off |
| * to make sure our theoretical access will be safe. |
| */ |
| if (env->log.level) |
| print_verifier_state(env, state); |
| |
| /* The minimum value is only important with signed |
| * comparisons where we can't assume the floor of a |
| * value is 0. If we are using signed variables for our |
| * index'es we need to make sure that whatever we use |
| * will have a set floor within our range. |
| */ |
| if (reg->smin_value < 0 && |
| (reg->smin_value == S64_MIN || |
| (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) || |
| reg->smin_value + off < 0)) { |
| verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
| regno); |
| return -EACCES; |
| } |
| err = __check_map_access(env, regno, reg->smin_value + off, size, |
| zero_size_allowed); |
| if (err) { |
| verbose(env, "R%d min value is outside of the array range\n", |
| regno); |
| return err; |
| } |
| |
| /* If we haven't set a max value then we need to bail since we can't be |
| * sure we won't do bad things. |
| * If reg->umax_value + off could overflow, treat that as unbounded too. |
| */ |
| if (reg->umax_value >= BPF_MAX_VAR_OFF) { |
| verbose(env, "R%d unbounded memory access, make sure to bounds check any array access into a map\n", |
| regno); |
| return -EACCES; |
| } |
| err = __check_map_access(env, regno, reg->umax_value + off, size, |
| zero_size_allowed); |
| if (err) |
| verbose(env, "R%d max value is outside of the array range\n", |
| regno); |
| |
| if (map_value_has_spin_lock(reg->map_ptr)) { |
| u32 lock = reg->map_ptr->spin_lock_off; |
| |
| /* if any part of struct bpf_spin_lock can be touched by |
| * load/store reject this program. |
| * To check that [x1, x2) overlaps with [y1, y2) |
| * it is sufficient to check x1 < y2 && y1 < x2. |
| */ |
| if (reg->smin_value + off < lock + sizeof(struct bpf_spin_lock) && |
| lock < reg->umax_value + off + size) { |
| verbose(env, "bpf_spin_lock cannot be accessed directly by load/store\n"); |
| return -EACCES; |
| } |
| } |
| return err; |
| } |
| |
| #define MAX_PACKET_OFF 0xffff |
| |
| static bool may_access_direct_pkt_data(struct bpf_verifier_env *env, |
| const struct bpf_call_arg_meta *meta, |
| enum bpf_access_type t) |
| { |
| switch (env->prog->type) { |
| /* Program types only with direct read access go here! */ |
| case BPF_PROG_TYPE_LWT_IN: |
| case BPF_PROG_TYPE_LWT_OUT: |
| case BPF_PROG_TYPE_LWT_SEG6LOCAL: |
| case BPF_PROG_TYPE_SK_REUSEPORT: |
| case BPF_PROG_TYPE_FLOW_DISSECTOR: |
| case BPF_PROG_TYPE_CGROUP_SKB: |
| if (t == BPF_WRITE) |
| return false; |
| /* fallthrough */ |
| |
| /* Program types with direct read + write access go here! */ |
| case BPF_PROG_TYPE_SCHED_CLS: |
| case BPF_PROG_TYPE_SCHED_ACT: |
| case BPF_PROG_TYPE_XDP: |
| case BPF_PROG_TYPE_LWT_XMIT: |
| case BPF_PROG_TYPE_SK_SKB: |
| case BPF_PROG_TYPE_SK_MSG: |
| if (meta) |
| return meta->pkt_access; |
| |
| env->seen_direct_write = true; |
| return true; |
| default: |
| return false; |
| } |
| } |
| |
| static int __check_packet_access(struct bpf_verifier_env *env, u32 regno, |
| int off, int size, bool zero_size_allowed) |
| { |
| struct bpf_reg_state *regs = cur_regs(env); |
| struct bpf_reg_state *reg = ®s[regno]; |
| |
| if (off < 0 || size < 0 || (size == 0 && !zero_size_allowed) || |
| (u64)off + size > reg->range) { |
| verbose(env, "invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", |
| off, size, regno, reg->id, reg->off, reg->range); |
| return -EACCES; |
| } |
| return 0; |
| } |
| |
| static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, |
| int size, bool zero_size_allowed) |
| { |
| struct bpf_reg_state *regs = cur_regs(env); |
| struct bpf_reg_state *reg = ®s[regno]; |
| int err; |
| |
| /* We may have added a variable offset to the packet pointer; but any |
| * reg->range we have comes after that. We are only checking the fixed |
| * offset. |
| */ |
| |
| /* We don't allow negative numbers, because we aren't tracking enough |
| * detail to prove they're safe. |
| */ |
| if (reg->smin_value < 0) { |
| verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
| regno); |
| return -EACCES; |
| } |
| err = __check_packet_access(env, regno, off, size, zero_size_allowed); |
| if (err) { |
| verbose(env, "R%d offset is outside of the packet\n", regno); |
| return err; |
| } |
| |
| /* __check_packet_access has made sure "off + size - 1" is within u16. |
| * reg->umax_value can't be bigger than MAX_PACKET_OFF which is 0xffff, |
| * otherwise find_good_pkt_pointers would have refused to set range info |
| * that __check_packet_access would have rejected this pkt access. |
| * Therefore, "off + reg->umax_value + size - 1" won't overflow u32. |
| */ |
| env->prog->aux->max_pkt_offset = |
| max_t(u32, env->prog->aux->max_pkt_offset, |
| off + reg->umax_value + size - 1); |
| |
| return err; |
| } |
| |
| /* check access to 'struct bpf_context' fields. Supports fixed offsets only */ |
| static int check_ctx_access(struct bpf_verifier_env *env, int insn_idx, int off, int size, |
| enum bpf_access_type t, enum bpf_reg_type *reg_type) |
| { |
| struct bpf_insn_access_aux info = { |
| .reg_type = *reg_type, |
| }; |
| |
| if (env->ops->is_valid_access && |
| env->ops->is_valid_access(off, size, t, env->prog, &info)) { |
| /* A non zero info.ctx_field_size indicates that this field is a |
| * candidate for later verifier transformation to load the whole |
| * field and then apply a mask when accessed with a narrower |
| * access than actual ctx access size. A zero info.ctx_field_size |
| * will only allow for whole field access and rejects any other |
| * type of narrower access. |
| */ |
| *reg_type = info.reg_type; |
| |
| env->insn_aux_data[insn_idx].ctx_field_size = info.ctx_field_size; |
| /* remember the offset of last byte accessed in ctx */ |
| if (env->prog->aux->max_ctx_offset < off + size) |
| env->prog->aux->max_ctx_offset = off + size; |
| return 0; |
| } |
| |
| verbose(env, "invalid bpf_context access off=%d size=%d\n", off, size); |
| return -EACCES; |
| } |
| |
| static int check_flow_keys_access(struct bpf_verifier_env *env, int off, |
| int size) |
| { |
| if (size < 0 || off < 0 || |
| (u64)off + size > sizeof(struct bpf_flow_keys)) { |
| verbose(env, "invalid access to flow keys off=%d size=%d\n", |
| off, size); |
| return -EACCES; |
| } |
| return 0; |
| } |
| |
| static int check_sock_access(struct bpf_verifier_env *env, int insn_idx, |
| u32 regno, int off, int size, |
| enum bpf_access_type t) |
| { |
| struct bpf_reg_state *regs = cur_regs(env); |
| struct bpf_reg_state *reg = ®s[regno]; |
| struct bpf_insn_access_aux info = {}; |
| bool valid; |
| |
| if (reg->smin_value < 0) { |
| verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
| regno); |
| return -EACCES; |
| } |
| |
| switch (reg->type) { |
| case PTR_TO_SOCK_COMMON: |
| valid = bpf_sock_common_is_valid_access(off, size, t, &info); |
| break; |
| case PTR_TO_SOCKET: |
| valid = bpf_sock_is_valid_access(off, size, t, &info); |
| break; |
| case PTR_TO_TCP_SOCK: |
| valid = bpf_tcp_sock_is_valid_access(off, size, t, &info); |
| break; |
| default: |
| valid = false; |
| } |
| |
| |
| if (valid) { |
| env->insn_aux_data[insn_idx].ctx_field_size = |
| info.ctx_field_size; |
| return 0; |
| } |
| |
| verbose(env, "R%d invalid %s access off=%d size=%d\n", |
| regno, reg_type_str[reg->type], off, size); |
| |
| return -EACCES; |
| } |
| |
| static bool __is_pointer_value(bool allow_ptr_leaks, |
| const struct bpf_reg_state *reg) |
| { |
| if (allow_ptr_leaks) |
| return false; |
| |
| return reg->type != SCALAR_VALUE; |
| } |
| |
| static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno) |
| { |
| return cur_regs(env) + regno; |
| } |
| |
| static bool is_pointer_value(struct bpf_verifier_env *env, int regno) |
| { |
| return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno)); |
| } |
| |
| static bool is_ctx_reg(struct bpf_verifier_env *env, int regno) |
| { |
| const struct bpf_reg_state *reg = reg_state(env, regno); |
| |
| return reg->type == PTR_TO_CTX; |
| } |
| |
| static bool is_sk_reg(struct bpf_verifier_env *env, int regno) |
| { |
| const struct bpf_reg_state *reg = reg_state(env, regno); |
| |
| return type_is_sk_pointer(reg->type); |
| } |
| |
| static bool is_pkt_reg(struct bpf_verifier_env *env, int regno) |
| { |
| const struct bpf_reg_state *reg = reg_state(env, regno); |
| |
| return type_is_pkt_pointer(reg->type); |
| } |
| |
| static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno) |
| { |
| const struct bpf_reg_state *reg = reg_state(env, regno); |
| |
| /* Separate to is_ctx_reg() since we still want to allow BPF_ST here. */ |
| return reg->type == PTR_TO_FLOW_KEYS; |
| } |
| |
| static int check_pkt_ptr_alignment(struct bpf_verifier_env *env, |
| const struct bpf_reg_state *reg, |
| int off, int size, bool strict) |
| { |
| struct tnum reg_off; |
| int ip_align; |
| |
| /* Byte size accesses are always allowed. */ |
| if (!strict || size == 1) |
| return 0; |
| |
| /* For platforms that do not have a Kconfig enabling |
| * CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS the value of |
| * NET_IP_ALIGN is universally set to '2'. And on platforms |
| * that do set CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS, we get |
| * to this code only in strict mode where we want to emulate |
| * the NET_IP_ALIGN==2 checking. Therefore use an |
| * unconditional IP align value of '2'. |
| */ |
| ip_align = 2; |
| |
| reg_off = tnum_add(reg->var_off, tnum_const(ip_align + reg->off + off)); |
| if (!tnum_is_aligned(reg_off, size)) { |
| char tn_buf[48]; |
| |
| tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| verbose(env, |
| "misaligned packet access off %d+%s+%d+%d size %d\n", |
| ip_align, tn_buf, reg->off, off, size); |
| return -EACCES; |
| } |
| |
| return 0; |
| } |
| |
| static int check_generic_ptr_alignment(struct bpf_verifier_env *env, |
| const struct bpf_reg_state *reg, |
| const char *pointer_desc, |
| int off, int size, bool strict) |
| { |
| struct tnum reg_off; |
| |
| /* Byte size accesses are always allowed. */ |
| if (!strict || size == 1) |
| return 0; |
| |
| reg_off = tnum_add(reg->var_off, tnum_const(reg->off + off)); |
| if (!tnum_is_aligned(reg_off, size)) { |
| char tn_buf[48]; |
| |
| tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| verbose(env, "misaligned %saccess off %s+%d+%d size %d\n", |
| pointer_desc, tn_buf, reg->off, off, size); |
| return -EACCES; |
| } |
| |
| return 0; |
| } |
| |
| static int check_ptr_alignment(struct bpf_verifier_env *env, |
| const struct bpf_reg_state *reg, int off, |
| int size, bool strict_alignment_once) |
| { |
| bool strict = env->strict_alignment || strict_alignment_once; |
| const char *pointer_desc = ""; |
| |
| switch (reg->type) { |
| case PTR_TO_PACKET: |
| case PTR_TO_PACKET_META: |
| /* Special case, because of NET_IP_ALIGN. Given metadata sits |
| * right in front, treat it the very same way. |
| */ |
| return check_pkt_ptr_alignment(env, reg, off, size, strict); |
| case PTR_TO_FLOW_KEYS: |
| pointer_desc = "flow keys "; |
| break; |
| case PTR_TO_MAP_VALUE: |
| pointer_desc = "value "; |
| break; |
| case PTR_TO_CTX: |
| pointer_desc = "context "; |
| break; |
| case PTR_TO_STACK: |
| pointer_desc = "stack "; |
| /* The stack spill tracking logic in check_stack_write() |
| * and check_stack_read() relies on stack accesses being |
| * aligned. |
| */ |
| strict = true; |
| break; |
| case PTR_TO_SOCKET: |
| pointer_desc = "sock "; |
| break; |
| case PTR_TO_SOCK_COMMON: |
| pointer_desc = "sock_common "; |
| break; |
| case PTR_TO_TCP_SOCK: |
| pointer_desc = "tcp_sock "; |
| break; |
| default: |
| break; |
| } |
| return check_generic_ptr_alignment(env, reg, pointer_desc, off, size, |
| strict); |
| } |
| |
| static int update_stack_depth(struct bpf_verifier_env *env, |
| const struct bpf_func_state *func, |
| int off) |
| { |
| u16 stack = env->subprog_info[func->subprogno].stack_depth; |
| |
| if (stack >= -off) |
| return 0; |
| |
| /* update known max for given subprogram */ |
| env->subprog_info[func->subprogno].stack_depth = -off; |
| return 0; |
| } |
| |
| /* starting from main bpf function walk all instructions of the function |
| * and recursively walk all callees that given function can call. |
| * Ignore jump and exit insns. |
| * Since recursion is prevented by check_cfg() this algorithm |
| * only needs a local stack of MAX_CALL_FRAMES to remember callsites |
| */ |
| static int check_max_stack_depth(struct bpf_verifier_env *env) |
| { |
| int depth = 0, frame = 0, idx = 0, i = 0, subprog_end; |
| struct bpf_subprog_info *subprog = env->subprog_info; |
| struct bpf_insn *insn = env->prog->insnsi; |
| int ret_insn[MAX_CALL_FRAMES]; |
| int ret_prog[MAX_CALL_FRAMES]; |
| |
| process_func: |
| /* round up to 32-bytes, since this is granularity |
| * of interpreter stack size |
| */ |
| depth += round_up(max_t(u32, subprog[idx].stack_depth, 1), 32); |
| if (depth > MAX_BPF_STACK) { |
| verbose(env, "combined stack size of %d calls is %d. Too large\n", |
| frame + 1, depth); |
| return -EACCES; |
| } |
| continue_func: |
| subprog_end = subprog[idx + 1].start; |
| for (; i < subprog_end; i++) { |
| if (insn[i].code != (BPF_JMP | BPF_CALL)) |
| continue; |
| if (insn[i].src_reg != BPF_PSEUDO_CALL) |
| continue; |
| /* remember insn and function to return to */ |
| ret_insn[frame] = i + 1; |
| ret_prog[frame] = idx; |
| |
| /* find the callee */ |
| i = i + insn[i].imm + 1; |
| idx = find_subprog(env, i); |
| if (idx < 0) { |
| WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", |
| i); |
| return -EFAULT; |
| } |
| frame++; |
| if (frame >= MAX_CALL_FRAMES) { |
| verbose(env, "the call stack of %d frames is too deep !\n", |
| frame); |
| return -E2BIG; |
| } |
| goto process_func; |
| } |
| /* end of for() loop means the last insn of the 'subprog' |
| * was reached. Doesn't matter whether it was JA or EXIT |
| */ |
| if (frame == 0) |
| return 0; |
| depth -= round_up(max_t(u32, subprog[idx].stack_depth, 1), 32); |
| frame--; |
| i = ret_insn[frame]; |
| idx = ret_prog[frame]; |
| goto continue_func; |
| } |
| |
| #ifndef CONFIG_BPF_JIT_ALWAYS_ON |
| static int get_callee_stack_depth(struct bpf_verifier_env *env, |
| const struct bpf_insn *insn, int idx) |
| { |
| int start = idx + insn->imm + 1, subprog; |
| |
| subprog = find_subprog(env, start); |
| if (subprog < 0) { |
| WARN_ONCE(1, "verifier bug. No program starts at insn %d\n", |
| start); |
| return -EFAULT; |
| } |
| return env->subprog_info[subprog].stack_depth; |
| } |
| #endif |
| |
| static int check_ctx_reg(struct bpf_verifier_env *env, |
| const struct bpf_reg_state *reg, int regno) |
| { |
| /* Access to ctx or passing it to a helper is only allowed in |
| * its original, unmodified form. |
| */ |
| |
| if (reg->off) { |
| verbose(env, "dereference of modified ctx ptr R%d off=%d disallowed\n", |
| regno, reg->off); |
| return -EACCES; |
| } |
| |
| if (!tnum_is_const(reg->var_off) || reg->var_off.value) { |
| char tn_buf[48]; |
| |
| tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| verbose(env, "variable ctx access var_off=%s disallowed\n", tn_buf); |
| return -EACCES; |
| } |
| |
| return 0; |
| } |
| |
| /* truncate register to smaller size (in bytes) |
| * must be called with size < BPF_REG_SIZE |
| */ |
| static void coerce_reg_to_size(struct bpf_reg_state *reg, int size) |
| { |
| u64 mask; |
| |
| /* clear high bits in bit representation */ |
| reg->var_off = tnum_cast(reg->var_off, size); |
| |
| /* fix arithmetic bounds */ |
| mask = ((u64)1 << (size * 8)) - 1; |
| if ((reg->umin_value & ~mask) == (reg->umax_value & ~mask)) { |
| reg->umin_value &= mask; |
| reg->umax_value &= mask; |
| } else { |
| reg->umin_value = 0; |
| reg->umax_value = mask; |
| } |
| reg->smin_value = reg->umin_value; |
| reg->smax_value = reg->umax_value; |
| } |
| |
| /* check whether memory at (regno + off) is accessible for t = (read | write) |
| * if t==write, value_regno is a register which value is stored into memory |
| * if t==read, value_regno is a register which will receive the value from memory |
| * if t==write && value_regno==-1, some unknown value is stored into memory |
| * if t==read && value_regno==-1, don't care what we read from memory |
| */ |
| static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, |
| int off, int bpf_size, enum bpf_access_type t, |
| int value_regno, bool strict_alignment_once) |
| { |
| struct bpf_reg_state *regs = cur_regs(env); |
| struct bpf_reg_state *reg = regs + regno; |
| struct bpf_func_state *state; |
| int size, err = 0; |
| |
| size = bpf_size_to_bytes(bpf_size); |
| if (size < 0) |
| return size; |
| |
| /* alignment checks will add in reg->off themselves */ |
| err = check_ptr_alignment(env, reg, off, size, strict_alignment_once); |
| if (err) |
| return err; |
| |
| /* for access checks, reg->off is just part of off */ |
| off += reg->off; |
| |
| if (reg->type == PTR_TO_MAP_VALUE) { |
| if (t == BPF_WRITE && value_regno >= 0 && |
| is_pointer_value(env, value_regno)) { |
| verbose(env, "R%d leaks addr into map\n", value_regno); |
| return -EACCES; |
| } |
| |
| err = check_map_access(env, regno, off, size, false); |
| if (!err && t == BPF_READ && value_regno >= 0) |
| mark_reg_unknown(env, regs, value_regno); |
| |
| } else if (reg->type == PTR_TO_CTX) { |
| enum bpf_reg_type reg_type = SCALAR_VALUE; |
| |
| if (t == BPF_WRITE && value_regno >= 0 && |
| is_pointer_value(env, value_regno)) { |
| verbose(env, "R%d leaks addr into ctx\n", value_regno); |
| return -EACCES; |
| } |
| |
| err = check_ctx_reg(env, reg, regno); |
| if (err < 0) |
| return err; |
| |
| err = check_ctx_access(env, insn_idx, off, size, t, ®_type); |
| if (!err && t == BPF_READ && value_regno >= 0) { |
| /* ctx access returns either a scalar, or a |
| * PTR_TO_PACKET[_META,_END]. In the latter |
| * case, we know the offset is zero. |
| */ |
| if (reg_type == SCALAR_VALUE) { |
| mark_reg_unknown(env, regs, value_regno); |
| } else { |
| mark_reg_known_zero(env, regs, |
| value_regno); |
| if (reg_type_may_be_null(reg_type)) |
| regs[value_regno].id = ++env->id_gen; |
| } |
| regs[value_regno].type = reg_type; |
| } |
| |
| } else if (reg->type == PTR_TO_STACK) { |
| off += reg->var_off.value; |
| err = check_stack_access(env, reg, off, size); |
| if (err) |
| return err; |
| |
| state = func(env, reg); |
| err = update_stack_depth(env, state, off); |
| if (err) |
| return err; |
| |
| if (t == BPF_WRITE) |
| err = check_stack_write(env, state, off, size, |
| value_regno, insn_idx); |
| else |
| err = check_stack_read(env, state, off, size, |
| value_regno); |
| } else if (reg_is_pkt_pointer(reg)) { |
| if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL, t)) { |
| verbose(env, "cannot write into packet\n"); |
| return -EACCES; |
| } |
| if (t == BPF_WRITE && value_regno >= 0 && |
| is_pointer_value(env, value_regno)) { |
| verbose(env, "R%d leaks addr into packet\n", |
| value_regno); |
| return -EACCES; |
| } |
| err = check_packet_access(env, regno, off, size, false); |
| if (!err && t == BPF_READ && value_regno >= 0) |
| mark_reg_unknown(env, regs, value_regno); |
| } else if (reg->type == PTR_TO_FLOW_KEYS) { |
| if (t == BPF_WRITE && value_regno >= 0 && |
| is_pointer_value(env, value_regno)) { |
| verbose(env, "R%d leaks addr into flow keys\n", |
| value_regno); |
| return -EACCES; |
| } |
| |
| err = check_flow_keys_access(env, off, size); |
| if (!err && t == BPF_READ && value_regno >= 0) |
| mark_reg_unknown(env, regs, value_regno); |
| } else if (type_is_sk_pointer(reg->type)) { |
| if (t == BPF_WRITE) { |
| verbose(env, "R%d cannot write into %s\n", |
| regno, reg_type_str[reg->type]); |
| return -EACCES; |
| } |
| err = check_sock_access(env, insn_idx, regno, off, size, t); |
| if (!err && value_regno >= 0) |
| mark_reg_unknown(env, regs, value_regno); |
| } else { |
| verbose(env, "R%d invalid mem access '%s'\n", regno, |
| reg_type_str[reg->type]); |
| return -EACCES; |
| } |
| |
| if (!err && size < BPF_REG_SIZE && value_regno >= 0 && t == BPF_READ && |
| regs[value_regno].type == SCALAR_VALUE) { |
| /* b/h/w load zero-extends, mark upper bits as known 0 */ |
| coerce_reg_to_size(®s[value_regno], size); |
| } |
| return err; |
| } |
| |
| static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn) |
| { |
| int err; |
| |
| if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) || |
| insn->imm != 0) { |
| verbose(env, "BPF_XADD uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| /* check src1 operand */ |
| err = check_reg_arg(env, insn->src_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| /* check src2 operand */ |
| err = check_reg_arg(env, insn->dst_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| if (is_pointer_value(env, insn->src_reg)) { |
| verbose(env, "R%d leaks addr into mem\n", insn->src_reg); |
| return -EACCES; |
| } |
| |
| if (is_ctx_reg(env, insn->dst_reg) || |
| is_pkt_reg(env, insn->dst_reg) || |
| is_flow_key_reg(env, insn->dst_reg) || |
| is_sk_reg(env, insn->dst_reg)) { |
| verbose(env, "BPF_XADD stores into R%d %s is not allowed\n", |
| insn->dst_reg, |
| reg_type_str[reg_state(env, insn->dst_reg)->type]); |
| return -EACCES; |
| } |
| |
| /* check whether atomic_add can read the memory */ |
| err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
| BPF_SIZE(insn->code), BPF_READ, -1, true); |
| if (err) |
| return err; |
| |
| /* check whether atomic_add can write into the same memory */ |
| return check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
| BPF_SIZE(insn->code), BPF_WRITE, -1, true); |
| } |
| |
| /* when register 'regno' is passed into function that will read 'access_size' |
| * bytes from that pointer, make sure that it's within stack boundary |
| * and all elements of stack are initialized. |
| * Unlike most pointer bounds-checking functions, this one doesn't take an |
| * 'off' argument, so it has to add in reg->off itself. |
| */ |
| static int check_stack_boundary(struct bpf_verifier_env *env, int regno, |
| int access_size, bool zero_size_allowed, |
| struct bpf_call_arg_meta *meta) |
| { |
| struct bpf_reg_state *reg = reg_state(env, regno); |
| struct bpf_func_state *state = func(env, reg); |
| int off, i, slot, spi; |
| |
| if (reg->type != PTR_TO_STACK) { |
| /* Allow zero-byte read from NULL, regardless of pointer type */ |
| if (zero_size_allowed && access_size == 0 && |
| register_is_null(reg)) |
| return 0; |
| |
| verbose(env, "R%d type=%s expected=%s\n", regno, |
| reg_type_str[reg->type], |
| reg_type_str[PTR_TO_STACK]); |
| return -EACCES; |
| } |
| |
| /* Only allow fixed-offset stack reads */ |
| if (!tnum_is_const(reg->var_off)) { |
| char tn_buf[48]; |
| |
| tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); |
| verbose(env, "invalid variable stack read R%d var_off=%s\n", |
| regno, tn_buf); |
| return -EACCES; |
| } |
| off = reg->off + reg->var_off.value; |
| if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || |
| access_size < 0 || (access_size == 0 && !zero_size_allowed)) { |
| verbose(env, "invalid stack type R%d off=%d access_size=%d\n", |
| regno, off, access_size); |
| return -EACCES; |
| } |
| |
| if (meta && meta->raw_mode) { |
| meta->access_size = access_size; |
| meta->regno = regno; |
| return 0; |
| } |
| |
| for (i = 0; i < access_size; i++) { |
| u8 *stype; |
| |
| slot = -(off + i) - 1; |
| spi = slot / BPF_REG_SIZE; |
| if (state->allocated_stack <= slot) |
| goto err; |
| stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE]; |
| if (*stype == STACK_MISC) |
| goto mark; |
| if (*stype == STACK_ZERO) { |
| /* helper can write anything into the stack */ |
| *stype = STACK_MISC; |
| goto mark; |
| } |
| err: |
| verbose(env, "invalid indirect read from stack off %d+%d size %d\n", |
| off, i, access_size); |
| return -EACCES; |
| mark: |
| /* reading any byte out of 8-byte 'spill_slot' will cause |
| * the whole slot to be marked as 'read' |
| */ |
| mark_reg_read(env, &state->stack[spi].spilled_ptr, |
| state->stack[spi].spilled_ptr.parent); |
| } |
| return update_stack_depth(env, state, off); |
| } |
| |
| static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, |
| int access_size, bool zero_size_allowed, |
| struct bpf_call_arg_meta *meta) |
| { |
| struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; |
| |
| switch (reg->type) { |
| case PTR_TO_PACKET: |
| case PTR_TO_PACKET_META: |
| return check_packet_access(env, regno, reg->off, access_size, |
| zero_size_allowed); |
| case PTR_TO_MAP_VALUE: |
| return check_map_access(env, regno, reg->off, access_size, |
| zero_size_allowed); |
| default: /* scalar_value|ptr_to_stack or invalid ptr */ |
| return check_stack_boundary(env, regno, access_size, |
| zero_size_allowed, meta); |
| } |
| } |
| |
| /* Implementation details: |
| * bpf_map_lookup returns PTR_TO_MAP_VALUE_OR_NULL |
| * Two bpf_map_lookups (even with the same key) will have different reg->id. |
| * For traditional PTR_TO_MAP_VALUE the verifier clears reg->id after |
| * value_or_null->value transition, since the verifier only cares about |
| * the range of access to valid map value pointer and doesn't care about actual |
| * address of the map element. |
| * For maps with 'struct bpf_spin_lock' inside map value the verifier keeps |
| * reg->id > 0 after value_or_null->value transition. By doing so |
| * two bpf_map_lookups will be considered two different pointers that |
| * point to different bpf_spin_locks. |
| * The verifier allows taking only one bpf_spin_lock at a time to avoid |
| * dead-locks. |
| * Since only one bpf_spin_lock is allowed the checks are simpler than |
| * reg_is_refcounted() logic. The verifier needs to remember only |
| * one spin_lock instead of array of acquired_refs. |
| * cur_state->active_spin_lock remembers which map value element got locked |
| * and clears it after bpf_spin_unlock. |
| */ |
| static int process_spin_lock(struct bpf_verifier_env *env, int regno, |
| bool is_lock) |
| { |
| struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; |
| struct bpf_verifier_state *cur = env->cur_state; |
| bool is_const = tnum_is_const(reg->var_off); |
| struct bpf_map *map = reg->map_ptr; |
| u64 val = reg->var_off.value; |
| |
| if (reg->type != PTR_TO_MAP_VALUE) { |
| verbose(env, "R%d is not a pointer to map_value\n", regno); |
| return -EINVAL; |
| } |
| if (!is_const) { |
| verbose(env, |
| "R%d doesn't have constant offset. bpf_spin_lock has to be at the constant offset\n", |
| regno); |
| return -EINVAL; |
| } |
| if (!map->btf) { |
| verbose(env, |
| "map '%s' has to have BTF in order to use bpf_spin_lock\n", |
| map->name); |
| return -EINVAL; |
| } |
| if (!map_value_has_spin_lock(map)) { |
| if (map->spin_lock_off == -E2BIG) |
| verbose(env, |
| "map '%s' has more than one 'struct bpf_spin_lock'\n", |
| map->name); |
| else if (map->spin_lock_off == -ENOENT) |
| verbose(env, |
| "map '%s' doesn't have 'struct bpf_spin_lock'\n", |
| map->name); |
| else |
| verbose(env, |
| "map '%s' is not a struct type or bpf_spin_lock is mangled\n", |
| map->name); |
| return -EINVAL; |
| } |
| if (map->spin_lock_off != val + reg->off) { |
| verbose(env, "off %lld doesn't point to 'struct bpf_spin_lock'\n", |
| val + reg->off); |
| return -EINVAL; |
| } |
| if (is_lock) { |
| if (cur->active_spin_lock) { |
| verbose(env, |
| "Locking two bpf_spin_locks are not allowed\n"); |
| return -EINVAL; |
| } |
| cur->active_spin_lock = reg->id; |
| } else { |
| if (!cur->active_spin_lock) { |
| verbose(env, "bpf_spin_unlock without taking a lock\n"); |
| return -EINVAL; |
| } |
| if (cur->active_spin_lock != reg->id) { |
| verbose(env, "bpf_spin_unlock of different lock\n"); |
| return -EINVAL; |
| } |
| cur->active_spin_lock = 0; |
| } |
| return 0; |
| } |
| |
| static bool arg_type_is_mem_ptr(enum bpf_arg_type type) |
| { |
| return type == ARG_PTR_TO_MEM || |
| type == ARG_PTR_TO_MEM_OR_NULL || |
| type == ARG_PTR_TO_UNINIT_MEM; |
| } |
| |
| static bool arg_type_is_mem_size(enum bpf_arg_type type) |
| { |
| return type == ARG_CONST_SIZE || |
| type == ARG_CONST_SIZE_OR_ZERO; |
| } |
| |
| static int check_func_arg(struct bpf_verifier_env *env, u32 regno, |
| enum bpf_arg_type arg_type, |
| struct bpf_call_arg_meta *meta) |
| { |
| struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; |
| enum bpf_reg_type expected_type, type = reg->type; |
| int err = 0; |
| |
| if (arg_type == ARG_DONTCARE) |
| return 0; |
| |
| err = check_reg_arg(env, regno, SRC_OP); |
| if (err) |
| return err; |
| |
| if (arg_type == ARG_ANYTHING) { |
| if (is_pointer_value(env, regno)) { |
| verbose(env, "R%d leaks addr into helper function\n", |
| regno); |
| return -EACCES; |
| } |
| return 0; |
| } |
| |
| if (type_is_pkt_pointer(type) && |
| !may_access_direct_pkt_data(env, meta, BPF_READ)) { |
| verbose(env, "helper access to the packet is not allowed\n"); |
| return -EACCES; |
| } |
| |
| if (arg_type == ARG_PTR_TO_MAP_KEY || |
| arg_type == ARG_PTR_TO_MAP_VALUE || |
| arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) { |
| expected_type = PTR_TO_STACK; |
| if (!type_is_pkt_pointer(type) && type != PTR_TO_MAP_VALUE && |
| type != expected_type) |
| goto err_type; |
| } else if (arg_type == ARG_CONST_SIZE || |
| arg_type == ARG_CONST_SIZE_OR_ZERO) { |
| expected_type = SCALAR_VALUE; |
| if (type != expected_type) |
| goto err_type; |
| } else if (arg_type == ARG_CONST_MAP_PTR) { |
| expected_type = CONST_PTR_TO_MAP; |
| if (type != expected_type) |
| goto err_type; |
| } else if (arg_type == ARG_PTR_TO_CTX) { |
| expected_type = PTR_TO_CTX; |
| if (type != expected_type) |
| goto err_type; |
| err = check_ctx_reg(env, reg, regno); |
| if (err < 0) |
| return err; |
| } else if (arg_type == ARG_PTR_TO_SOCK_COMMON) { |
| expected_type = PTR_TO_SOCK_COMMON; |
| /* Any sk pointer can be ARG_PTR_TO_SOCK_COMMON */ |
| if (!type_is_sk_pointer(type)) |
| goto err_type; |
| if (reg->ref_obj_id) { |
| if (meta->ref_obj_id) { |
| verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n", |
| regno, reg->ref_obj_id, |
| meta->ref_obj_id); |
| return -EFAULT; |
| } |
| meta->ref_obj_id = reg->ref_obj_id; |
| } |
| } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) { |
| if (meta->func_id == BPF_FUNC_spin_lock) { |
| if (process_spin_lock(env, regno, true)) |
| return -EACCES; |
| } else if (meta->func_id == BPF_FUNC_spin_unlock) { |
| if (process_spin_lock(env, regno, false)) |
| return -EACCES; |
| } else { |
| verbose(env, "verifier internal error\n"); |
| return -EFAULT; |
| } |
| } else if (arg_type_is_mem_ptr(arg_type)) { |
| expected_type = PTR_TO_STACK; |
| /* One exception here. In case function allows for NULL to be |
| * passed in as argument, it's a SCALAR_VALUE type. Final test |
| * happens during stack boundary checking. |
| */ |
| if (register_is_null(reg) && |
| arg_type == ARG_PTR_TO_MEM_OR_NULL) |
| /* final test in check_stack_boundary() */; |
| else if (!type_is_pkt_pointer(type) && |
| type != PTR_TO_MAP_VALUE && |
| type != expected_type) |
| goto err_type; |
| meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM; |
| } else { |
| verbose(env, "unsupported arg_type %d\n", arg_type); |
| return -EFAULT; |
| } |
| |
| if (arg_type == ARG_CONST_MAP_PTR) { |
| /* bpf_map_xxx(map_ptr) call: remember that map_ptr */ |
| meta->map_ptr = reg->map_ptr; |
| } else if (arg_type == ARG_PTR_TO_MAP_KEY) { |
| /* bpf_map_xxx(..., map_ptr, ..., key) call: |
| * check that [key, key + map->key_size) are within |
| * stack limits and initialized |
| */ |
| if (!meta->map_ptr) { |
| /* in function declaration map_ptr must come before |
| * map_key, so that it's verified and known before |
| * we have to check map_key here. Otherwise it means |
| * that kernel subsystem misconfigured verifier |
| */ |
| verbose(env, "invalid map_ptr to access map->key\n"); |
| return -EACCES; |
| } |
| err = check_helper_mem_access(env, regno, |
| meta->map_ptr->key_size, false, |
| NULL); |
| } else if (arg_type == ARG_PTR_TO_MAP_VALUE || |
| arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE) { |
| /* bpf_map_xxx(..., map_ptr, ..., value) call: |
| * check [value, value + map->value_size) validity |
| */ |
| if (!meta->map_ptr) { |
| /* kernel subsystem misconfigured verifier */ |
| verbose(env, "invalid map_ptr to access map->value\n"); |
| return -EACCES; |
| } |
| meta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE); |
| err = check_helper_mem_access(env, regno, |
| meta->map_ptr->value_size, false, |
| meta); |
| } else if (arg_type_is_mem_size(arg_type)) { |
| bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO); |
| |
| /* remember the mem_size which may be used later |
| * to refine return values. |
| */ |
| meta->msize_smax_value = reg->smax_value; |
| meta->msize_umax_value = reg->umax_value; |
| |
| /* The register is SCALAR_VALUE; the access check |
| * happens using its boundaries. |
| */ |
| if (!tnum_is_const(reg->var_off)) |
| /* For unprivileged variable accesses, disable raw |
| * mode so that the program is required to |
| * initialize all the memory that the helper could |
| * just partially fill up. |
| */ |
| meta = NULL; |
| |
| if (reg->smin_value < 0) { |
| verbose(env, "R%d min value is negative, either use unsigned or 'var &= const'\n", |
| regno); |
| return -EACCES; |
| } |
| |
| if (reg->umin_value == 0) { |
| err = check_helper_mem_access(env, regno - 1, 0, |
| zero_size_allowed, |
| meta); |
| if (err) |
| return err; |
| } |
| |
| if (reg->umax_value >= BPF_MAX_VAR_SIZ) { |
| verbose(env, "R%d unbounded memory access, use 'var &= const' or 'if (var < const)'\n", |
| regno); |
| return -EACCES; |
| } |
| err = check_helper_mem_access(env, regno - 1, |
| reg->umax_value, |
| zero_size_allowed, meta); |
| } |
| |
| return err; |
| err_type: |
| verbose(env, "R%d type=%s expected=%s\n", regno, |
| reg_type_str[type], reg_type_str[expected_type]); |
| return -EACCES; |
| } |
| |
| static int check_map_func_compatibility(struct bpf_verifier_env *env, |
| struct bpf_map *map, int func_id) |
| { |
| if (!map) |
| return 0; |
| |
| /* We need a two way check, first is from map perspective ... */ |
| switch (map->map_type) { |
| case BPF_MAP_TYPE_PROG_ARRAY: |
| if (func_id != BPF_FUNC_tail_call) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_PERF_EVENT_ARRAY: |
| if (func_id != BPF_FUNC_perf_event_read && |
| func_id != BPF_FUNC_perf_event_output && |
| func_id != BPF_FUNC_perf_event_read_value) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_STACK_TRACE: |
| if (func_id != BPF_FUNC_get_stackid) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_CGROUP_ARRAY: |
| if (func_id != BPF_FUNC_skb_under_cgroup && |
| func_id != BPF_FUNC_current_task_under_cgroup) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_CGROUP_STORAGE: |
| case BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE: |
| if (func_id != BPF_FUNC_get_local_storage) |
| goto error; |
| break; |
| /* devmap returns a pointer to a live net_device ifindex that we cannot |
| * allow to be modified from bpf side. So do not allow lookup elements |
| * for now. |
| */ |
| case BPF_MAP_TYPE_DEVMAP: |
| if (func_id != BPF_FUNC_redirect_map) |
| goto error; |
| break; |
| /* Restrict bpf side of cpumap and xskmap, open when use-cases |
| * appear. |
| */ |
| case BPF_MAP_TYPE_CPUMAP: |
| case BPF_MAP_TYPE_XSKMAP: |
| if (func_id != BPF_FUNC_redirect_map) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_ARRAY_OF_MAPS: |
| case BPF_MAP_TYPE_HASH_OF_MAPS: |
| if (func_id != BPF_FUNC_map_lookup_elem) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_SOCKMAP: |
| if (func_id != BPF_FUNC_sk_redirect_map && |
| func_id != BPF_FUNC_sock_map_update && |
| func_id != BPF_FUNC_map_delete_elem && |
| func_id != BPF_FUNC_msg_redirect_map) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_SOCKHASH: |
| if (func_id != BPF_FUNC_sk_redirect_hash && |
| func_id != BPF_FUNC_sock_hash_update && |
| func_id != BPF_FUNC_map_delete_elem && |
| func_id != BPF_FUNC_msg_redirect_hash) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_REUSEPORT_SOCKARRAY: |
| if (func_id != BPF_FUNC_sk_select_reuseport) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_QUEUE: |
| case BPF_MAP_TYPE_STACK: |
| if (func_id != BPF_FUNC_map_peek_elem && |
| func_id != BPF_FUNC_map_pop_elem && |
| func_id != BPF_FUNC_map_push_elem) |
| goto error; |
| break; |
| default: |
| break; |
| } |
| |
| /* ... and second from the function itself. */ |
| switch (func_id) { |
| case BPF_FUNC_tail_call: |
| if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY) |
| goto error; |
| if (env->subprog_cnt > 1) { |
| verbose(env, "tail_calls are not allowed in programs with bpf-to-bpf calls\n"); |
| return -EINVAL; |
| } |
| break; |
| case BPF_FUNC_perf_event_read: |
| case BPF_FUNC_perf_event_output: |
| case BPF_FUNC_perf_event_read_value: |
| if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY) |
| goto error; |
| break; |
| case BPF_FUNC_get_stackid: |
| if (map->map_type != BPF_MAP_TYPE_STACK_TRACE) |
| goto error; |
| break; |
| case BPF_FUNC_current_task_under_cgroup: |
| case BPF_FUNC_skb_under_cgroup: |
| if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY) |
| goto error; |
| break; |
| case BPF_FUNC_redirect_map: |
| if (map->map_type != BPF_MAP_TYPE_DEVMAP && |
| map->map_type != BPF_MAP_TYPE_CPUMAP && |
| map->map_type != BPF_MAP_TYPE_XSKMAP) |
| goto error; |
| break; |
| case BPF_FUNC_sk_redirect_map: |
| case BPF_FUNC_msg_redirect_map: |
| case BPF_FUNC_sock_map_update: |
| if (map->map_type != BPF_MAP_TYPE_SOCKMAP) |
| goto error; |
| break; |
| case BPF_FUNC_sk_redirect_hash: |
| case BPF_FUNC_msg_redirect_hash: |
| case BPF_FUNC_sock_hash_update: |
| if (map->map_type != BPF_MAP_TYPE_SOCKHASH) |
| goto error; |
| break; |
| case BPF_FUNC_get_local_storage: |
| if (map->map_type != BPF_MAP_TYPE_CGROUP_STORAGE && |
| map->map_type != BPF_MAP_TYPE_PERCPU_CGROUP_STORAGE) |
| goto error; |
| break; |
| case BPF_FUNC_sk_select_reuseport: |
| if (map->map_type != BPF_MAP_TYPE_REUSEPORT_SOCKARRAY) |
| goto error; |
| break; |
| case BPF_FUNC_map_peek_elem: |
| case BPF_FUNC_map_pop_elem: |
| case BPF_FUNC_map_push_elem: |
| if (map->map_type != BPF_MAP_TYPE_QUEUE && |
| map->map_type != BPF_MAP_TYPE_STACK) |
| goto error; |
| break; |
| default: |
| break; |
| } |
| |
| return 0; |
| error: |
| verbose(env, "cannot pass map_type %d into func %s#%d\n", |
| map->map_type, func_id_name(func_id), func_id); |
| return -EINVAL; |
| } |
| |
| static bool check_raw_mode_ok(const struct bpf_func_proto *fn) |
| { |
| int count = 0; |
| |
| if (fn->arg1_type == ARG_PTR_TO_UNINIT_MEM) |
| count++; |
| if (fn->arg2_type == ARG_PTR_TO_UNINIT_MEM) |
| count++; |
| if (fn->arg3_type == ARG_PTR_TO_UNINIT_MEM) |
| count++; |
| if (fn->arg4_type == ARG_PTR_TO_UNINIT_MEM) |
| count++; |
| if (fn->arg5_type == ARG_PTR_TO_UNINIT_MEM) |
| count++; |
| |
| /* We only support one arg being in raw mode at the moment, |
| * which is sufficient for the helper functions we have |
| * right now. |
| */ |
| return count <= 1; |
| } |
| |
| static bool check_args_pair_invalid(enum bpf_arg_type arg_curr, |
| enum bpf_arg_type arg_next) |
| { |
| return (arg_type_is_mem_ptr(arg_curr) && |
| !arg_type_is_mem_size(arg_next)) || |
| (!arg_type_is_mem_ptr(arg_curr) && |
| arg_type_is_mem_size(arg_next)); |
| } |
| |
| static bool check_arg_pair_ok(const struct bpf_func_proto *fn) |
| { |
| /* bpf_xxx(..., buf, len) call will access 'len' |
| * bytes from memory 'buf'. Both arg types need |
| * to be paired, so make sure there's no buggy |
| * helper function specification. |
| */ |
| if (arg_type_is_mem_size(fn->arg1_type) || |
| arg_type_is_mem_ptr(fn->arg5_type) || |
| check_args_pair_invalid(fn->arg1_type, fn->arg2_type) || |
| check_args_pair_invalid(fn->arg2_type, fn->arg3_type) || |
| check_args_pair_invalid(fn->arg3_type, fn->arg4_type) || |
| check_args_pair_invalid(fn->arg4_type, fn->arg5_type)) |
| return false; |
| |
| return true; |
| } |
| |
| static bool check_refcount_ok(const struct bpf_func_proto *fn, int func_id) |
| { |
| int count = 0; |
| |
| if (arg_type_may_be_refcounted(fn->arg1_type)) |
| count++; |
| if (arg_type_may_be_refcounted(fn->arg2_type)) |
| count++; |
| if (arg_type_may_be_refcounted(fn->arg3_type)) |
| count++; |
| if (arg_type_may_be_refcounted(fn->arg4_type)) |
| count++; |
| if (arg_type_may_be_refcounted(fn->arg5_type)) |
| count++; |
| |
| /* A reference acquiring function cannot acquire |
| * another refcounted ptr. |
| */ |
| if (is_acquire_function(func_id) && count) |
| return false; |
| |
| /* We only support one arg being unreferenced at the moment, |
| * which is sufficient for the helper functions we have right now. |
| */ |
| return count <= 1; |
| } |
| |
| static int check_func_proto(const struct bpf_func_proto *fn, int func_id) |
| { |
| return check_raw_mode_ok(fn) && |
| check_arg_pair_ok(fn) && |
| check_refcount_ok(fn, func_id) ? 0 : -EINVAL; |
| } |
| |
| /* Packet data might have moved, any old PTR_TO_PACKET[_META,_END] |
| * are now invalid, so turn them into unknown SCALAR_VALUE. |
| */ |
| static void __clear_all_pkt_pointers(struct bpf_verifier_env *env, |
| struct bpf_func_state *state) |
| { |
| struct bpf_reg_state *regs = state->regs, *reg; |
| int i; |
| |
| for (i = 0; i < MAX_BPF_REG; i++) |
| if (reg_is_pkt_pointer_any(®s[i])) |
| mark_reg_unknown(env, regs, i); |
| |
| bpf_for_each_spilled_reg(i, state, reg) { |
| if (!reg) |
| continue; |
| if (reg_is_pkt_pointer_any(reg)) |
| __mark_reg_unknown(reg); |
| } |
| } |
| |
| static void clear_all_pkt_pointers(struct bpf_verifier_env *env) |
| { |
| struct bpf_verifier_state *vstate = env->cur_state; |
| int i; |
| |
| for (i = 0; i <= vstate->curframe; i++) |
| __clear_all_pkt_pointers(env, vstate->frame[i]); |
| } |
| |
| static void release_reg_references(struct bpf_verifier_env *env, |
| struct bpf_func_state *state, |
| int ref_obj_id) |
| { |
| struct bpf_reg_state *regs = state->regs, *reg; |
| int i; |
| |
| for (i = 0; i < MAX_BPF_REG; i++) |
| if (regs[i].ref_obj_id == ref_obj_id) |
| mark_reg_unknown(env, regs, i); |
| |
| bpf_for_each_spilled_reg(i, state, reg) { |
| if (!reg) |
| continue; |
| if (reg->ref_obj_id == ref_obj_id) |
| __mark_reg_unknown(reg); |
| } |
| } |
| |
| /* The pointer with the specified id has released its reference to kernel |
| * resources. Identify all copies of the same pointer and clear the reference. |
| */ |
| static int release_reference(struct bpf_verifier_env *env, |
| int ref_obj_id) |
| { |
| struct bpf_verifier_state *vstate = env->cur_state; |
| int err; |
| int i; |
| |
| err = release_reference_state(cur_func(env), ref_obj_id); |
| if (err) |
| return err; |
| |
| for (i = 0; i <= vstate->curframe; i++) |
| release_reg_references(env, vstate->frame[i], ref_obj_id); |
| |
| return 0; |
| } |
| |
| static int check_func_call(struct bpf_verifier_env *env, struct bpf_insn *insn, |
| int *insn_idx) |
| { |
| struct bpf_verifier_state *state = env->cur_state; |
| struct bpf_func_state *caller, *callee; |
| int i, err, subprog, target_insn; |
| |
| if (state->curframe + 1 >= MAX_CALL_FRAMES) { |
| verbose(env, "the call stack of %d frames is too deep\n", |
| state->curframe + 2); |
| return -E2BIG; |
| } |
| |
| target_insn = *insn_idx + insn->imm; |
| subprog = find_subprog(env, target_insn + 1); |
| if (subprog < 0) { |
| verbose(env, "verifier bug. No program starts at insn %d\n", |
| target_insn + 1); |
| return -EFAULT; |
| } |
| |
| caller = state->frame[state->curframe]; |
| if (state->frame[state->curframe + 1]) { |
| verbose(env, "verifier bug. Frame %d already allocated\n", |
| state->curframe + 1); |
| return -EFAULT; |
| } |
| |
| callee = kzalloc(sizeof(*callee), GFP_KERNEL); |
| if (!callee) |
| return -ENOMEM; |
| state->frame[state->curframe + 1] = callee; |
| |
| /* callee cannot access r0, r6 - r9 for reading and has to write |
| * into its own stack before reading from it. |
| * callee can read/write into caller's stack |
| */ |
| init_func_state(env, callee, |
| /* remember the callsite, it will be used by bpf_exit */ |
| *insn_idx /* callsite */, |
| state->curframe + 1 /* frameno within this callchain */, |
| subprog /* subprog number within this prog */); |
| |
| /* Transfer references to the callee */ |
| err = transfer_reference_state(callee, caller); |
| if (err) |
| return err; |
| |
| /* copy r1 - r5 args that callee can access. The copy includes parent |
| * pointers, which connects us up to the liveness chain |
| */ |
| for (i = BPF_REG_1; i <= BPF_REG_5; i++) |
| callee->regs[i] = caller->regs[i]; |
| |
| /* after the call registers r0 - r5 were scratched */ |
| for (i = 0; i < CALLER_SAVED_REGS; i++) { |
| mark_reg_not_init(env, caller->regs, caller_saved[i]); |
| check_reg_arg(env, caller_saved[i], DST_OP_NO_MARK); |
| } |
| |
| /* only increment it after check_reg_arg() finished */ |
| state->curframe++; |
| |
| /* and go analyze first insn of the callee */ |
| *insn_idx = target_insn; |
| |
| if (env->log.level) { |
| verbose(env, "caller:\n"); |
| print_verifier_state(env, caller); |
| verbose(env, "callee:\n"); |
| print_verifier_state(env, callee); |
| } |
| return 0; |
| } |
| |
| static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx) |
| { |
| struct bpf_verifier_state *state = env->cur_state; |
| struct bpf_func_state *caller, *callee; |
| struct bpf_reg_state *r0; |
| int err; |
| |
| callee = state->frame[state->curframe]; |
| r0 = &callee->regs[BPF_REG_0]; |
| if (r0->type == PTR_TO_STACK) { |
| /* technically it's ok to return caller's stack pointer |
| * (or caller's caller's pointer) back to the caller, |
| * since these pointers are valid. Only current stack |
| * pointer will be invalid as soon as function exits, |
| * but let's be conservative |
| */ |
| verbose(env, "cannot return stack pointer to the caller\n"); |
| return -EINVAL; |
| } |
| |
| state->curframe--; |
| caller = state->frame[state->curframe]; |
| /* return to the caller whatever r0 had in the callee */ |
| caller->regs[BPF_REG_0] = *r0; |
| |
| /* Transfer references to the caller */ |
| err = transfer_reference_state(caller, callee); |
| if (err) |
| return err; |
| |
| *insn_idx = callee->callsite + 1; |
| if (env->log.level) { |
| verbose(env, "returning from callee:\n"); |
| print_verifier_state(env, callee); |
| verbose(env, "to caller at %d:\n", *insn_idx); |
| print_verifier_state(env, caller); |
| } |
| /* clear everything in the callee */ |
| free_func_state(callee); |
| state->frame[state->curframe + 1] = NULL; |
| return 0; |
| } |
| |
| static void do_refine_retval_range(struct bpf_reg_state *regs, int ret_type, |
| int func_id, |
| struct bpf_call_arg_meta *meta) |
| { |
| struct bpf_reg_state *ret_reg = ®s[BPF_REG_0]; |
| |
| if (ret_type != RET_INTEGER || |
| (func_id != BPF_FUNC_get_stack && |
| func_id != BPF_FUNC_probe_read_str)) |
| return; |
| |
| ret_reg->smax_value = meta->msize_smax_value; |
| ret_reg->umax_value = meta->msize_umax_value; |
| __reg_deduce_bounds(ret_reg); |
| __reg_bound_offset(ret_reg); |
| } |
| |
| static int |
| record_func_map(struct bpf_verifier_env
|