| /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com |
| * Copyright (c) 2016 Facebook |
| * |
| * This program is free software; you can redistribute it and/or |
| * modify it under the terms of version 2 of the GNU General Public |
| * License as published by the Free Software Foundation. |
| * |
| * This program is distributed in the hope that it will be useful, but |
| * WITHOUT ANY WARRANTY; without even the implied warranty of |
| * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
| * General Public License for more details. |
| */ |
| #include <linux/kernel.h> |
| #include <linux/types.h> |
| #include <linux/slab.h> |
| #include <linux/bpf.h> |
| #include <linux/bpf_verifier.h> |
| #include <linux/filter.h> |
| #include <net/netlink.h> |
| #include <linux/file.h> |
| #include <linux/vmalloc.h> |
| |
| /* bpf_check() is a static code analyzer that walks eBPF program |
| * instruction by instruction and updates register/stack state. |
| * All paths of conditional branches are analyzed until 'bpf_exit' insn. |
| * |
| * The first pass is depth-first-search to check that the program is a DAG. |
| * It rejects the following programs: |
| * - larger than BPF_MAXINSNS insns |
| * - if loop is present (detected via back-edge) |
| * - unreachable insns exist (shouldn't be a forest. program = one function) |
| * - out of bounds or malformed jumps |
| * The second pass is all possible path descent from the 1st insn. |
| * Since it's analyzing all pathes through the program, the length of the |
| * analysis is limited to 32k insn, which may be hit even if total number of |
| * insn is less then 4K, but there are too many branches that change stack/regs. |
| * Number of 'branches to be analyzed' is limited to 1k |
| * |
| * On entry to each instruction, each register has a type, and the instruction |
| * changes the types of the registers depending on instruction semantics. |
| * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is |
| * copied to R1. |
| * |
| * All registers are 64-bit. |
| * R0 - return register |
| * R1-R5 argument passing registers |
| * R6-R9 callee saved registers |
| * R10 - frame pointer read-only |
| * |
| * At the start of BPF program the register R1 contains a pointer to bpf_context |
| * and has type PTR_TO_CTX. |
| * |
| * Verifier tracks arithmetic operations on pointers in case: |
| * BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), |
| * BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20), |
| * 1st insn copies R10 (which has FRAME_PTR) type into R1 |
| * and 2nd arithmetic instruction is pattern matched to recognize |
| * that it wants to construct a pointer to some element within stack. |
| * So after 2nd insn, the register R1 has type PTR_TO_STACK |
| * (and -20 constant is saved for further stack bounds checking). |
| * Meaning that this reg is a pointer to stack plus known immediate constant. |
| * |
| * Most of the time the registers have UNKNOWN_VALUE type, which |
| * means the register has some value, but it's not a valid pointer. |
| * (like pointer plus pointer becomes UNKNOWN_VALUE type) |
| * |
| * When verifier sees load or store instructions the type of base register |
| * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, FRAME_PTR. These are three pointer |
| * types recognized by check_mem_access() function. |
| * |
| * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value' |
| * and the range of [ptr, ptr + map's value_size) is accessible. |
| * |
| * registers used to pass values to function calls are checked against |
| * function argument constraints. |
| * |
| * ARG_PTR_TO_MAP_KEY is one of such argument constraints. |
| * It means that the register type passed to this function must be |
| * PTR_TO_STACK and it will be used inside the function as |
| * 'pointer to map element key' |
| * |
| * For example the argument constraints for bpf_map_lookup_elem(): |
| * .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL, |
| * .arg1_type = ARG_CONST_MAP_PTR, |
| * .arg2_type = ARG_PTR_TO_MAP_KEY, |
| * |
| * ret_type says that this function returns 'pointer to map elem value or null' |
| * function expects 1st argument to be a const pointer to 'struct bpf_map' and |
| * 2nd argument should be a pointer to stack, which will be used inside |
| * the helper function as a pointer to map element key. |
| * |
| * On the kernel side the helper function looks like: |
| * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5) |
| * { |
| * struct bpf_map *map = (struct bpf_map *) (unsigned long) r1; |
| * void *key = (void *) (unsigned long) r2; |
| * void *value; |
| * |
| * here kernel can access 'key' and 'map' pointers safely, knowing that |
| * [key, key + map->key_size) bytes are valid and were initialized on |
| * the stack of eBPF program. |
| * } |
| * |
| * Corresponding eBPF program may look like: |
| * BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), // after this insn R2 type is FRAME_PTR |
| * BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK |
| * BPF_LD_MAP_FD(BPF_REG_1, map_fd), // after this insn R1 type is CONST_PTR_TO_MAP |
| * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem), |
| * here verifier looks at prototype of map_lookup_elem() and sees: |
| * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok, |
| * Now verifier knows that this map has key of R1->map_ptr->key_size bytes |
| * |
| * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far, |
| * Now verifier checks that [R2, R2 + map's key_size) are within stack limits |
| * and were initialized prior to this call. |
| * If it's ok, then verifier allows this BPF_CALL insn and looks at |
| * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets |
| * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function |
| * returns ether pointer to map value or NULL. |
| * |
| * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off' |
| * insn, the register holding that pointer in the true branch changes state to |
| * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false |
| * branch. See check_cond_jmp_op(). |
| * |
| * After the call R0 is set to return type of the function and registers R1-R5 |
| * are set to NOT_INIT to indicate that they are no longer readable. |
| */ |
| |
| /* verifier_state + insn_idx are pushed to stack when branch is encountered */ |
| struct bpf_verifier_stack_elem { |
| /* verifer state is 'st' |
| * before processing instruction 'insn_idx' |
| * and after processing instruction 'prev_insn_idx' |
| */ |
| struct bpf_verifier_state st; |
| int insn_idx; |
| int prev_insn_idx; |
| struct bpf_verifier_stack_elem *next; |
| }; |
| |
| #define BPF_COMPLEXITY_LIMIT_INSNS 98304 |
| #define BPF_COMPLEXITY_LIMIT_STACK 1024 |
| |
| struct bpf_call_arg_meta { |
| struct bpf_map *map_ptr; |
| bool raw_mode; |
| bool pkt_access; |
| int regno; |
| int access_size; |
| }; |
| |
| /* verbose verifier prints what it's seeing |
| * bpf_check() is called under lock, so no race to access these global vars |
| */ |
| static u32 log_level, log_size, log_len; |
| static char *log_buf; |
| |
| static DEFINE_MUTEX(bpf_verifier_lock); |
| |
| /* log_level controls verbosity level of eBPF verifier. |
| * verbose() is used to dump the verification trace to the log, so the user |
| * can figure out what's wrong with the program |
| */ |
| static __printf(1, 2) void verbose(const char *fmt, ...) |
| { |
| va_list args; |
| |
| if (log_level == 0 || log_len >= log_size - 1) |
| return; |
| |
| va_start(args, fmt); |
| log_len += vscnprintf(log_buf + log_len, log_size - log_len, fmt, args); |
| va_end(args); |
| } |
| |
| /* string representation of 'enum bpf_reg_type' */ |
| static const char * const reg_type_str[] = { |
| [NOT_INIT] = "?", |
| [UNKNOWN_VALUE] = "inv", |
| [PTR_TO_CTX] = "ctx", |
| [CONST_PTR_TO_MAP] = "map_ptr", |
| [PTR_TO_MAP_VALUE] = "map_value", |
| [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null", |
| [PTR_TO_MAP_VALUE_ADJ] = "map_value_adj", |
| [FRAME_PTR] = "fp", |
| [PTR_TO_STACK] = "fp", |
| [CONST_IMM] = "imm", |
| [PTR_TO_PACKET] = "pkt", |
| [PTR_TO_PACKET_END] = "pkt_end", |
| }; |
| |
| static void print_verifier_state(struct bpf_verifier_state *state) |
| { |
| struct bpf_reg_state *reg; |
| enum bpf_reg_type t; |
| int i; |
| |
| for (i = 0; i < MAX_BPF_REG; i++) { |
| reg = &state->regs[i]; |
| t = reg->type; |
| if (t == NOT_INIT) |
| continue; |
| verbose(" R%d=%s", i, reg_type_str[t]); |
| if (t == CONST_IMM || t == PTR_TO_STACK) |
| verbose("%lld", reg->imm); |
| else if (t == PTR_TO_PACKET) |
| verbose("(id=%d,off=%d,r=%d)", |
| reg->id, reg->off, reg->range); |
| else if (t == UNKNOWN_VALUE && reg->imm) |
| verbose("%lld", reg->imm); |
| else if (t == CONST_PTR_TO_MAP || t == PTR_TO_MAP_VALUE || |
| t == PTR_TO_MAP_VALUE_OR_NULL || |
| t == PTR_TO_MAP_VALUE_ADJ) |
| verbose("(ks=%d,vs=%d,id=%u)", |
| reg->map_ptr->key_size, |
| reg->map_ptr->value_size, |
| reg->id); |
| if (reg->min_value != BPF_REGISTER_MIN_RANGE) |
| verbose(",min_value=%lld", |
| (long long)reg->min_value); |
| if (reg->max_value != BPF_REGISTER_MAX_RANGE) |
| verbose(",max_value=%llu", |
| (unsigned long long)reg->max_value); |
| } |
| for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { |
| if (state->stack_slot_type[i] == STACK_SPILL) |
| verbose(" fp%d=%s", -MAX_BPF_STACK + i, |
| reg_type_str[state->spilled_regs[i / BPF_REG_SIZE].type]); |
| } |
| verbose("\n"); |
| } |
| |
| static const char *const bpf_class_string[] = { |
| [BPF_LD] = "ld", |
| [BPF_LDX] = "ldx", |
| [BPF_ST] = "st", |
| [BPF_STX] = "stx", |
| [BPF_ALU] = "alu", |
| [BPF_JMP] = "jmp", |
| [BPF_RET] = "BUG", |
| [BPF_ALU64] = "alu64", |
| }; |
| |
| static const char *const bpf_alu_string[16] = { |
| [BPF_ADD >> 4] = "+=", |
| [BPF_SUB >> 4] = "-=", |
| [BPF_MUL >> 4] = "*=", |
| [BPF_DIV >> 4] = "/=", |
| [BPF_OR >> 4] = "|=", |
| [BPF_AND >> 4] = "&=", |
| [BPF_LSH >> 4] = "<<=", |
| [BPF_RSH >> 4] = ">>=", |
| [BPF_NEG >> 4] = "neg", |
| [BPF_MOD >> 4] = "%=", |
| [BPF_XOR >> 4] = "^=", |
| [BPF_MOV >> 4] = "=", |
| [BPF_ARSH >> 4] = "s>>=", |
| [BPF_END >> 4] = "endian", |
| }; |
| |
| static const char *const bpf_ldst_string[] = { |
| [BPF_W >> 3] = "u32", |
| [BPF_H >> 3] = "u16", |
| [BPF_B >> 3] = "u8", |
| [BPF_DW >> 3] = "u64", |
| }; |
| |
| static const char *const bpf_jmp_string[16] = { |
| [BPF_JA >> 4] = "jmp", |
| [BPF_JEQ >> 4] = "==", |
| [BPF_JGT >> 4] = ">", |
| [BPF_JGE >> 4] = ">=", |
| [BPF_JSET >> 4] = "&", |
| [BPF_JNE >> 4] = "!=", |
| [BPF_JSGT >> 4] = "s>", |
| [BPF_JSGE >> 4] = "s>=", |
| [BPF_CALL >> 4] = "call", |
| [BPF_EXIT >> 4] = "exit", |
| }; |
| |
| static void print_bpf_insn(const struct bpf_verifier_env *env, |
| const struct bpf_insn *insn) |
| { |
| u8 class = BPF_CLASS(insn->code); |
| |
| if (class == BPF_ALU || class == BPF_ALU64) { |
| if (BPF_SRC(insn->code) == BPF_X) |
| verbose("(%02x) %sr%d %s %sr%d\n", |
| insn->code, class == BPF_ALU ? "(u32) " : "", |
| insn->dst_reg, |
| bpf_alu_string[BPF_OP(insn->code) >> 4], |
| class == BPF_ALU ? "(u32) " : "", |
| insn->src_reg); |
| else |
| verbose("(%02x) %sr%d %s %s%d\n", |
| insn->code, class == BPF_ALU ? "(u32) " : "", |
| insn->dst_reg, |
| bpf_alu_string[BPF_OP(insn->code) >> 4], |
| class == BPF_ALU ? "(u32) " : "", |
| insn->imm); |
| } else if (class == BPF_STX) { |
| if (BPF_MODE(insn->code) == BPF_MEM) |
| verbose("(%02x) *(%s *)(r%d %+d) = r%d\n", |
| insn->code, |
| bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| insn->dst_reg, |
| insn->off, insn->src_reg); |
| else if (BPF_MODE(insn->code) == BPF_XADD) |
| verbose("(%02x) lock *(%s *)(r%d %+d) += r%d\n", |
| insn->code, |
| bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| insn->dst_reg, insn->off, |
| insn->src_reg); |
| else |
| verbose("BUG_%02x\n", insn->code); |
| } else if (class == BPF_ST) { |
| if (BPF_MODE(insn->code) != BPF_MEM) { |
| verbose("BUG_st_%02x\n", insn->code); |
| return; |
| } |
| verbose("(%02x) *(%s *)(r%d %+d) = %d\n", |
| insn->code, |
| bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| insn->dst_reg, |
| insn->off, insn->imm); |
| } else if (class == BPF_LDX) { |
| if (BPF_MODE(insn->code) != BPF_MEM) { |
| verbose("BUG_ldx_%02x\n", insn->code); |
| return; |
| } |
| verbose("(%02x) r%d = *(%s *)(r%d %+d)\n", |
| insn->code, insn->dst_reg, |
| bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| insn->src_reg, insn->off); |
| } else if (class == BPF_LD) { |
| if (BPF_MODE(insn->code) == BPF_ABS) { |
| verbose("(%02x) r0 = *(%s *)skb[%d]\n", |
| insn->code, |
| bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| insn->imm); |
| } else if (BPF_MODE(insn->code) == BPF_IND) { |
| verbose("(%02x) r0 = *(%s *)skb[r%d + %d]\n", |
| insn->code, |
| bpf_ldst_string[BPF_SIZE(insn->code) >> 3], |
| insn->src_reg, insn->imm); |
| } else if (BPF_MODE(insn->code) == BPF_IMM && |
| BPF_SIZE(insn->code) == BPF_DW) { |
| /* At this point, we already made sure that the second |
| * part of the ldimm64 insn is accessible. |
| */ |
| u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm; |
| bool map_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD; |
| |
| if (map_ptr && !env->allow_ptr_leaks) |
| imm = 0; |
| |
| verbose("(%02x) r%d = 0x%llx\n", insn->code, |
| insn->dst_reg, (unsigned long long)imm); |
| } else { |
| verbose("BUG_ld_%02x\n", insn->code); |
| return; |
| } |
| } else if (class == BPF_JMP) { |
| u8 opcode = BPF_OP(insn->code); |
| |
| if (opcode == BPF_CALL) { |
| verbose("(%02x) call %d\n", insn->code, insn->imm); |
| } else if (insn->code == (BPF_JMP | BPF_JA)) { |
| verbose("(%02x) goto pc%+d\n", |
| insn->code, insn->off); |
| } else if (insn->code == (BPF_JMP | BPF_EXIT)) { |
| verbose("(%02x) exit\n", insn->code); |
| } else if (BPF_SRC(insn->code) == BPF_X) { |
| verbose("(%02x) if r%d %s r%d goto pc%+d\n", |
| insn->code, insn->dst_reg, |
| bpf_jmp_string[BPF_OP(insn->code) >> 4], |
| insn->src_reg, insn->off); |
| } else { |
| verbose("(%02x) if r%d %s 0x%x goto pc%+d\n", |
| insn->code, insn->dst_reg, |
| bpf_jmp_string[BPF_OP(insn->code) >> 4], |
| insn->imm, insn->off); |
| } |
| } else { |
| verbose("(%02x) %s\n", insn->code, bpf_class_string[class]); |
| } |
| } |
| |
| static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx) |
| { |
| struct bpf_verifier_stack_elem *elem; |
| int insn_idx; |
| |
| if (env->head == NULL) |
| return -1; |
| |
| memcpy(&env->cur_state, &env->head->st, sizeof(env->cur_state)); |
| insn_idx = env->head->insn_idx; |
| if (prev_insn_idx) |
| *prev_insn_idx = env->head->prev_insn_idx; |
| elem = env->head->next; |
| kfree(env->head); |
| env->head = elem; |
| env->stack_size--; |
| return insn_idx; |
| } |
| |
| static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env, |
| int insn_idx, int prev_insn_idx) |
| { |
| struct bpf_verifier_stack_elem *elem; |
| |
| elem = kmalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL); |
| if (!elem) |
| goto err; |
| |
| memcpy(&elem->st, &env->cur_state, sizeof(env->cur_state)); |
| elem->insn_idx = insn_idx; |
| elem->prev_insn_idx = prev_insn_idx; |
| elem->next = env->head; |
| env->head = elem; |
| env->stack_size++; |
| if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) { |
| verbose("BPF program is too complex\n"); |
| goto err; |
| } |
| return &elem->st; |
| err: |
| /* pop all elements and return */ |
| while (pop_stack(env, NULL) >= 0); |
| return NULL; |
| } |
| |
| #define CALLER_SAVED_REGS 6 |
| static const int caller_saved[CALLER_SAVED_REGS] = { |
| BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5 |
| }; |
| |
| static void init_reg_state(struct bpf_reg_state *regs) |
| { |
| int i; |
| |
| for (i = 0; i < MAX_BPF_REG; i++) { |
| regs[i].type = NOT_INIT; |
| regs[i].imm = 0; |
| regs[i].min_value = BPF_REGISTER_MIN_RANGE; |
| regs[i].max_value = BPF_REGISTER_MAX_RANGE; |
| } |
| |
| /* frame pointer */ |
| regs[BPF_REG_FP].type = FRAME_PTR; |
| |
| /* 1st arg to a function */ |
| regs[BPF_REG_1].type = PTR_TO_CTX; |
| } |
| |
| static void __mark_reg_unknown_value(struct bpf_reg_state *regs, u32 regno) |
| { |
| regs[regno].type = UNKNOWN_VALUE; |
| regs[regno].id = 0; |
| regs[regno].imm = 0; |
| } |
| |
| static void mark_reg_unknown_value(struct bpf_reg_state *regs, u32 regno) |
| { |
| BUG_ON(regno >= MAX_BPF_REG); |
| __mark_reg_unknown_value(regs, regno); |
| } |
| |
| static void reset_reg_range_values(struct bpf_reg_state *regs, u32 regno) |
| { |
| regs[regno].min_value = BPF_REGISTER_MIN_RANGE; |
| regs[regno].max_value = BPF_REGISTER_MAX_RANGE; |
| } |
| |
| enum reg_arg_type { |
| SRC_OP, /* register is used as source operand */ |
| DST_OP, /* register is used as destination operand */ |
| DST_OP_NO_MARK /* same as above, check only, don't mark */ |
| }; |
| |
| static int check_reg_arg(struct bpf_reg_state *regs, u32 regno, |
| enum reg_arg_type t) |
| { |
| if (regno >= MAX_BPF_REG) { |
| verbose("R%d is invalid\n", regno); |
| return -EINVAL; |
| } |
| |
| if (t == SRC_OP) { |
| /* check whether register used as source operand can be read */ |
| if (regs[regno].type == NOT_INIT) { |
| verbose("R%d !read_ok\n", regno); |
| return -EACCES; |
| } |
| } else { |
| /* check whether register used as dest operand can be written to */ |
| if (regno == BPF_REG_FP) { |
| verbose("frame pointer is read only\n"); |
| return -EACCES; |
| } |
| if (t == DST_OP) |
| mark_reg_unknown_value(regs, regno); |
| } |
| return 0; |
| } |
| |
| static int bpf_size_to_bytes(int bpf_size) |
| { |
| if (bpf_size == BPF_W) |
| return 4; |
| else if (bpf_size == BPF_H) |
| return 2; |
| else if (bpf_size == BPF_B) |
| return 1; |
| else if (bpf_size == BPF_DW) |
| return 8; |
| else |
| return -EINVAL; |
| } |
| |
| static bool is_spillable_regtype(enum bpf_reg_type type) |
| { |
| switch (type) { |
| case PTR_TO_MAP_VALUE: |
| case PTR_TO_MAP_VALUE_OR_NULL: |
| case PTR_TO_STACK: |
| case PTR_TO_CTX: |
| case PTR_TO_PACKET: |
| case PTR_TO_PACKET_END: |
| case FRAME_PTR: |
| case CONST_PTR_TO_MAP: |
| return true; |
| default: |
| return false; |
| } |
| } |
| |
| /* check_stack_read/write functions track spill/fill of registers, |
| * stack boundary and alignment are checked in check_mem_access() |
| */ |
| static int check_stack_write(struct bpf_verifier_env *env, |
| struct bpf_verifier_state *state, int off, |
| int size, int value_regno, int insn_idx) |
| { |
| int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE; |
| /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, |
| * so it's aligned access and [off, off + size) are within stack limits |
| */ |
| |
| if (value_regno >= 0 && |
| is_spillable_regtype(state->regs[value_regno].type)) { |
| |
| /* register containing pointer is being spilled into stack */ |
| if (size != BPF_REG_SIZE) { |
| verbose("invalid size of register spill\n"); |
| return -EACCES; |
| } |
| |
| /* save register state */ |
| state->spilled_regs[spi] = state->regs[value_regno]; |
| |
| for (i = 0; i < BPF_REG_SIZE; i++) { |
| if (state->stack_slot_type[MAX_BPF_STACK + off + i] == STACK_MISC && |
| !env->allow_ptr_leaks) { |
| int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off; |
| int soff = (-spi - 1) * BPF_REG_SIZE; |
| |
| /* detected reuse of integer stack slot with a pointer |
| * which means either llvm is reusing stack slot or |
| * an attacker is trying to exploit CVE-2018-3639 |
| * (speculative store bypass) |
| * Have to sanitize that slot with preemptive |
| * store of zero. |
| */ |
| if (*poff && *poff != soff) { |
| /* disallow programs where single insn stores |
| * into two different stack slots, since verifier |
| * cannot sanitize them |
| */ |
| verbose("insn %d cannot access two stack slots fp%d and fp%d", |
| insn_idx, *poff, soff); |
| return -EINVAL; |
| } |
| *poff = soff; |
| } |
| state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL; |
| } |
| } else { |
| /* regular write of data into stack */ |
| state->spilled_regs[spi] = (struct bpf_reg_state) {}; |
| |
| for (i = 0; i < size; i++) |
| state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_MISC; |
| } |
| return 0; |
| } |
| |
| static int check_stack_read(struct bpf_verifier_state *state, int off, int size, |
| int value_regno) |
| { |
| u8 *slot_type; |
| int i; |
| |
| slot_type = &state->stack_slot_type[MAX_BPF_STACK + off]; |
| |
| if (slot_type[0] == STACK_SPILL) { |
| if (size != BPF_REG_SIZE) { |
| verbose("invalid size of register spill\n"); |
| return -EACCES; |
| } |
| for (i = 1; i < BPF_REG_SIZE; i++) { |
| if (slot_type[i] != STACK_SPILL) { |
| verbose("corrupted spill memory\n"); |
| return -EACCES; |
| } |
| } |
| |
| if (value_regno >= 0) |
| /* restore register state from stack */ |
| state->regs[value_regno] = |
| state->spilled_regs[(MAX_BPF_STACK + off) / BPF_REG_SIZE]; |
| return 0; |
| } else { |
| for (i = 0; i < size; i++) { |
| if (slot_type[i] != STACK_MISC) { |
| verbose("invalid read from stack off %d+%d size %d\n", |
| off, i, size); |
| return -EACCES; |
| } |
| } |
| if (value_regno >= 0) |
| /* have read misc data from the stack */ |
| mark_reg_unknown_value(state->regs, value_regno); |
| return 0; |
| } |
| } |
| |
| /* check read/write into map element returned by bpf_map_lookup_elem() */ |
| static int check_map_access(struct bpf_verifier_env *env, u32 regno, int off, |
| int size) |
| { |
| struct bpf_map *map = env->cur_state.regs[regno].map_ptr; |
| |
| if (off < 0 || off + size > map->value_size) { |
| verbose("invalid access to map value, value_size=%d off=%d size=%d\n", |
| map->value_size, off, size); |
| return -EACCES; |
| } |
| return 0; |
| } |
| |
| #define MAX_PACKET_OFF 0xffff |
| |
| static bool may_access_direct_pkt_data(struct bpf_verifier_env *env, |
| const struct bpf_call_arg_meta *meta) |
| { |
| switch (env->prog->type) { |
| case BPF_PROG_TYPE_SCHED_CLS: |
| case BPF_PROG_TYPE_SCHED_ACT: |
| case BPF_PROG_TYPE_XDP: |
| if (meta) |
| return meta->pkt_access; |
| |
| env->seen_direct_write = true; |
| return true; |
| default: |
| return false; |
| } |
| } |
| |
| static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off, |
| int size) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs; |
| struct bpf_reg_state *reg = ®s[regno]; |
| |
| off += reg->off; |
| if (off < 0 || size <= 0 || off + size > reg->range) { |
| verbose("invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n", |
| off, size, regno, reg->id, reg->off, reg->range); |
| return -EACCES; |
| } |
| return 0; |
| } |
| |
| /* check access to 'struct bpf_context' fields */ |
| static int check_ctx_access(struct bpf_verifier_env *env, int off, int size, |
| enum bpf_access_type t, enum bpf_reg_type *reg_type) |
| { |
| /* for analyzer ctx accesses are already validated and converted */ |
| if (env->analyzer_ops) |
| return 0; |
| |
| if (env->prog->aux->ops->is_valid_access && |
| env->prog->aux->ops->is_valid_access(off, size, t, reg_type)) { |
| /* remember the offset of last byte accessed in ctx */ |
| if (env->prog->aux->max_ctx_offset < off + size) |
| env->prog->aux->max_ctx_offset = off + size; |
| return 0; |
| } |
| |
| verbose("invalid bpf_context access off=%d size=%d\n", off, size); |
| return -EACCES; |
| } |
| |
| static bool __is_pointer_value(bool allow_ptr_leaks, |
| const struct bpf_reg_state *reg) |
| { |
| if (allow_ptr_leaks) |
| return false; |
| |
| switch (reg->type) { |
| case UNKNOWN_VALUE: |
| case CONST_IMM: |
| return false; |
| default: |
| return true; |
| } |
| } |
| |
| static bool is_pointer_value(struct bpf_verifier_env *env, int regno) |
| { |
| return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]); |
| } |
| |
| static bool is_ctx_reg(struct bpf_verifier_env *env, int regno) |
| { |
| const struct bpf_reg_state *reg = &env->cur_state.regs[regno]; |
| |
| return reg->type == PTR_TO_CTX; |
| } |
| |
| static int check_ptr_alignment(struct bpf_verifier_env *env, |
| struct bpf_reg_state *reg, int off, int size) |
| { |
| if (reg->type != PTR_TO_PACKET && reg->type != PTR_TO_MAP_VALUE_ADJ) { |
| if (off % size != 0) { |
| verbose("misaligned access off %d size %d\n", |
| off, size); |
| return -EACCES; |
| } else { |
| return 0; |
| } |
| } |
| |
| if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) |
| /* misaligned access to packet is ok on x86,arm,arm64 */ |
| return 0; |
| |
| if (reg->id && size != 1) { |
| verbose("Unknown packet alignment. Only byte-sized access allowed\n"); |
| return -EACCES; |
| } |
| |
| /* skb->data is NET_IP_ALIGN-ed */ |
| if (reg->type == PTR_TO_PACKET && |
| (NET_IP_ALIGN + reg->off + off) % size != 0) { |
| verbose("misaligned packet access off %d+%d+%d size %d\n", |
| NET_IP_ALIGN, reg->off, off, size); |
| return -EACCES; |
| } |
| return 0; |
| } |
| |
| /* check whether memory at (regno + off) is accessible for t = (read | write) |
| * if t==write, value_regno is a register which value is stored into memory |
| * if t==read, value_regno is a register which will receive the value from memory |
| * if t==write && value_regno==-1, some unknown value is stored into memory |
| * if t==read && value_regno==-1, don't care what we read from memory |
| */ |
| static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, int off, |
| int bpf_size, enum bpf_access_type t, |
| int value_regno) |
| { |
| struct bpf_verifier_state *state = &env->cur_state; |
| struct bpf_reg_state *reg = &state->regs[regno]; |
| int size, err = 0; |
| |
| if (reg->type == PTR_TO_STACK) |
| off += reg->imm; |
| |
| size = bpf_size_to_bytes(bpf_size); |
| if (size < 0) |
| return size; |
| |
| err = check_ptr_alignment(env, reg, off, size); |
| if (err) |
| return err; |
| |
| if (reg->type == PTR_TO_MAP_VALUE || |
| reg->type == PTR_TO_MAP_VALUE_ADJ) { |
| if (t == BPF_WRITE && value_regno >= 0 && |
| is_pointer_value(env, value_regno)) { |
| verbose("R%d leaks addr into map\n", value_regno); |
| return -EACCES; |
| } |
| |
| /* If we adjusted the register to this map value at all then we |
| * need to change off and size to min_value and max_value |
| * respectively to make sure our theoretical access will be |
| * safe. |
| */ |
| if (reg->type == PTR_TO_MAP_VALUE_ADJ) { |
| if (log_level) |
| print_verifier_state(state); |
| env->varlen_map_value_access = true; |
| /* The minimum value is only important with signed |
| * comparisons where we can't assume the floor of a |
| * value is 0. If we are using signed variables for our |
| * index'es we need to make sure that whatever we use |
| * will have a set floor within our range. |
| */ |
| if (reg->min_value < 0) { |
| verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", |
| regno); |
| return -EACCES; |
| } |
| err = check_map_access(env, regno, reg->min_value + off, |
| size); |
| if (err) { |
| verbose("R%d min value is outside of the array range\n", |
| regno); |
| return err; |
| } |
| |
| /* If we haven't set a max value then we need to bail |
| * since we can't be sure we won't do bad things. |
| */ |
| if (reg->max_value == BPF_REGISTER_MAX_RANGE) { |
| verbose("R%d unbounded memory access, make sure to bounds check any array access into a map\n", |
| regno); |
| return -EACCES; |
| } |
| off += reg->max_value; |
| } |
| err = check_map_access(env, regno, off, size); |
| if (!err && t == BPF_READ && value_regno >= 0) |
| mark_reg_unknown_value(state->regs, value_regno); |
| |
| } else if (reg->type == PTR_TO_CTX) { |
| enum bpf_reg_type reg_type = UNKNOWN_VALUE; |
| |
| if (t == BPF_WRITE && value_regno >= 0 && |
| is_pointer_value(env, value_regno)) { |
| verbose("R%d leaks addr into ctx\n", value_regno); |
| return -EACCES; |
| } |
| err = check_ctx_access(env, off, size, t, ®_type); |
| if (!err && t == BPF_READ && value_regno >= 0) { |
| mark_reg_unknown_value(state->regs, value_regno); |
| /* note that reg.[id|off|range] == 0 */ |
| state->regs[value_regno].type = reg_type; |
| } |
| |
| } else if (reg->type == FRAME_PTR || reg->type == PTR_TO_STACK) { |
| if (off >= 0 || off < -MAX_BPF_STACK) { |
| verbose("invalid stack off=%d size=%d\n", off, size); |
| return -EACCES; |
| } |
| if (t == BPF_WRITE) { |
| if (!env->allow_ptr_leaks && |
| state->stack_slot_type[MAX_BPF_STACK + off] == STACK_SPILL && |
| size != BPF_REG_SIZE) { |
| verbose("attempt to corrupt spilled pointer on stack\n"); |
| return -EACCES; |
| } |
| err = check_stack_write(env, state, off, size, |
| value_regno, insn_idx); |
| } else { |
| err = check_stack_read(state, off, size, value_regno); |
| } |
| } else if (state->regs[regno].type == PTR_TO_PACKET) { |
| if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL)) { |
| verbose("cannot write into packet\n"); |
| return -EACCES; |
| } |
| if (t == BPF_WRITE && value_regno >= 0 && |
| is_pointer_value(env, value_regno)) { |
| verbose("R%d leaks addr into packet\n", value_regno); |
| return -EACCES; |
| } |
| err = check_packet_access(env, regno, off, size); |
| if (!err && t == BPF_READ && value_regno >= 0) |
| mark_reg_unknown_value(state->regs, value_regno); |
| } else { |
| verbose("R%d invalid mem access '%s'\n", |
| regno, reg_type_str[reg->type]); |
| return -EACCES; |
| } |
| |
| if (!err && size <= 2 && value_regno >= 0 && env->allow_ptr_leaks && |
| state->regs[value_regno].type == UNKNOWN_VALUE) { |
| /* 1 or 2 byte load zero-extends, determine the number of |
| * zero upper bits. Not doing it fo 4 byte load, since |
| * such values cannot be added to ptr_to_packet anyway. |
| */ |
| state->regs[value_regno].imm = 64 - size * 8; |
| } |
| return err; |
| } |
| |
| static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs; |
| int err; |
| |
| if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) || |
| insn->imm != 0) { |
| verbose("BPF_XADD uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| /* check src1 operand */ |
| err = check_reg_arg(regs, insn->src_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| /* check src2 operand */ |
| err = check_reg_arg(regs, insn->dst_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| if (is_pointer_value(env, insn->src_reg)) { |
| verbose("R%d leaks addr into mem\n", insn->src_reg); |
| return -EACCES; |
| } |
| |
| if (is_ctx_reg(env, insn->dst_reg)) { |
| verbose("BPF_XADD stores into R%d context is not allowed\n", |
| insn->dst_reg); |
| return -EACCES; |
| } |
| |
| /* check whether atomic_add can read the memory */ |
| err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
| BPF_SIZE(insn->code), BPF_READ, -1); |
| if (err) |
| return err; |
| |
| /* check whether atomic_add can write into the same memory */ |
| return check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
| BPF_SIZE(insn->code), BPF_WRITE, -1); |
| } |
| |
| /* when register 'regno' is passed into function that will read 'access_size' |
| * bytes from that pointer, make sure that it's within stack boundary |
| * and all elements of stack are initialized |
| */ |
| static int check_stack_boundary(struct bpf_verifier_env *env, int regno, |
| int access_size, bool zero_size_allowed, |
| struct bpf_call_arg_meta *meta) |
| { |
| struct bpf_verifier_state *state = &env->cur_state; |
| struct bpf_reg_state *regs = state->regs; |
| int off, i; |
| |
| if (regs[regno].type != PTR_TO_STACK) { |
| if (zero_size_allowed && access_size == 0 && |
| regs[regno].type == CONST_IMM && |
| regs[regno].imm == 0) |
| return 0; |
| |
| verbose("R%d type=%s expected=%s\n", regno, |
| reg_type_str[regs[regno].type], |
| reg_type_str[PTR_TO_STACK]); |
| return -EACCES; |
| } |
| |
| off = regs[regno].imm; |
| if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || |
| access_size <= 0) { |
| verbose("invalid stack type R%d off=%d access_size=%d\n", |
| regno, off, access_size); |
| return -EACCES; |
| } |
| |
| if (meta && meta->raw_mode) { |
| meta->access_size = access_size; |
| meta->regno = regno; |
| return 0; |
| } |
| |
| for (i = 0; i < access_size; i++) { |
| if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) { |
| verbose("invalid indirect read from stack off %d+%d size %d\n", |
| off, i, access_size); |
| return -EACCES; |
| } |
| } |
| return 0; |
| } |
| |
| static int check_func_arg(struct bpf_verifier_env *env, u32 regno, |
| enum bpf_arg_type arg_type, |
| struct bpf_call_arg_meta *meta) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs, *reg = ®s[regno]; |
| enum bpf_reg_type expected_type, type = reg->type; |
| int err = 0; |
| |
| if (arg_type == ARG_DONTCARE) |
| return 0; |
| |
| if (type == NOT_INIT) { |
| verbose("R%d !read_ok\n", regno); |
| return -EACCES; |
| } |
| |
| if (arg_type == ARG_ANYTHING) { |
| if (is_pointer_value(env, regno)) { |
| verbose("R%d leaks addr into helper function\n", regno); |
| return -EACCES; |
| } |
| return 0; |
| } |
| |
| if (type == PTR_TO_PACKET && !may_access_direct_pkt_data(env, meta)) { |
| verbose("helper access to the packet is not allowed\n"); |
| return -EACCES; |
| } |
| |
| if (arg_type == ARG_PTR_TO_MAP_KEY || |
| arg_type == ARG_PTR_TO_MAP_VALUE) { |
| expected_type = PTR_TO_STACK; |
| if (type != PTR_TO_PACKET && type != expected_type) |
| goto err_type; |
| } else if (arg_type == ARG_CONST_STACK_SIZE || |
| arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) { |
| expected_type = CONST_IMM; |
| if (type != expected_type) |
| goto err_type; |
| } else if (arg_type == ARG_CONST_MAP_PTR) { |
| expected_type = CONST_PTR_TO_MAP; |
| if (type != expected_type) |
| goto err_type; |
| } else if (arg_type == ARG_PTR_TO_CTX) { |
| expected_type = PTR_TO_CTX; |
| if (type != expected_type) |
| goto err_type; |
| } else if (arg_type == ARG_PTR_TO_STACK || |
| arg_type == ARG_PTR_TO_RAW_STACK) { |
| expected_type = PTR_TO_STACK; |
| /* One exception here. In case function allows for NULL to be |
| * passed in as argument, it's a CONST_IMM type. Final test |
| * happens during stack boundary checking. |
| */ |
| if (type == CONST_IMM && reg->imm == 0) |
| /* final test in check_stack_boundary() */; |
| else if (type != PTR_TO_PACKET && type != expected_type) |
| goto err_type; |
| meta->raw_mode = arg_type == ARG_PTR_TO_RAW_STACK; |
| } else { |
| verbose("unsupported arg_type %d\n", arg_type); |
| return -EFAULT; |
| } |
| |
| if (arg_type == ARG_CONST_MAP_PTR) { |
| /* bpf_map_xxx(map_ptr) call: remember that map_ptr */ |
| meta->map_ptr = reg->map_ptr; |
| } else if (arg_type == ARG_PTR_TO_MAP_KEY) { |
| /* bpf_map_xxx(..., map_ptr, ..., key) call: |
| * check that [key, key + map->key_size) are within |
| * stack limits and initialized |
| */ |
| if (!meta->map_ptr) { |
| /* in function declaration map_ptr must come before |
| * map_key, so that it's verified and known before |
| * we have to check map_key here. Otherwise it means |
| * that kernel subsystem misconfigured verifier |
| */ |
| verbose("invalid map_ptr to access map->key\n"); |
| return -EACCES; |
| } |
| if (type == PTR_TO_PACKET) |
| err = check_packet_access(env, regno, 0, |
| meta->map_ptr->key_size); |
| else |
| err = check_stack_boundary(env, regno, |
| meta->map_ptr->key_size, |
| false, NULL); |
| } else if (arg_type == ARG_PTR_TO_MAP_VALUE) { |
| /* bpf_map_xxx(..., map_ptr, ..., value) call: |
| * check [value, value + map->value_size) validity |
| */ |
| if (!meta->map_ptr) { |
| /* kernel subsystem misconfigured verifier */ |
| verbose("invalid map_ptr to access map->value\n"); |
| return -EACCES; |
| } |
| if (type == PTR_TO_PACKET) |
| err = check_packet_access(env, regno, 0, |
| meta->map_ptr->value_size); |
| else |
| err = check_stack_boundary(env, regno, |
| meta->map_ptr->value_size, |
| false, NULL); |
| } else if (arg_type == ARG_CONST_STACK_SIZE || |
| arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) { |
| bool zero_size_allowed = (arg_type == ARG_CONST_STACK_SIZE_OR_ZERO); |
| |
| /* bpf_xxx(..., buf, len) call will access 'len' bytes |
| * from stack pointer 'buf'. Check it |
| * note: regno == len, regno - 1 == buf |
| */ |
| if (regno == 0) { |
| /* kernel subsystem misconfigured verifier */ |
| verbose("ARG_CONST_STACK_SIZE cannot be first argument\n"); |
| return -EACCES; |
| } |
| if (regs[regno - 1].type == PTR_TO_PACKET) |
| err = check_packet_access(env, regno - 1, 0, reg->imm); |
| else |
| err = check_stack_boundary(env, regno - 1, reg->imm, |
| zero_size_allowed, meta); |
| } |
| |
| return err; |
| err_type: |
| verbose("R%d type=%s expected=%s\n", regno, |
| reg_type_str[type], reg_type_str[expected_type]); |
| return -EACCES; |
| } |
| |
| static int check_map_func_compatibility(struct bpf_map *map, int func_id) |
| { |
| if (!map) |
| return 0; |
| |
| /* We need a two way check, first is from map perspective ... */ |
| switch (map->map_type) { |
| case BPF_MAP_TYPE_PROG_ARRAY: |
| if (func_id != BPF_FUNC_tail_call) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_PERF_EVENT_ARRAY: |
| if (func_id != BPF_FUNC_perf_event_read && |
| func_id != BPF_FUNC_perf_event_output) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_STACK_TRACE: |
| if (func_id != BPF_FUNC_get_stackid) |
| goto error; |
| break; |
| case BPF_MAP_TYPE_CGROUP_ARRAY: |
| if (func_id != BPF_FUNC_skb_under_cgroup && |
| func_id != BPF_FUNC_current_task_under_cgroup) |
| goto error; |
| break; |
| default: |
| break; |
| } |
| |
| /* ... and second from the function itself. */ |
| switch (func_id) { |
| case BPF_FUNC_tail_call: |
| if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY) |
| goto error; |
| break; |
| case BPF_FUNC_perf_event_read: |
| case BPF_FUNC_perf_event_output: |
| if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY) |
| goto error; |
| break; |
| case BPF_FUNC_get_stackid: |
| if (map->map_type != BPF_MAP_TYPE_STACK_TRACE) |
| goto error; |
| break; |
| case BPF_FUNC_current_task_under_cgroup: |
| case BPF_FUNC_skb_under_cgroup: |
| if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY) |
| goto error; |
| break; |
| default: |
| break; |
| } |
| |
| return 0; |
| error: |
| verbose("cannot pass map_type %d into func %d\n", |
| map->map_type, func_id); |
| return -EINVAL; |
| } |
| |
| static int check_raw_mode(const struct bpf_func_proto *fn) |
| { |
| int count = 0; |
| |
| if (fn->arg1_type == ARG_PTR_TO_RAW_STACK) |
| count++; |
| if (fn->arg2_type == ARG_PTR_TO_RAW_STACK) |
| count++; |
| if (fn->arg3_type == ARG_PTR_TO_RAW_STACK) |
| count++; |
| if (fn->arg4_type == ARG_PTR_TO_RAW_STACK) |
| count++; |
| if (fn->arg5_type == ARG_PTR_TO_RAW_STACK) |
| count++; |
| |
| return count > 1 ? -EINVAL : 0; |
| } |
| |
| static void clear_all_pkt_pointers(struct bpf_verifier_env *env) |
| { |
| struct bpf_verifier_state *state = &env->cur_state; |
| struct bpf_reg_state *regs = state->regs, *reg; |
| int i; |
| |
| for (i = 0; i < MAX_BPF_REG; i++) |
| if (regs[i].type == PTR_TO_PACKET || |
| regs[i].type == PTR_TO_PACKET_END) |
| mark_reg_unknown_value(regs, i); |
| |
| for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { |
| if (state->stack_slot_type[i] != STACK_SPILL) |
| continue; |
| reg = &state->spilled_regs[i / BPF_REG_SIZE]; |
| if (reg->type != PTR_TO_PACKET && |
| reg->type != PTR_TO_PACKET_END) |
| continue; |
| reg->type = UNKNOWN_VALUE; |
| reg->imm = 0; |
| } |
| } |
| |
| static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx) |
| { |
| struct bpf_verifier_state *state = &env->cur_state; |
| const struct bpf_func_proto *fn = NULL; |
| struct bpf_reg_state *regs = state->regs; |
| struct bpf_reg_state *reg; |
| struct bpf_call_arg_meta meta; |
| bool changes_data; |
| int i, err; |
| |
| /* find function prototype */ |
| if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) { |
| verbose("invalid func %d\n", func_id); |
| return -EINVAL; |
| } |
| |
| if (env->prog->aux->ops->get_func_proto) |
| fn = env->prog->aux->ops->get_func_proto(func_id); |
| |
| if (!fn) { |
| verbose("unknown func %d\n", func_id); |
| return -EINVAL; |
| } |
| |
| /* eBPF programs must be GPL compatible to use GPL-ed functions */ |
| if (!env->prog->gpl_compatible && fn->gpl_only) { |
| verbose("cannot call GPL only function from proprietary program\n"); |
| return -EINVAL; |
| } |
| |
| changes_data = bpf_helper_changes_skb_data(fn->func); |
| |
| memset(&meta, 0, sizeof(meta)); |
| meta.pkt_access = fn->pkt_access; |
| |
| /* We only support one arg being in raw mode at the moment, which |
| * is sufficient for the helper functions we have right now. |
| */ |
| err = check_raw_mode(fn); |
| if (err) { |
| verbose("kernel subsystem misconfigured func %d\n", func_id); |
| return err; |
| } |
| |
| /* check args */ |
| err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta); |
| if (err) |
| return err; |
| err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta); |
| if (err) |
| return err; |
| if (func_id == BPF_FUNC_tail_call) { |
| if (meta.map_ptr == NULL) { |
| verbose("verifier bug\n"); |
| return -EINVAL; |
| } |
| env->insn_aux_data[insn_idx].map_ptr = meta.map_ptr; |
| } |
| err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta); |
| if (err) |
| return err; |
| err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta); |
| if (err) |
| return err; |
| err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta); |
| if (err) |
| return err; |
| |
| /* Mark slots with STACK_MISC in case of raw mode, stack offset |
| * is inferred from register state. |
| */ |
| for (i = 0; i < meta.access_size; i++) { |
| err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, BPF_WRITE, -1); |
| if (err) |
| return err; |
| } |
| |
| /* reset caller saved regs */ |
| for (i = 0; i < CALLER_SAVED_REGS; i++) { |
| reg = regs + caller_saved[i]; |
| reg->type = NOT_INIT; |
| reg->imm = 0; |
| } |
| |
| /* update return register */ |
| if (fn->ret_type == RET_INTEGER) { |
| regs[BPF_REG_0].type = UNKNOWN_VALUE; |
| } else if (fn->ret_type == RET_VOID) { |
| regs[BPF_REG_0].type = NOT_INIT; |
| } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) { |
| regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; |
| regs[BPF_REG_0].max_value = regs[BPF_REG_0].min_value = 0; |
| /* remember map_ptr, so that check_map_access() |
| * can check 'value_size' boundary of memory access |
| * to map element returned from bpf_map_lookup_elem() |
| */ |
| if (meta.map_ptr == NULL) { |
| verbose("kernel subsystem misconfigured verifier\n"); |
| return -EINVAL; |
| } |
| regs[BPF_REG_0].map_ptr = meta.map_ptr; |
| regs[BPF_REG_0].id = ++env->id_gen; |
| } else { |
| verbose("unknown return type %d of func %d\n", |
| fn->ret_type, func_id); |
| return -EINVAL; |
| } |
| |
| err = check_map_func_compatibility(meta.map_ptr, func_id); |
| if (err) |
| return err; |
| |
| if (changes_data) |
| clear_all_pkt_pointers(env); |
| return 0; |
| } |
| |
| static int check_packet_ptr_add(struct bpf_verifier_env *env, |
| struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs; |
| struct bpf_reg_state *dst_reg = ®s[insn->dst_reg]; |
| struct bpf_reg_state *src_reg = ®s[insn->src_reg]; |
| struct bpf_reg_state tmp_reg; |
| s32 imm; |
| |
| if (BPF_SRC(insn->code) == BPF_K) { |
| /* pkt_ptr += imm */ |
| imm = insn->imm; |
| |
| add_imm: |
| if (imm <= 0) { |
| verbose("addition of negative constant to packet pointer is not allowed\n"); |
| return -EACCES; |
| } |
| if (imm >= MAX_PACKET_OFF || |
| imm + dst_reg->off >= MAX_PACKET_OFF) { |
| verbose("constant %d is too large to add to packet pointer\n", |
| imm); |
| return -EACCES; |
| } |
| /* a constant was added to pkt_ptr. |
| * Remember it while keeping the same 'id' |
| */ |
| dst_reg->off += imm; |
| } else { |
| if (src_reg->type == PTR_TO_PACKET) { |
| /* R6=pkt(id=0,off=0,r=62) R7=imm22; r7 += r6 */ |
| tmp_reg = *dst_reg; /* save r7 state */ |
| *dst_reg = *src_reg; /* copy pkt_ptr state r6 into r7 */ |
| src_reg = &tmp_reg; /* pretend it's src_reg state */ |
| /* if the checks below reject it, the copy won't matter, |
| * since we're rejecting the whole program. If all ok, |
| * then imm22 state will be added to r7 |
| * and r7 will be pkt(id=0,off=22,r=62) while |
| * r6 will stay as pkt(id=0,off=0,r=62) |
| */ |
| } |
| |
| if (src_reg->type == CONST_IMM) { |
| /* pkt_ptr += reg where reg is known constant */ |
| imm = src_reg->imm; |
| goto add_imm; |
| } |
| /* disallow pkt_ptr += reg |
| * if reg is not uknown_value with guaranteed zero upper bits |
| * otherwise pkt_ptr may overflow and addition will become |
| * subtraction which is not allowed |
| */ |
| if (src_reg->type != UNKNOWN_VALUE) { |
| verbose("cannot add '%s' to ptr_to_packet\n", |
| reg_type_str[src_reg->type]); |
| return -EACCES; |
| } |
| if (src_reg->imm < 48) { |
| verbose("cannot add integer value with %lld upper zero bits to ptr_to_packet\n", |
| src_reg->imm); |
| return -EACCES; |
| } |
| /* dst_reg stays as pkt_ptr type and since some positive |
| * integer value was added to the pointer, increment its 'id' |
| */ |
| dst_reg->id = ++env->id_gen; |
| |
| /* something was added to pkt_ptr, set range and off to zero */ |
| dst_reg->off = 0; |
| dst_reg->range = 0; |
| } |
| return 0; |
| } |
| |
| static int evaluate_reg_alu(struct bpf_verifier_env *env, struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs; |
| struct bpf_reg_state *dst_reg = ®s[insn->dst_reg]; |
| u8 opcode = BPF_OP(insn->code); |
| s64 imm_log2; |
| |
| /* for type == UNKNOWN_VALUE: |
| * imm > 0 -> number of zero upper bits |
| * imm == 0 -> don't track which is the same as all bits can be non-zero |
| */ |
| |
| if (BPF_SRC(insn->code) == BPF_X) { |
| struct bpf_reg_state *src_reg = ®s[insn->src_reg]; |
| |
| if (src_reg->type == UNKNOWN_VALUE && src_reg->imm > 0 && |
| dst_reg->imm && opcode == BPF_ADD) { |
| /* dreg += sreg |
| * where both have zero upper bits. Adding them |
| * can only result making one more bit non-zero |
| * in the larger value. |
| * Ex. 0xffff (imm=48) + 1 (imm=63) = 0x10000 (imm=47) |
| * 0xffff (imm=48) + 0xffff = 0x1fffe (imm=47) |
| */ |
| dst_reg->imm = min(dst_reg->imm, src_reg->imm); |
| dst_reg->imm--; |
| return 0; |
| } |
| if (src_reg->type == CONST_IMM && src_reg->imm > 0 && |
| dst_reg->imm && opcode == BPF_ADD) { |
| /* dreg += sreg |
| * where dreg has zero upper bits and sreg is const. |
| * Adding them can only result making one more bit |
| * non-zero in the larger value. |
| */ |
| imm_log2 = __ilog2_u64((long long)src_reg->imm); |
| dst_reg->imm = min(dst_reg->imm, 63 - imm_log2); |
| dst_reg->imm--; |
| return 0; |
| } |
| /* all other cases non supported yet, just mark dst_reg */ |
| dst_reg->imm = 0; |
| return 0; |
| } |
| |
| /* sign extend 32-bit imm into 64-bit to make sure that |
| * negative values occupy bit 63. Note ilog2() would have |
| * been incorrect, since sizeof(insn->imm) == 4 |
| */ |
| imm_log2 = __ilog2_u64((long long)insn->imm); |
| |
| if (dst_reg->imm && opcode == BPF_LSH) { |
| /* reg <<= imm |
| * if reg was a result of 2 byte load, then its imm == 48 |
| * which means that upper 48 bits are zero and shifting this reg |
| * left by 4 would mean that upper 44 bits are still zero |
| */ |
| dst_reg->imm -= insn->imm; |
| } else if (dst_reg->imm && opcode == BPF_MUL) { |
| /* reg *= imm |
| * if multiplying by 14 subtract 4 |
| * This is conservative calculation of upper zero bits. |
| * It's not trying to special case insn->imm == 1 or 0 cases |
| */ |
| dst_reg->imm -= imm_log2 + 1; |
| } else if (opcode == BPF_AND) { |
| /* reg &= imm */ |
| dst_reg->imm = 63 - imm_log2; |
| } else if (dst_reg->imm && opcode == BPF_ADD) { |
| /* reg += imm */ |
| dst_reg->imm = min(dst_reg->imm, 63 - imm_log2); |
| dst_reg->imm--; |
| } else if (opcode == BPF_RSH) { |
| /* reg >>= imm |
| * which means that after right shift, upper bits will be zero |
| * note that verifier already checked that |
| * 0 <= imm < 64 for shift insn |
| */ |
| dst_reg->imm += insn->imm; |
| if (unlikely(dst_reg->imm > 64)) |
| /* some dumb code did: |
| * r2 = *(u32 *)mem; |
| * r2 >>= 32; |
| * and all bits are zero now */ |
| dst_reg->imm = 64; |
| } else { |
| /* all other alu ops, means that we don't know what will |
| * happen to the value, mark it with unknown number of zero bits |
| */ |
| dst_reg->imm = 0; |
| } |
| |
| if (dst_reg->imm < 0) { |
| /* all 64 bits of the register can contain non-zero bits |
| * and such value cannot be added to ptr_to_packet, since it |
| * may overflow, mark it as unknown to avoid further eval |
| */ |
| dst_reg->imm = 0; |
| } |
| return 0; |
| } |
| |
| static int evaluate_reg_imm_alu_unknown(struct bpf_verifier_env *env, |
| struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs; |
| struct bpf_reg_state *dst_reg = ®s[insn->dst_reg]; |
| struct bpf_reg_state *src_reg = ®s[insn->src_reg]; |
| u8 opcode = BPF_OP(insn->code); |
| s64 imm_log2 = __ilog2_u64((long long)dst_reg->imm); |
| |
| /* BPF_X code with src_reg->type UNKNOWN_VALUE here. */ |
| if (src_reg->imm > 0 && dst_reg->imm) { |
| switch (opcode) { |
| case BPF_ADD: |
| /* dreg += sreg |
| * where both have zero upper bits. Adding them |
| * can only result making one more bit non-zero |
| * in the larger value. |
| * Ex. 0xffff (imm=48) + 1 (imm=63) = 0x10000 (imm=47) |
| * 0xffff (imm=48) + 0xffff = 0x1fffe (imm=47) |
| */ |
| dst_reg->imm = min(src_reg->imm, 63 - imm_log2); |
| dst_reg->imm--; |
| break; |
| case BPF_AND: |
| /* dreg &= sreg |
| * AND can not extend zero bits only shrink |
| * Ex. 0x00..00ffffff |
| * & 0x0f..ffffffff |
| * ---------------- |
| * 0x00..00ffffff |
| */ |
| dst_reg->imm = max(src_reg->imm, 63 - imm_log2); |
| break; |
| case BPF_OR: |
| /* dreg |= sreg |
| * OR can only extend zero bits |
| * Ex. 0x00..00ffffff |
| * | 0x0f..ffffffff |
| * ---------------- |
| * 0x0f..00ffffff |
| */ |
| dst_reg->imm = min(src_reg->imm, 63 - imm_log2); |
| break; |
| case BPF_SUB: |
| case BPF_MUL: |
| case BPF_RSH: |
| case BPF_LSH: |
| /* These may be flushed out later */ |
| default: |
| mark_reg_unknown_value(regs, insn->dst_reg); |
| } |
| } else { |
| mark_reg_unknown_value(regs, insn->dst_reg); |
| } |
| |
| dst_reg->type = UNKNOWN_VALUE; |
| return 0; |
| } |
| |
| static int evaluate_reg_imm_alu(struct bpf_verifier_env *env, |
| struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs; |
| struct bpf_reg_state *dst_reg = ®s[insn->dst_reg]; |
| struct bpf_reg_state *src_reg = ®s[insn->src_reg]; |
| u8 opcode = BPF_OP(insn->code); |
| |
| if (BPF_SRC(insn->code) == BPF_X && src_reg->type == UNKNOWN_VALUE) |
| return evaluate_reg_imm_alu_unknown(env, insn); |
| |
| /* dst_reg->type == CONST_IMM here, simulate execution of 'add' insn. |
| * Don't care about overflow or negative values, just add them |
| */ |
| if (opcode == BPF_ADD && BPF_SRC(insn->code) == BPF_K) |
| dst_reg->imm += insn->imm; |
| else if (opcode == BPF_ADD && BPF_SRC(insn->code) == BPF_X && |
| src_reg->type == CONST_IMM) |
| dst_reg->imm += src_reg->imm; |
| else |
| mark_reg_unknown_value(regs, insn->dst_reg); |
| return 0; |
| } |
| |
| static void check_reg_overflow(struct bpf_reg_state *reg) |
| { |
| if (reg->max_value > BPF_REGISTER_MAX_RANGE) |
| reg->max_value = BPF_REGISTER_MAX_RANGE; |
| if (reg->min_value < BPF_REGISTER_MIN_RANGE || |
| reg->min_value > BPF_REGISTER_MAX_RANGE) |
| reg->min_value = BPF_REGISTER_MIN_RANGE; |
| } |
| |
| static void adjust_reg_min_max_vals(struct bpf_verifier_env *env, |
| struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg; |
| s64 min_val = BPF_REGISTER_MIN_RANGE; |
| u64 max_val = BPF_REGISTER_MAX_RANGE; |
| bool min_set = false, max_set = false; |
| u8 opcode = BPF_OP(insn->code); |
| |
| dst_reg = ®s[insn->dst_reg]; |
| if (BPF_SRC(insn->code) == BPF_X) { |
| check_reg_overflow(®s[insn->src_reg]); |
| min_val = regs[insn->src_reg].min_value; |
| max_val = regs[insn->src_reg].max_value; |
| |
| /* If the source register is a random pointer then the |
| * min_value/max_value values represent the range of the known |
| * accesses into that value, not the actual min/max value of the |
| * register itself. In this case we have to reset the reg range |
| * values so we know it is not safe to look at. |
| */ |
| if (regs[insn->src_reg].type != CONST_IMM && |
| regs[insn->src_reg].type != UNKNOWN_VALUE) { |
| min_val = BPF_REGISTER_MIN_RANGE; |
| max_val = BPF_REGISTER_MAX_RANGE; |
| } |
| } else if (insn->imm < BPF_REGISTER_MAX_RANGE && |
| (s64)insn->imm > BPF_REGISTER_MIN_RANGE) { |
| min_val = max_val = insn->imm; |
| min_set = max_set = true; |
| } |
| |
| /* We don't know anything about what was done to this register, mark it |
| * as unknown. Also, if both derived bounds came from signed/unsigned |
| * mixed compares and one side is unbounded, we cannot really do anything |
| * with them as boundaries cannot be trusted. Thus, arithmetic of two |
| * regs of such kind will get invalidated bounds on the dst side. |
| */ |
| if ((min_val == BPF_REGISTER_MIN_RANGE && |
| max_val == BPF_REGISTER_MAX_RANGE) || |
| (BPF_SRC(insn->code) == BPF_X && |
| ((min_val != BPF_REGISTER_MIN_RANGE && |
| max_val == BPF_REGISTER_MAX_RANGE) || |
| (min_val == BPF_REGISTER_MIN_RANGE && |
| max_val != BPF_REGISTER_MAX_RANGE) || |
| (dst_reg->min_value != BPF_REGISTER_MIN_RANGE && |
| dst_reg->max_value == BPF_REGISTER_MAX_RANGE) || |
| (dst_reg->min_value == BPF_REGISTER_MIN_RANGE && |
| dst_reg->max_value != BPF_REGISTER_MAX_RANGE)) && |
| regs[insn->dst_reg].value_from_signed != |
| regs[insn->src_reg].value_from_signed)) { |
| reset_reg_range_values(regs, insn->dst_reg); |
| return; |
| } |
| |
| /* If one of our values was at the end of our ranges then we can't just |
| * do our normal operations to the register, we need to set the values |
| * to the min/max since they are undefined. |
| */ |
| if (opcode != BPF_SUB) { |
| if (min_val == BPF_REGISTER_MIN_RANGE) |
| dst_reg->min_value = BPF_REGISTER_MIN_RANGE; |
| if (max_val == BPF_REGISTER_MAX_RANGE) |
| dst_reg->max_value = BPF_REGISTER_MAX_RANGE; |
| } |
| |
| switch (opcode) { |
| case BPF_ADD: |
| if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE) |
| dst_reg->min_value += min_val; |
| if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) |
| dst_reg->max_value += max_val; |
| break; |
| case BPF_SUB: |
| /* If one of our values was at the end of our ranges, then the |
| * _opposite_ value in the dst_reg goes to the end of our range. |
| */ |
| if (min_val == BPF_REGISTER_MIN_RANGE) |
| dst_reg->max_value = BPF_REGISTER_MAX_RANGE; |
| if (max_val == BPF_REGISTER_MAX_RANGE) |
| dst_reg->min_value = BPF_REGISTER_MIN_RANGE; |
| if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE) |
| dst_reg->min_value -= max_val; |
| if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) |
| dst_reg->max_value -= min_val; |
| break; |
| case BPF_MUL: |
| if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE) |
| dst_reg->min_value *= min_val; |
| if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) |
| dst_reg->max_value *= max_val; |
| break; |
| case BPF_AND: |
| /* Disallow AND'ing of negative numbers, ain't nobody got time |
| * for that. Otherwise the minimum is 0 and the max is the max |
| * value we could AND against. |
| */ |
| if (min_val < 0) |
| dst_reg->min_value = BPF_REGISTER_MIN_RANGE; |
| else |
| dst_reg->min_value = 0; |
| dst_reg->max_value = max_val; |
| break; |
| case BPF_LSH: |
| /* Gotta have special overflow logic here, if we're shifting |
| * more than MAX_RANGE then just assume we have an invalid |
| * range. |
| */ |
| if (min_val > ilog2(BPF_REGISTER_MAX_RANGE)) |
| dst_reg->min_value = BPF_REGISTER_MIN_RANGE; |
| else if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE) |
| dst_reg->min_value <<= min_val; |
| |
| if (max_val > ilog2(BPF_REGISTER_MAX_RANGE)) |
| dst_reg->max_value = BPF_REGISTER_MAX_RANGE; |
| else if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) |
| dst_reg->max_value <<= max_val; |
| break; |
| case BPF_RSH: |
| /* RSH by a negative number is undefined, and the BPF_RSH is an |
| * unsigned shift, so make the appropriate casts. |
| */ |
| if (min_val < 0 || dst_reg->min_value < 0) |
| reset_reg_range_values(regs, insn->dst_reg); |
| else |
| dst_reg->min_value = (u64)(dst_reg->min_value) >> max_val; |
| if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) |
| dst_reg->max_value >>= min_val; |
| break; |
| default: |
| reset_reg_range_values(regs, insn->dst_reg); |
| break; |
| } |
| |
| check_reg_overflow(dst_reg); |
| } |
| |
| /* check validity of 32-bit and 64-bit arithmetic operations */ |
| static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg; |
| u8 opcode = BPF_OP(insn->code); |
| int err; |
| |
| if (opcode == BPF_END || opcode == BPF_NEG) { |
| if (opcode == BPF_NEG) { |
| if (BPF_SRC(insn->code) != 0 || |
| insn->src_reg != BPF_REG_0 || |
| insn->off != 0 || insn->imm != 0) { |
| verbose("BPF_NEG uses reserved fields\n"); |
| return -EINVAL; |
| } |
| } else { |
| if (insn->src_reg != BPF_REG_0 || insn->off != 0 || |
| (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) || |
| BPF_CLASS(insn->code) == BPF_ALU64) { |
| verbose("BPF_END uses reserved fields\n"); |
| return -EINVAL; |
| } |
| } |
| |
| /* check src operand */ |
| err = check_reg_arg(regs, insn->dst_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| if (is_pointer_value(env, insn->dst_reg)) { |
| verbose("R%d pointer arithmetic prohibited\n", |
| insn->dst_reg); |
| return -EACCES; |
| } |
| |
| /* check dest operand */ |
| err = check_reg_arg(regs, insn->dst_reg, DST_OP); |
| if (err) |
| return err; |
| |
| } else if (opcode == BPF_MOV) { |
| |
| if (BPF_SRC(insn->code) == BPF_X) { |
| if (insn->imm != 0 || insn->off != 0) { |
| verbose("BPF_MOV uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| /* check src operand */ |
| err = check_reg_arg(regs, insn->src_reg, SRC_OP); |
| if (err) |
| return err; |
| } else { |
| if (insn->src_reg != BPF_REG_0 || insn->off != 0) { |
| verbose("BPF_MOV uses reserved fields\n"); |
| return -EINVAL; |
| } |
| } |
| |
| /* check dest operand */ |
| err = check_reg_arg(regs, insn->dst_reg, DST_OP); |
| if (err) |
| return err; |
| |
| /* we are setting our register to something new, we need to |
| * reset its range values. |
| */ |
| reset_reg_range_values(regs, insn->dst_reg); |
| |
| if (BPF_SRC(insn->code) == BPF_X) { |
| if (BPF_CLASS(insn->code) == BPF_ALU64) { |
| /* case: R1 = R2 |
| * copy register state to dest reg |
| */ |
| regs[insn->dst_reg] = regs[insn->src_reg]; |
| } else { |
| if (is_pointer_value(env, insn->src_reg)) { |
| verbose("R%d partial copy of pointer\n", |
| insn->src_reg); |
| return -EACCES; |
| } |
| mark_reg_unknown_value(regs, insn->dst_reg); |
| } |
| } else { |
| /* case: R = imm |
| * remember the value we stored into this reg |
| */ |
| u64 imm; |
| |
| if (BPF_CLASS(insn->code) == BPF_ALU64) |
| imm = insn->imm; |
| else |
| imm = (u32)insn->imm; |
| |
| regs[insn->dst_reg].type = CONST_IMM; |
| regs[insn->dst_reg].imm = imm; |
| regs[insn->dst_reg].max_value = imm; |
| regs[insn->dst_reg].min_value = imm; |
| } |
| |
| } else if (opcode > BPF_END) { |
| verbose("invalid BPF_ALU opcode %x\n", opcode); |
| return -EINVAL; |
| |
| } else { /* all other ALU ops: and, sub, xor, add, ... */ |
| |
| if (BPF_SRC(insn->code) == BPF_X) { |
| if (insn->imm != 0 || insn->off != 0) { |
| verbose("BPF_ALU uses reserved fields\n"); |
| return -EINVAL; |
| } |
| /* check src1 operand */ |
| err = check_reg_arg(regs, insn->src_reg, SRC_OP); |
| if (err) |
| return err; |
| } else { |
| if (insn->src_reg != BPF_REG_0 || insn->off != 0) { |
| verbose("BPF_ALU uses reserved fields\n"); |
| return -EINVAL; |
| } |
| } |
| |
| /* check src2 operand */ |
| err = check_reg_arg(regs, insn->dst_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| if ((opcode == BPF_MOD || opcode == BPF_DIV) && |
| BPF_SRC(insn->code) == BPF_K && insn->imm == 0) { |
| verbose("div by zero\n"); |
| return -EINVAL; |
| } |
| |
| if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) { |
| verbose("BPF_ARSH not supported for 32 bit ALU\n"); |
| return -EINVAL; |
| } |
| |
| if ((opcode == BPF_LSH || opcode == BPF_RSH || |
| opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) { |
| int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32; |
| |
| if (insn->imm < 0 || insn->imm >= size) { |
| verbose("invalid shift %d\n", insn->imm); |
| return -EINVAL; |
| } |
| } |
| |
| /* check dest operand */ |
| err = check_reg_arg(regs, insn->dst_reg, DST_OP_NO_MARK); |
| if (err) |
| return err; |
| |
| dst_reg = ®s[insn->dst_reg]; |
| |
| /* first we want to adjust our ranges. */ |
| adjust_reg_min_max_vals(env, insn); |
| |
| /* pattern match 'bpf_add Rx, imm' instruction */ |
| if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 && |
| dst_reg->type == FRAME_PTR && BPF_SRC(insn->code) == BPF_K) { |
| dst_reg->type = PTR_TO_STACK; |
| dst_reg->imm = insn->imm; |
| return 0; |
| } else if (opcode == BPF_ADD && |
| BPF_CLASS(insn->code) == BPF_ALU64 && |
| dst_reg->type == PTR_TO_STACK && |
| ((BPF_SRC(insn->code) == BPF_X && |
| regs[insn->src_reg].type == CONST_IMM) || |
| BPF_SRC(insn->code) == BPF_K)) { |
| if (BPF_SRC(insn->code) == BPF_X) { |
| /* check in case the register contains a big |
| * 64-bit value |
| */ |
| if (regs[insn->src_reg].imm < -MAX_BPF_STACK || |
| regs[insn->src_reg].imm > MAX_BPF_STACK) { |
| verbose("R%d value too big in R%d pointer arithmetic\n", |
| insn->src_reg, insn->dst_reg); |
| return -EACCES; |
| } |
| dst_reg->imm += regs[insn->src_reg].imm; |
| } else { |
| /* safe against overflow: addition of 32-bit |
| * numbers in 64-bit representation |
| */ |
| dst_reg->imm += insn->imm; |
| } |
| if (dst_reg->imm > 0 || dst_reg->imm < -MAX_BPF_STACK) { |
| verbose("R%d out-of-bounds pointer arithmetic\n", |
| insn->dst_reg); |
| return -EACCES; |
| } |
| return 0; |
| } else if (opcode == BPF_ADD && |
| BPF_CLASS(insn->code) == BPF_ALU64 && |
| (dst_reg->type == PTR_TO_PACKET || |
| (BPF_SRC(insn->code) == BPF_X && |
| regs[insn->src_reg].type == PTR_TO_PACKET))) { |
| /* ptr_to_packet += K|X */ |
| return check_packet_ptr_add(env, insn); |
| } else if (BPF_CLASS(insn->code) == BPF_ALU64 && |
| dst_reg->type == UNKNOWN_VALUE && |
| env->allow_ptr_leaks) { |
| /* unknown += K|X */ |
| return evaluate_reg_alu(env, insn); |
| } else if (BPF_CLASS(insn->code) == BPF_ALU64 && |
| dst_reg->type == CONST_IMM && |
| env->allow_ptr_leaks) { |
| /* reg_imm += K|X */ |
| return evaluate_reg_imm_alu(env, insn); |
| } else if (is_pointer_value(env, insn->dst_reg)) { |
| verbose("R%d pointer arithmetic prohibited\n", |
| insn->dst_reg); |
| return -EACCES; |
| } else if (BPF_SRC(insn->code) == BPF_X && |
| is_pointer_value(env, insn->src_reg)) { |
| verbose("R%d pointer arithmetic prohibited\n", |
| insn->src_reg); |
| return -EACCES; |
| } |
| |
| /* If we did pointer math on a map value then just set it to our |
| * PTR_TO_MAP_VALUE_ADJ type so we can deal with any stores or |
| * loads to this register appropriately, otherwise just mark the |
| * register as unknown. |
| */ |
| if (env->allow_ptr_leaks && |
| BPF_CLASS(insn->code) == BPF_ALU64 && opcode == BPF_ADD && |
| (dst_reg->type == PTR_TO_MAP_VALUE || |
| dst_reg->type == PTR_TO_MAP_VALUE_ADJ)) |
| dst_reg->type = PTR_TO_MAP_VALUE_ADJ; |
| else |
| mark_reg_unknown_value(regs, insn->dst_reg); |
| } |
| |
| return 0; |
| } |
| |
| static void find_good_pkt_pointers(struct bpf_verifier_state *state, |
| struct bpf_reg_state *dst_reg) |
| { |
| struct bpf_reg_state *regs = state->regs, *reg; |
| int i; |
| |
| /* LLVM can generate two kind of checks: |
| * |
| * Type 1: |
| * |
| * r2 = r3; |
| * r2 += 8; |
| * if (r2 > pkt_end) goto <handle exception> |
| * <access okay> |
| * |
| * Where: |
| * r2 == dst_reg, pkt_end == src_reg |
| * r2=pkt(id=n,off=8,r=0) |
| * r3=pkt(id=n,off=0,r=0) |
| * |
| * Type 2: |
| * |
| * r2 = r3; |
| * r2 += 8; |
| * if (pkt_end >= r2) goto <access okay> |
| * <handle exception> |
| * |
| * Where: |
| * pkt_end == dst_reg, r2 == src_reg |
| * r2=pkt(id=n,off=8,r=0) |
| * r3=pkt(id=n,off=0,r=0) |
| * |
| * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8) |
| * so that range of bytes [r3, r3 + 8) is safe to access. |
| */ |
| |
| for (i = 0; i < MAX_BPF_REG; i++) |
| if (regs[i].type == PTR_TO_PACKET && regs[i].id == dst_reg->id) |
| /* keep the maximum range already checked */ |
| regs[i].range = max(regs[i].range, dst_reg->off); |
| |
| for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { |
| if (state->stack_slot_type[i] != STACK_SPILL) |
| continue; |
| reg = &state->spilled_regs[i / BPF_REG_SIZE]; |
| if (reg->type == PTR_TO_PACKET && reg->id == dst_reg->id) |
| reg->range = max(reg->range, dst_reg->off); |
| } |
| } |
| |
| /* Adjusts the register min/max values in the case that the dst_reg is the |
| * variable register that we are working on, and src_reg is a constant or we're |
| * simply doing a BPF_K check. |
| */ |
| static void reg_set_min_max(struct bpf_reg_state *true_reg, |
| struct bpf_reg_state *false_reg, u64 val, |
| u8 opcode) |
| { |
| bool value_from_signed = true; |
| bool is_range = true; |
| |
| switch (opcode) { |
| case BPF_JEQ: |
| /* If this is false then we know nothing Jon Snow, but if it is |
| * true then we know for sure. |
| */ |
| true_reg->max_value = true_reg->min_value = val; |
| is_range = false; |
| break; |
| case BPF_JNE: |
| /* If this is true we know nothing Jon Snow, but if it is false |
| * we know the value for sure; |
| */ |
| false_reg->max_value = false_reg->min_value = val; |
| is_range = false; |
| break; |
| case BPF_JGT: |
| value_from_signed = false; |
| /* fallthrough */ |
| case BPF_JSGT: |
| if (true_reg->value_from_signed != value_from_signed) |
| reset_reg_range_values(true_reg, 0); |
| if (false_reg->value_from_signed != value_from_signed) |
| reset_reg_range_values(false_reg, 0); |
| if (opcode == BPF_JGT) { |
| /* Unsigned comparison, the minimum value is 0. */ |
| false_reg->min_value = 0; |
| } |
| /* If this is false then we know the maximum val is val, |
| * otherwise we know the min val is val+1. |
| */ |
| false_reg->max_value = val; |
| false_reg->value_from_signed = value_from_signed; |
| true_reg->min_value = val + 1; |
| true_reg->value_from_signed = value_from_signed; |
| break; |
| case BPF_JGE: |
| value_from_signed = false; |
| /* fallthrough */ |
| case BPF_JSGE: |
| if (true_reg->value_from_signed != value_from_signed) |
| reset_reg_range_values(true_reg, 0); |
| if (false_reg->value_from_signed != value_from_signed) |
| reset_reg_range_values(false_reg, 0); |
| if (opcode == BPF_JGE) { |
| /* Unsigned comparison, the minimum value is 0. */ |
| false_reg->min_value = 0; |
| } |
| /* If this is false then we know the maximum value is val - 1, |
| * otherwise we know the mimimum value is val. |
| */ |
| false_reg->max_value = val - 1; |
| false_reg->value_from_signed = value_from_signed; |
| true_reg->min_value = val; |
| true_reg->value_from_signed = value_from_signed; |
| break; |
| default: |
| break; |
| } |
| |
| check_reg_overflow(false_reg); |
| check_reg_overflow(true_reg); |
| if (is_range) { |
| if (__is_pointer_value(false, false_reg)) |
| reset_reg_range_values(false_reg, 0); |
| if (__is_pointer_value(false, true_reg)) |
| reset_reg_range_values(true_reg, 0); |
| } |
| } |
| |
| /* Same as above, but for the case that dst_reg is a CONST_IMM reg and src_reg |
| * is the variable reg. |
| */ |
| static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, |
| struct bpf_reg_state *false_reg, u64 val, |
| u8 opcode) |
| { |
| bool value_from_signed = true; |
| bool is_range = true; |
| |
| switch (opcode) { |
| case BPF_JEQ: |
| /* If this is false then we know nothing Jon Snow, but if it is |
| * true then we know for sure. |
| */ |
| true_reg->max_value = true_reg->min_value = val; |
| is_range = false; |
| break; |
| case BPF_JNE: |
| /* If this is true we know nothing Jon Snow, but if it is false |
| * we know the value for sure; |
| */ |
| false_reg->max_value = false_reg->min_value = val; |
| is_range = false; |
| break; |
| case BPF_JGT: |
| value_from_signed = false; |
| /* fallthrough */ |
| case BPF_JSGT: |
| if (true_reg->value_from_signed != value_from_signed) |
| reset_reg_range_values(true_reg, 0); |
| if (false_reg->value_from_signed != value_from_signed) |
| reset_reg_range_values(false_reg, 0); |
| if (opcode == BPF_JGT) { |
| /* Unsigned comparison, the minimum value is 0. */ |
| true_reg->min_value = 0; |
| } |
| /* |
| * If this is false, then the val is <= the register, if it is |
| * true the register <= to the val. |
| */ |
| false_reg->min_value = val; |
| false_reg->value_from_signed = value_from_signed; |
| true_reg->max_value = val - 1; |
| true_reg->value_from_signed = value_from_signed; |
| break; |
| case BPF_JGE: |
| value_from_signed = false; |
| /* fallthrough */ |
| case BPF_JSGE: |
| if (true_reg->value_from_signed != value_from_signed) |
| reset_reg_range_values(true_reg, 0); |
| if (false_reg->value_from_signed != value_from_signed) |
| reset_reg_range_values(false_reg, 0); |
| if (opcode == BPF_JGE) { |
| /* Unsigned comparison, the minimum value is 0. */ |
| true_reg->min_value = 0; |
| } |
| /* If this is false then constant < register, if it is true then |
| * the register < constant. |
| */ |
| false_reg->min_value = val + 1; |
| false_reg->value_from_signed = value_from_signed; |
| true_reg->max_value = val; |
| true_reg->value_from_signed = value_from_signed; |
| break; |
| default: |
| break; |
| } |
| |
| check_reg_overflow(false_reg); |
| check_reg_overflow(true_reg); |
| if (is_range) { |
| if (__is_pointer_value(false, false_reg)) |
| reset_reg_range_values(false_reg, 0); |
| if (__is_pointer_value(false, true_reg)) |
| reset_reg_range_values(true_reg, 0); |
| } |
| } |
| |
| static void mark_map_reg(struct bpf_reg_state *regs, u32 regno, u32 id, |
| enum bpf_reg_type type) |
| { |
| struct bpf_reg_state *reg = ®s[regno]; |
| |
| if (reg->type == PTR_TO_MAP_VALUE_OR_NULL && reg->id == id) { |
| reg->type = type; |
| /* We don't need id from this point onwards anymore, thus we |
| * should better reset it, so that state pruning has chances |
| * to take effect. |
| */ |
| reg->id = 0; |
| if (type == UNKNOWN_VALUE) |
| __mark_reg_unknown_value(regs, regno); |
| } |
| } |
| |
| /* The logic is similar to find_good_pkt_pointers(), both could eventually |
| * be folded together at some point. |
| */ |
| static void mark_map_regs(struct bpf_verifier_state *state, u32 regno, |
| enum bpf_reg_type type) |
| { |
| struct bpf_reg_state *regs = state->regs; |
| u32 id = regs[regno].id; |
| int i; |
| |
| for (i = 0; i < MAX_BPF_REG; i++) |
| mark_map_reg(regs, i, id, type); |
| |
| for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { |
| if (state->stack_slot_type[i] != STACK_SPILL) |
| continue; |
| mark_map_reg(state->spilled_regs, i / BPF_REG_SIZE, id, type); |
| } |
| } |
| |
| static int check_cond_jmp_op(struct bpf_verifier_env *env, |
| struct bpf_insn *insn, int *insn_idx) |
| { |
| struct bpf_verifier_state *other_branch, *this_branch = &env->cur_state; |
| struct bpf_reg_state *regs = this_branch->regs, *dst_reg; |
| u8 opcode = BPF_OP(insn->code); |
| int err; |
| |
| if (opcode > BPF_EXIT) { |
| verbose("invalid BPF_JMP opcode %x\n", opcode); |
| return -EINVAL; |
| } |
| |
| if (BPF_SRC(insn->code) == BPF_X) { |
| if (insn->imm != 0) { |
| verbose("BPF_JMP uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| /* check src1 operand */ |
| err = check_reg_arg(regs, insn->src_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| if (is_pointer_value(env, insn->src_reg)) { |
| verbose("R%d pointer comparison prohibited\n", |
| insn->src_reg); |
| return -EACCES; |
| } |
| } else { |
| if (insn->src_reg != BPF_REG_0) { |
| verbose("BPF_JMP uses reserved fields\n"); |
| return -EINVAL; |
| } |
| } |
| |
| /* check src2 operand */ |
| err = check_reg_arg(regs, insn->dst_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| dst_reg = ®s[insn->dst_reg]; |
| |
| /* detect if R == 0 where R was initialized to zero earlier */ |
| if (BPF_SRC(insn->code) == BPF_K && |
| (opcode == BPF_JEQ || opcode == BPF_JNE) && |
| dst_reg->type == CONST_IMM && dst_reg->imm == insn->imm) { |
| if (opcode == BPF_JEQ) { |
| /* if (imm == imm) goto pc+off; |
| * only follow the goto, ignore fall-through |
| */ |
| *insn_idx += insn->off; |
| return 0; |
| } else { |
| /* if (imm != imm) goto pc+off; |
| * only follow fall-through branch, since |
| * that's where the program will go |
| */ |
| return 0; |
| } |
| } |
| |
| other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx); |
| if (!other_branch) |
| return -EFAULT; |
| |
| /* detect if we are comparing against a constant value so we can adjust |
| * our min/max values for our dst register. |
| */ |
| if (BPF_SRC(insn->code) == BPF_X) { |
| if (regs[insn->src_reg].type == CONST_IMM) |
| reg_set_min_max(&other_branch->regs[insn->dst_reg], |
| dst_reg, regs[insn->src_reg].imm, |
| opcode); |
| else if (dst_reg->type == CONST_IMM) |
| reg_set_min_max_inv(&other_branch->regs[insn->src_reg], |
| ®s[insn->src_reg], dst_reg->imm, |
| opcode); |
| } else { |
| reg_set_min_max(&other_branch->regs[insn->dst_reg], |
| dst_reg, insn->imm, opcode); |
| } |
| |
| /* detect if R == 0 where R is returned from bpf_map_lookup_elem() */ |
| if (BPF_SRC(insn->code) == BPF_K && |
| insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) && |
| dst_reg->type == PTR_TO_MAP_VALUE_OR_NULL) { |
| /* Mark all identical map registers in each branch as either |
| * safe or unknown depending R == 0 or R != 0 conditional. |
| */ |
| mark_map_regs(this_branch, insn->dst_reg, |
| opcode == BPF_JEQ ? PTR_TO_MAP_VALUE : UNKNOWN_VALUE); |
| mark_map_regs(other_branch, insn->dst_reg, |
| opcode == BPF_JEQ ? UNKNOWN_VALUE : PTR_TO_MAP_VALUE); |
| } else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGT && |
| dst_reg->type == PTR_TO_PACKET && |
| regs[insn->src_reg].type == PTR_TO_PACKET_END) { |
| find_good_pkt_pointers(this_branch, dst_reg); |
| } else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGE && |
| dst_reg->type == PTR_TO_PACKET_END && |
| regs[insn->src_reg].type == PTR_TO_PACKET) { |
| find_good_pkt_pointers(other_branch, ®s[insn->src_reg]); |
| } else if (is_pointer_value(env, insn->dst_reg)) { |
| verbose("R%d pointer comparison prohibited\n", insn->dst_reg); |
| return -EACCES; |
| } |
| if (log_level) |
| print_verifier_state(this_branch); |
| return 0; |
| } |
| |
| /* return the map pointer stored inside BPF_LD_IMM64 instruction */ |
| static struct bpf_map *ld_imm64_to_map_ptr(struct bpf_insn *insn) |
| { |
| u64 imm64 = ((u64) (u32) insn[0].imm) | ((u64) (u32) insn[1].imm) << 32; |
| |
| return (struct bpf_map *) (unsigned long) imm64; |
| } |
| |
| /* verify BPF_LD_IMM64 instruction */ |
| static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs; |
| int err; |
| |
| if (BPF_SIZE(insn->code) != BPF_DW) { |
| verbose("invalid BPF_LD_IMM insn\n"); |
| return -EINVAL; |
| } |
| if (insn->off != 0) { |
| verbose("BPF_LD_IMM64 uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| err = check_reg_arg(regs, insn->dst_reg, DST_OP); |
| if (err) |
| return err; |
| |
| if (insn->src_reg == 0) { |
| /* generic move 64-bit immediate into a register, |
| * only analyzer needs to collect the ld_imm value. |
| */ |
| u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm; |
| |
| if (!env->analyzer_ops) |
| return 0; |
| |
| regs[insn->dst_reg].type = CONST_IMM; |
| regs[insn->dst_reg].imm = imm; |
| return 0; |
| } |
| |
| /* replace_map_fd_with_map_ptr() should have caught bad ld_imm64 */ |
| BUG_ON(insn->src_reg != BPF_PSEUDO_MAP_FD); |
| |
| regs[insn->dst_reg].type = CONST_PTR_TO_MAP; |
| regs[insn->dst_reg].map_ptr = ld_imm64_to_map_ptr(insn); |
| return 0; |
| } |
| |
| static bool may_access_skb(enum bpf_prog_type type) |
| { |
| switch (type) { |
| case BPF_PROG_TYPE_SOCKET_FILTER: |
| case BPF_PROG_TYPE_SCHED_CLS: |
| case BPF_PROG_TYPE_SCHED_ACT: |
| return true; |
| default: |
| return false; |
| } |
| } |
| |
| /* verify safety of LD_ABS|LD_IND instructions: |
| * - they can only appear in the programs where ctx == skb |
| * - since they are wrappers of function calls, they scratch R1-R5 registers, |
| * preserve R6-R9, and store return value into R0 |
| * |
| * Implicit input: |
| * ctx == skb == R6 == CTX |
| * |
| * Explicit input: |
| * SRC == any register |
| * IMM == 32-bit immediate |
| * |
| * Output: |
| * R0 - 8/16/32-bit skb data converted to cpu endianness |
| */ |
| static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn) |
| { |
| struct bpf_reg_state *regs = env->cur_state.regs; |
| u8 mode = BPF_MODE(insn->code); |
| struct bpf_reg_state *reg; |
| int i, err; |
| |
| if (!may_access_skb(env->prog->type)) { |
| verbose("BPF_LD_[ABS|IND] instructions not allowed for this program type\n"); |
| return -EINVAL; |
| } |
| |
| if (insn->dst_reg != BPF_REG_0 || insn->off != 0 || |
| BPF_SIZE(insn->code) == BPF_DW || |
| (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) { |
| verbose("BPF_LD_[ABS|IND] uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| /* check whether implicit source operand (register R6) is readable */ |
| err = check_reg_arg(regs, BPF_REG_6, SRC_OP); |
| if (err) |
| return err; |
| |
| if (regs[BPF_REG_6].type != PTR_TO_CTX) { |
| verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb\n"); |
| return -EINVAL; |
| } |
| |
| if (mode == BPF_IND) { |
| /* check explicit source operand */ |
| err = check_reg_arg(regs, insn->src_reg, SRC_OP); |
| if (err) |
| return err; |
| } |
| |
| /* reset caller saved regs to unreadable */ |
| for (i = 0; i < CALLER_SAVED_REGS; i++) { |
| reg = regs + caller_saved[i]; |
| reg->type = NOT_INIT; |
| reg->imm = 0; |
| } |
| |
| /* mark destination R0 register as readable, since it contains |
| * the value fetched from the packet |
| */ |
| regs[BPF_REG_0].type = UNKNOWN_VALUE; |
| return 0; |
| } |
| |
| /* non-recursive DFS pseudo code |
| * 1 procedure DFS-iterative(G,v): |
| * 2 label v as discovered |
| * 3 let S be a stack |
| * 4 S.push(v) |
| * 5 while S is not empty |
| * 6 t <- S.pop() |
| * 7 if t is what we're looking for: |
| * 8 return t |
| * 9 for all edges e in G.adjacentEdges(t) do |
| * 10 if edge e is already labelled |
| * 11 continue with the next edge |
| * 12 w <- G.adjacentVertex(t,e) |
| * 13 if vertex w is not discovered and not explored |
| * 14 label e as tree-edge |
| * 15 label w as discovered |
| * 16 S.push(w) |
| * 17 continue at 5 |
| * 18 else if vertex w is discovered |
| * 19 label e as back-edge |
| * 20 else |
| * 21 // vertex w is explored |
| * 22 label e as forward- or cross-edge |
| * 23 label t as explored |
| * 24 S.pop() |
| * |
| * convention: |
| * 0x10 - discovered |
| * 0x11 - discovered and fall-through edge labelled |
| * 0x12 - discovered and fall-through and branch edges labelled |
| * 0x20 - explored |
| */ |
| |
| enum { |
| DISCOVERED = 0x10, |
| EXPLORED = 0x20, |
| FALLTHROUGH = 1, |
| BRANCH = 2, |
| }; |
| |
| #define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L) |
| |
| static int *insn_stack; /* stack of insns to process */ |
| static int cur_stack; /* current stack index */ |
| static int *insn_state; |
| |
| /* t, w, e - match pseudo-code above: |
| * t - index of current instruction |
| * w - next instruction |
| * e - edge |
| */ |
| static int push_insn(int t, int w, int e, struct bpf_verifier_env *env) |
| { |
| if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH)) |
| return 0; |
| |
| if (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH)) |
| return 0; |
| |
| if (w < 0 || w >= env->prog->len) { |
| verbose("jump out of range from insn %d to %d\n", t, w); |
| return -EINVAL; |
| } |
| |
| if (e == BRANCH) |
| /* mark branch target for state pruning */ |
| env->explored_states[w] = STATE_LIST_MARK; |
| |
| if (insn_state[w] == 0) { |
| /* tree-edge */ |
| insn_state[t] = DISCOVERED | e; |
| insn_state[w] = DISCOVERED; |
| if (cur_stack >= env->prog->len) |
| return -E2BIG; |
| insn_stack[cur_stack++] = w; |
| return 1; |
| } else if ((insn_state[w] & 0xF0) == DISCOVERED) { |
| verbose("back-edge from insn %d to %d\n", t, w); |
| return -EINVAL; |
| } else if (insn_state[w] == EXPLORED) { |
| /* forward- or cross-edge */ |
| insn_state[t] = DISCOVERED | e; |
| } else { |
| verbose("insn state internal bug\n"); |
| return -EFAULT; |
| } |
| return 0; |
| } |
| |
| /* non-recursive depth-first-search to detect loops in BPF program |
| * loop == back-edge in directed graph |
| */ |
| static int check_cfg(struct bpf_verifier_env *env) |
| { |
| struct bpf_insn *insns = env->prog->insnsi; |
| int insn_cnt = env->prog->len; |
| int ret = 0; |
| int i, t; |
| |
| insn_state = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL); |
| if (!insn_state) |
| return -ENOMEM; |
| |
| insn_stack = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL); |
| if (!insn_stack) { |
| kfree(insn_state); |
| return -ENOMEM; |
| } |
| |
| insn_state[0] = DISCOVERED; /* mark 1st insn as discovered */ |
| insn_stack[0] = 0; /* 0 is the first instruction */ |
| cur_stack = 1; |
| |
| peek_stack: |
| if (cur_stack == 0) |
| goto check_state; |
| t = insn_stack[cur_stack - 1]; |
| |
| if (BPF_CLASS(insns[t].code) == BPF_JMP) { |
| u8 opcode = BPF_OP(insns[t].code); |
| |
| if (opcode == BPF_EXIT) { |
| goto mark_explored; |
| } else if (opcode == BPF_CALL) { |
| ret = push_insn(t, t + 1, FALLTHROUGH, env); |
| if (ret == 1) |
| goto peek_stack; |
| else if (ret < 0) |
| goto err_free; |
| if (t + 1 < insn_cnt) |
| env->explored_states[t + 1] = STATE_LIST_MARK; |
| } else if (opcode == BPF_JA) { |
| if (BPF_SRC(insns[t].code) != BPF_K) { |
| ret = -EINVAL; |
| goto err_free; |
| } |
| /* unconditional jump with single edge */ |
| ret = push_insn(t, t + insns[t].off + 1, |
| FALLTHROUGH, env); |
| if (ret == 1) |
| goto peek_stack; |
| else if (ret < 0) |
| goto err_free; |
| /* tell verifier to check for equivalent states |
| * after every call and jump |
| */ |
| if (t + 1 < insn_cnt) |
| env->explored_states[t + 1] = STATE_LIST_MARK; |
| } else { |
| /* conditional jump with two edges */ |
| env->explored_states[t] = STATE_LIST_MARK; |
| ret = push_insn(t, t + 1, FALLTHROUGH, env); |
| if (ret == 1) |
| goto peek_stack; |
| else if (ret < 0) |
| goto err_free; |
| |
| ret = push_insn(t, t + insns[t].off + 1, BRANCH, env); |
| if (ret == 1) |
| goto peek_stack; |
| else if (ret < 0) |
| goto err_free; |
| } |
| } else { |
| /* all other non-branch instructions with single |
| * fall-through edge |
| */ |
| ret = push_insn(t, t + 1, FALLTHROUGH, env); |
| if (ret == 1) |
| goto peek_stack; |
| else if (ret < 0) |
| goto err_free; |
| } |
| |
| mark_explored: |
| insn_state[t] = EXPLORED; |
| if (cur_stack-- <= 0) { |
| verbose("pop stack internal bug\n"); |
| ret = -EFAULT; |
| goto err_free; |
| } |
| goto peek_stack; |
| |
| check_state: |
| for (i = 0; i < insn_cnt; i++) { |
| if (insn_state[i] != EXPLORED) { |
| verbose("unreachable insn %d\n", i); |
| ret = -EINVAL; |
| goto err_free; |
| } |
| } |
| ret = 0; /* cfg looks good */ |
| |
| err_free: |
| kfree(insn_state); |
| kfree(insn_stack); |
| return ret; |
| } |
| |
| /* the following conditions reduce the number of explored insns |
| * from ~140k to ~80k for ultra large programs that use a lot of ptr_to_packet |
| */ |
| static bool compare_ptrs_to_packet(struct bpf_reg_state *old, |
| struct bpf_reg_state *cur) |
| { |
| if (old->id != cur->id) |
| return false; |
| |
| /* old ptr_to_packet is more conservative, since it allows smaller |
| * range. Ex: |
| * old(off=0,r=10) is equal to cur(off=0,r=20), because |
| * old(off=0,r=10) means that with range=10 the verifier proceeded |
| * further and found no issues with the program. Now we're in the same |
| * spot with cur(off=0,r=20), so we're safe too, since anything further |
| * will only be looking at most 10 bytes after this pointer. |
| */ |
| if (old->off == cur->off && old->range < cur->range) |
| return true; |
| |
| /* old(off=20,r=10) is equal to cur(off=22,re=22 or 5 or 0) |
| * since both cannot be used for packet access and safe(old) |
| * pointer has smaller off that could be used for further |
| * 'if (ptr > data_end)' check |
| * Ex: |
| * old(off=20,r=10) and cur(off=22,r=22) and cur(off=22,r=0) mean |
| * that we cannot access the packet. |
| * The safe range is: |
| * [ptr, ptr + range - off) |
| * so whenever off >=range, it means no safe bytes from this pointer. |
| * When comparing old->off <= cur->off, it means that older code |
| * went with smaller offset and that offset was later |
| * used to figure out the safe range after 'if (ptr > data_end)' check |
| * Say, 'old' state was explored like: |
| * ... R3(off=0, r=0) |
| * R4 = R3 + 20 |
| * ... now R4(off=20,r=0) <-- here |
| * if (R4 > data_end) |
| * ... R4(off=20,r=20), R3(off=0,r=20) and R3 can be used to access. |
| * ... the code further went all the way to bpf_exit. |
| * Now the 'cur' state at the mark 'here' has R4(off=30,r=0). |
| * old_R4(off=20,r=0) equal to cur_R4(off=30,r=0), since if the verifier |
| * goes further, such cur_R4 will give larger safe packet range after |
| * 'if (R4 > data_end)' and all further insn were already good with r=20, |
| * so they will be good with r=30 and we can prune the search. |
| */ |
| if (old->off <= cur->off && |
| old->off >= old->range && cur->off >= cur->range) |
| return true; |
| |
| return false; |
| } |
| |
| /* compare two verifier states |
| * |
| * all states stored in state_list are known to be valid, since |
| * verifier reached 'bpf_exit' instruction through them |
| * |
| * this function is called when verifier exploring different branches of |
| * execution popped from the state stack. If it sees an old state that has |
| * more strict register state and more strict stack state then this execution |
| * branch doesn't need to be explored further, since verifier already |
| * concluded that more strict state leads to valid finish. |
| * |
| * Therefore two states are equivalent if register state is more conservative |
| * and explored stack state is more conservative than the current one. |
| * Example: |
| * explored current |
| * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC) |
| * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC) |
| * |
| * In other words if current stack state (one being explored) has more |
| * valid slots than old one that already passed validation, it means |
| * the verifier can stop exploring and conclude that current state is valid too |
| * |
| * Similarly with registers. If explored state has register type as invalid |
| * whereas register type in current state is meaningful, it means that |
| * the current state will reach 'bpf_exit' instruction safely |
| */ |
| static bool states_equal(struct bpf_verifier_env *env, |
| struct bpf_verifier_state *old, |
| struct bpf_verifier_state *cur) |
| { |
| bool varlen_map_access = env->varlen_map_value_access; |
| struct bpf_reg_state *rold, *rcur; |
| int i; |
| |
| for (i = 0; i < MAX_BPF_REG; i++) { |
| rold = &old->regs[i]; |
| rcur = &cur->regs[i]; |
| |
| if (memcmp(rold, rcur, sizeof(*rold)) == 0) |
| continue; |
| |
| /* If the ranges were not the same, but everything else was and |
| * we didn't do a variable access into a map then we are a-ok. |
| */ |
| if (!varlen_map_access && |
| memcmp(rold, rcur, offsetofend(struct bpf_reg_state, id)) == 0) |
| continue; |
| |
| /* If we didn't map access then again we don't care about the |
| * mismatched range values and it's ok if our old type was |
| * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg. |
| */ |
| if (rold->type == NOT_INIT || |
| (!varlen_map_access && rold->type == UNKNOWN_VALUE && |
| rcur->type != NOT_INIT && |
| !__is_pointer_value(env->allow_ptr_leaks, rcur))) |
| continue; |
| |
| /* Don't care about the reg->id in this case. */ |
| if (rold->type == PTR_TO_MAP_VALUE_OR_NULL && |
| rcur->type == PTR_TO_MAP_VALUE_OR_NULL && |
| rold->map_ptr == rcur->map_ptr) |
| continue; |
| |
| if (rold->type == PTR_TO_PACKET && rcur->type == PTR_TO_PACKET && |
| compare_ptrs_to_packet(rold, rcur)) |
| continue; |
| |
| return false; |
| } |
| |
| for (i = 0; i < MAX_BPF_STACK; i++) { |
| if (old->stack_slot_type[i] == STACK_INVALID) |
| continue; |
| if (old->stack_slot_type[i] != cur->stack_slot_type[i]) |
| /* Ex: old explored (safe) state has STACK_SPILL in |
| * this stack slot, but current has has STACK_MISC -> |
| * this verifier states are not equivalent, |
| * return false to continue verification of this path |
| */ |
| return false; |
| if (i % BPF_REG_SIZE) |
| continue; |
| if (memcmp(&old->spilled_regs[i / BPF_REG_SIZE], |
| &cur->spilled_regs[i / BPF_REG_SIZE], |
| sizeof(old->spilled_regs[0]))) |
| /* when explored and current stack slot types are |
| * the same, check that stored pointers types |
| * are the same as well. |
| * Ex: explored safe path could have stored |
| * (bpf_reg_state) {.type = PTR_TO_STACK, .imm = -8} |
| * but current path has stored: |
| * (bpf_reg_state) {.type = PTR_TO_STACK, .imm = -16} |
| * such verifier states are not equivalent. |
| * return false to continue verification of this path |
| */ |
| return false; |
| else |
| continue; |
| } |
| return true; |
| } |
| |
| static int is_state_visited(struct bpf_verifier_env *env, int insn_idx) |
| { |
| struct bpf_verifier_state_list *new_sl; |
| struct bpf_verifier_state_list *sl; |
| |
| sl = env->explored_states[insn_idx]; |
| if (!sl) |
| /* this 'insn_idx' instruction wasn't marked, so we will not |
| * be doing state search here |
| */ |
| return 0; |
| |
| while (sl != STATE_LIST_MARK) { |
| if (states_equal(env, &sl->state, &env->cur_state)) |
| /* reached equivalent register/stack state, |
| * prune the search |
| */ |
| return 1; |
| sl = sl->next; |
| } |
| |
| /* there were no equivalent states, remember current one. |
| * technically the current state is not proven to be safe yet, |
| * but it will either reach bpf_exit (which means it's safe) or |
| * it will be rejected. Since there are no loops, we won't be |
| * seeing this 'insn_idx' instruction again on the way to bpf_exit |
| */ |
| new_sl = kmalloc(sizeof(struct bpf_verifier_state_list), GFP_USER); |
| if (!new_sl) |
| return -ENOMEM; |
| |
| /* add new state to the head of linked list */ |
| memcpy(&new_sl->state, &env->cur_state, sizeof(env->cur_state)); |
| new_sl->next = env->explored_states[insn_idx]; |
| env->explored_states[insn_idx] = new_sl; |
| return 0; |
| } |
| |
| static int ext_analyzer_insn_hook(struct bpf_verifier_env *env, |
| int insn_idx, int prev_insn_idx) |
| { |
| if (!env->analyzer_ops || !env->analyzer_ops->insn_hook) |
| return 0; |
| |
| return env->analyzer_ops->insn_hook(env, insn_idx, prev_insn_idx); |
| } |
| |
| static int do_check(struct bpf_verifier_env *env) |
| { |
| struct bpf_verifier_state *state = &env->cur_state; |
| struct bpf_insn *insns = env->prog->insnsi; |
| struct bpf_reg_state *regs = state->regs; |
| int insn_cnt = env->prog->len; |
| int insn_idx, prev_insn_idx = 0; |
| int insn_processed = 0; |
| bool do_print_state = false; |
| |
| init_reg_state(regs); |
| insn_idx = 0; |
| env->varlen_map_value_access = false; |
| for (;;) { |
| struct bpf_insn *insn; |
| u8 class; |
| int err; |
| |
| if (insn_idx >= insn_cnt) { |
| verbose("invalid insn idx %d insn_cnt %d\n", |
| insn_idx, insn_cnt); |
| return -EFAULT; |
| } |
| |
| insn = &insns[insn_idx]; |
| class = BPF_CLASS(insn->code); |
| |
| if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) { |
| verbose("BPF program is too large. Proccessed %d insn\n", |
| insn_processed); |
| return -E2BIG; |
| } |
| |
| err = is_state_visited(env, insn_idx); |
| if (err < 0) |
| return err; |
| if (err == 1) { |
| /* found equivalent state, can prune the search */ |
| if (log_level) { |
| if (do_print_state) |
| verbose("\nfrom %d to %d: safe\n", |
| prev_insn_idx, insn_idx); |
| else |
| verbose("%d: safe\n", insn_idx); |
| } |
| goto process_bpf_exit; |
| } |
| |
| if (signal_pending(current)) |
| return -EAGAIN; |
| |
| if (need_resched()) |
| cond_resched(); |
| |
| if (log_level && do_print_state) { |
| verbose("\nfrom %d to %d:", prev_insn_idx, insn_idx); |
| print_verifier_state(&env->cur_state); |
| do_print_state = false; |
| } |
| |
| if (log_level) { |
| verbose("%d: ", insn_idx); |
| print_bpf_insn(env, insn); |
| } |
| |
| err = ext_analyzer_insn_hook(env, insn_idx, prev_insn_idx); |
| if (err) |
| return err; |
| |
| env->insn_aux_data[insn_idx].seen = true; |
| if (class == BPF_ALU || class == BPF_ALU64) { |
| err = check_alu_op(env, insn); |
| if (err) |
| return err; |
| |
| } else if (class == BPF_LDX) { |
| enum bpf_reg_type *prev_src_type, src_reg_type; |
| |
| /* check for reserved fields is already done */ |
| |
| /* check src operand */ |
| err = check_reg_arg(regs, insn->src_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| err = check_reg_arg(regs, insn->dst_reg, DST_OP_NO_MARK); |
| if (err) |
| return err; |
| |
| src_reg_type = regs[insn->src_reg].type; |
| |
| /* check that memory (src_reg + off) is readable, |
| * the state of dst_reg will be updated by this func |
| */ |
| err = check_mem_access(env, insn_idx, insn->src_reg, insn->off, |
| BPF_SIZE(insn->code), BPF_READ, |
| insn->dst_reg); |
| if (err) |
| return err; |
| |
| reset_reg_range_values(regs, insn->dst_reg); |
| if (BPF_SIZE(insn->code) != BPF_W && |
| BPF_SIZE(insn->code) != BPF_DW) { |
| insn_idx++; |
| continue; |
| } |
| |
| prev_src_type = &env->insn_aux_data[insn_idx].ptr_type; |
| |
| if (*prev_src_type == NOT_INIT) { |
| /* saw a valid insn |
| * dst_reg = *(u32 *)(src_reg + off) |
| * save type to validate intersecting paths |
| */ |
| *prev_src_type = src_reg_type; |
| |
| } else if (src_reg_type != *prev_src_type && |
| (src_reg_type == PTR_TO_CTX || |
| *prev_src_type == PTR_TO_CTX)) { |
| /* ABuser program is trying to use the same insn |
| * dst_reg = *(u32*) (src_reg + off) |
| * with different pointer types: |
| * src_reg == ctx in one branch and |
| * src_reg == stack|map in some other branch. |
| * Reject it. |
| */ |
| verbose("same insn cannot be used with different pointers\n"); |
| return -EINVAL; |
| } |
| |
| } else if (class == BPF_STX) { |
| enum bpf_reg_type *prev_dst_type, dst_reg_type; |
| |
| if (BPF_MODE(insn->code) == BPF_XADD) { |
| err = check_xadd(env, insn_idx, insn); |
| if (err) |
| return err; |
| insn_idx++; |
| continue; |
| } |
| |
| /* check src1 operand */ |
| err = check_reg_arg(regs, insn->src_reg, SRC_OP); |
| if (err) |
| return err; |
| /* check src2 operand */ |
| err = check_reg_arg(regs, insn->dst_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| dst_reg_type = regs[insn->dst_reg].type; |
| |
| /* check that memory (dst_reg + off) is writeable */ |
| err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
| BPF_SIZE(insn->code), BPF_WRITE, |
| insn->src_reg); |
| if (err) |
| return err; |
| |
| prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type; |
| |
| if (*prev_dst_type == NOT_INIT) { |
| *prev_dst_type = dst_reg_type; |
| } else if (dst_reg_type != *prev_dst_type && |
| (dst_reg_type == PTR_TO_CTX || |
| *prev_dst_type == PTR_TO_CTX)) { |
| verbose("same insn cannot be used with different pointers\n"); |
| return -EINVAL; |
| } |
| |
| } else if (class == BPF_ST) { |
| if (BPF_MODE(insn->code) != BPF_MEM || |
| insn->src_reg != BPF_REG_0) { |
| verbose("BPF_ST uses reserved fields\n"); |
| return -EINVAL; |
| } |
| /* check src operand */ |
| err = check_reg_arg(regs, insn->dst_reg, SRC_OP); |
| if (err) |
| return err; |
| |
| if (is_ctx_reg(env, insn->dst_reg)) { |
| verbose("BPF_ST stores into R%d context is not allowed\n", |
| insn->dst_reg); |
| return -EACCES; |
| } |
| |
| /* check that memory (dst_reg + off) is writeable */ |
| err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off, |
| BPF_SIZE(insn->code), BPF_WRITE, |
| -1); |
| if (err) |
| return err; |
| |
| } else if (class == BPF_JMP) { |
| u8 opcode = BPF_OP(insn->code); |
| |
| if (opcode == BPF_CALL) { |
| if (BPF_SRC(insn->code) != BPF_K || |
| insn->off != 0 || |
| insn->src_reg != BPF_REG_0 || |
| insn->dst_reg != BPF_REG_0) { |
| verbose("BPF_CALL uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| err = check_call(env, insn->imm, insn_idx); |
| if (err) |
| return err; |
| |
| } else if (opcode == BPF_JA) { |
| if (BPF_SRC(insn->code) != BPF_K || |
| insn->imm != 0 || |
| insn->src_reg != BPF_REG_0 || |
| insn->dst_reg != BPF_REG_0) { |
| verbose("BPF_JA uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| insn_idx += insn->off + 1; |
| continue; |
| |
| } else if (opcode == BPF_EXIT) { |
| if (BPF_SRC(insn->code) != BPF_K || |
| insn->imm != 0 || |
| insn->src_reg != BPF_REG_0 || |
| insn->dst_reg != BPF_REG_0) { |
| verbose("BPF_EXIT uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| /* eBPF calling convetion is such that R0 is used |
| * to return the value from eBPF program. |
| * Make sure that it's readable at this time |
| * of bpf_exit, which means that program wrote |
| * something into it earlier |
| */ |
| err = check_reg_arg(regs, BPF_REG_0, SRC_OP); |
| if (err) |
| return err; |
| |
| if (is_pointer_value(env, BPF_REG_0)) { |
| verbose("R0 leaks addr as return value\n"); |
| return -EACCES; |
| } |
| |
| process_bpf_exit: |
| insn_idx = pop_stack(env, &prev_insn_idx); |
| if (insn_idx < 0) { |
| break; |
| } else { |
| do_print_state = true; |
| continue; |
| } |
| } else { |
| err = check_cond_jmp_op(env, insn, &insn_idx); |
| if (err) |
| return err; |
| } |
| } else if (class == BPF_LD) { |
| u8 mode = BPF_MODE(insn->code); |
| |
| if (mode == BPF_ABS || mode == BPF_IND) { |
| err = check_ld_abs(env, insn); |
| if (err) |
| return err; |
| |
| } else if (mode == BPF_IMM) { |
| err = check_ld_imm(env, insn); |
| if (err) |
| return err; |
| |
| insn_idx++; |
| env->insn_aux_data[insn_idx].seen = true; |
| } else { |
| verbose("invalid BPF_LD mode\n"); |
| return -EINVAL; |
| } |
| reset_reg_range_values(regs, insn->dst_reg); |
| } else { |
| verbose("unknown insn class %d\n", class); |
| return -EINVAL; |
| } |
| |
| insn_idx++; |
| } |
| |
| verbose("processed %d insns\n", insn_processed); |
| return 0; |
| } |
| |
| static int check_map_prog_compatibility(struct bpf_map *map, |
| struct bpf_prog *prog) |
| |
| { |
| if (prog->type == BPF_PROG_TYPE_PERF_EVENT && |
| (map->map_type == BPF_MAP_TYPE_HASH || |
| map->map_type == BPF_MAP_TYPE_PERCPU_HASH) && |
| (map->map_flags & BPF_F_NO_PREALLOC)) { |
| verbose("perf_event programs can only use preallocated hash map\n"); |
| return -EINVAL; |
| } |
| return 0; |
| } |
| |
| /* look for pseudo eBPF instructions that access map FDs and |
| * replace them with actual map pointers |
| */ |
| static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env) |
| { |
| struct bpf_insn *insn = env->prog->insnsi; |
| int insn_cnt = env->prog->len; |
| int i, j, err; |
| |
| for (i = 0; i < insn_cnt; i++, insn++) { |
| if (BPF_CLASS(insn->code) == BPF_LDX && |
| (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) { |
| verbose("BPF_LDX uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| if (BPF_CLASS(insn->code) == BPF_STX && |
| ((BPF_MODE(insn->code) != BPF_MEM && |
| BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) { |
| verbose("BPF_STX uses reserved fields\n"); |
| return -EINVAL; |
| } |
| |
| if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) { |
| struct bpf_map *map; |
| struct fd f; |
| |
| if (i == insn_cnt - 1 || insn[1].code != 0 || |
| insn[1].dst_reg != 0 || insn[1].src_reg != 0 || |
| insn[1].off != 0) { |
| verbose("invalid bpf_ld_imm64 insn\n"); |
| return -EINVAL; |
| } |
| |
| if (insn->src_reg == 0) |
| /* valid generic load 64-bit imm */ |
| goto next_insn; |
| |
| if (insn->src_reg != BPF_PSEUDO_MAP_FD) { |
| verbose("unrecognized bpf_ld_imm64 insn\n"); |
| return -EINVAL; |
| } |
| |
| f = fdget(insn->imm); |
| map = __bpf_map_get(f); |
| if (IS_ERR(map)) { |
| verbose("fd %d is not pointing to valid bpf_map\n", |
| insn->imm); |
| return PTR_ERR(map); |
| } |
| |
| err = check_map_prog_compatibility(map, env->prog); |
| if (err) { |
| fdput(f); |
| return err; |
| } |
| |
| /* store map pointer inside BPF_LD_IMM64 instruction */ |
| insn[0].imm = (u32) (unsigned long) map; |
| insn[1].imm = ((u64) (unsigned long) map) >> 32; |
| |
| /* check whether we recorded this map already */ |
| for (j = 0; j < env->used_map_cnt; j++) |
| if (env->used_maps[j] == map) { |
| fdput(f); |
| goto next_insn; |
| } |
| |
| if (env->used_map_cnt >= MAX_USED_MAPS) { |
| fdput(f); |
| return -E2BIG; |
| } |
| |
| /* hold the map. If the program is rejected by verifier, |
| * the map will be released by release_maps() or it |
| * will be used by the valid program until it's unloaded |
| * and all maps are released in free_used_maps() |
| */ |
| map = bpf_map_inc(map, false); |
| if (IS_ERR(map)) { |
| fdput(f); |
| return PTR_ERR(map); |
| } |
| env->used_maps[env->used_map_cnt++] = map; |
| |
| fdput(f); |
| next_insn: |
| insn++; |
| i++; |
| } |
| } |
| |
| /* now all pseudo BPF_LD_IMM64 instructions load valid |
| * 'struct bpf_map *' into a register instead of user map_fd. |
| * These pointers will be used later by verifier to validate map access. |
| */ |
| return 0; |
| } |
| |
| /* drop refcnt of maps used by the rejected program */ |
| static void release_maps(struct bpf_verifier_env *env) |
| { |
| int i; |
| |
| for (i = 0; i < env->used_map_cnt; i++) |
| bpf_map_put(env->used_maps[i]); |
| } |
| |
| /* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */ |
| static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env) |
| { |
| struct bpf_insn *insn = env->prog->insnsi; |
| int insn_cnt = env->prog->len; |
| int i; |
| |
| for (i = 0; i < insn_cnt; i++, insn++) |
| if (insn->code == (BPF_LD | BPF_IMM | BPF_DW)) |
| insn->src_reg = 0; |
| } |
| |
| /* single env->prog->insni[off] instruction was replaced with the range |
| * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying |
| * [0, off) and [off, end) to new locations, so the patched range stays zero |
| */ |
| static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len, |
| u32 off, u32 cnt) |
| { |
| struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data; |
| int i; |
| |
| if (cnt == 1) |
| return 0; |
| new_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog_len); |
| if (!new_data) |
| return -ENOMEM; |
| memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off); |
| memcpy(new_data + off + cnt - 1, old_data + off, |
| sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1)); |
| for (i = off; i < off + cnt - 1; i++) |
| new_data[i].seen = true; |
| env->insn_aux_data = new_data; |
| vfree(old_data); |
| return 0; |
| } |
| |
| static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off, |
| const struct bpf_insn *patch, u32 len) |
| { |
| struct bpf_prog *new_prog; |
| |
| new_prog = bpf_patch_insn_single(env->prog, off, patch, len); |
| if (!new_prog) |
| return NULL; |
| if (adjust_insn_aux_data(env, new_prog->len, off, len)) |
| return NULL; |
| return new_prog; |
| } |
| |
| /* The verifier does more data flow analysis than llvm and will not explore |
| * branches that are dead at run time. Malicious programs can have dead code |
| * too. Therefore replace all dead at-run-time code with nops. |
| */ |
| static void sanitize_dead_code(struct bpf_verifier_env *env) |
| { |
| struct bpf_insn_aux_data *aux_data = env->insn_aux_data; |
| struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0); |
| struct bpf_insn *insn = env->prog->insnsi; |
| const int insn_cnt = env->prog->len; |
| int i; |
| |
| for (i = 0; i < insn_cnt; i++) { |
| if (aux_data[i].seen) |
| continue; |
| memcpy(insn + i, &nop, sizeof(nop)); |
| } |
| } |
| |
| /* convert load instructions that access fields of 'struct __sk_buff' |
| * into sequence of instructions that access fields of 'struct sk_buff' |
| */ |
| static int convert_ctx_accesses(struct bpf_verifier_env *env) |
| { |
| const struct bpf_verifier_ops *ops = env->prog->aux->ops; |
| const int insn_cnt = env->prog->len; |
| struct bpf_insn insn_buf[16], *insn; |
| struct bpf_prog *new_prog; |
| enum bpf_access_type type; |
| int i, cnt, delta = 0; |
| |
| if (ops->gen_prologue) { |
| cnt = ops->gen_prologue(insn_buf, env->seen_direct_write, |
| env->prog); |
| if (cnt >= ARRAY_SIZE(insn_buf)) { |
| verbose("bpf verifier is misconfigured\n"); |
| return -EINVAL; |
| } else if (cnt) { |
| new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt); |
| if (!new_prog) |
| return -ENOMEM; |
| |
| env->prog = new_prog; |
| delta += cnt - 1; |
| } |
| } |
| |
| if (!ops->convert_ctx_access) |
| return 0; |
| |
| insn = env->prog->insnsi + delta; |
| |
| for (i = 0; i < insn_cnt; i++, insn++) { |
| if (insn->code == (BPF_LDX | BPF_MEM | BPF_W) || |
| insn->code == (BPF_LDX | BPF_MEM | BPF_DW)) |
| type = BPF_READ; |
| else if (insn->code == (BPF_STX | BPF_MEM | BPF_W) || |
| insn->code == (BPF_STX | BPF_MEM | BPF_DW)) |
| type = BPF_WRITE; |
| else |
| continue; |
| |
| if (type == BPF_WRITE && |
| env->insn_aux_data[i + delta].sanitize_stack_off) { |
| struct bpf_insn patch[] = { |
| /* Sanitize suspicious stack slot with zero. |
| * There are no memory dependencies for this store, |
| * since it's only using frame pointer and immediate |
| * constant of zero |
| */ |
| BPF_ST_MEM(BPF_DW, BPF_REG_FP, |
| env->insn_aux_data[i + delta].sanitize_stack_off, |
| 0), |
| /* the original STX instruction will immediately |
| * overwrite the same stack slot with appropriate value |
| */ |
| *insn, |
| }; |
| |
| cnt = ARRAY_SIZE(patch); |
| new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt); |
| if (!new_prog) |
| return -ENOMEM; |
| |
| delta += cnt - 1; |
| env->prog = new_prog; |
| insn = new_prog->insnsi + i + delta; |
| continue; |
| } |
| |
| if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX) |
| continue; |
| |
| cnt = ops->convert_ctx_access(type, insn->dst_reg, insn->src_reg, |
| insn->off, insn_buf, env->prog); |
| if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) { |
| verbose("bpf verifier is misconfigured\n"); |
| return -EINVAL; |
| } |
| |
| new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); |
| if (!new_prog) |
| return -ENOMEM; |
| |
| delta += cnt - 1; |
| |
| /* keep walking new program and skip insns we just inserted */ |
| env->prog = new_prog; |
| insn = new_prog->insnsi + i + delta; |
| } |
| |
| return 0; |
| } |
| |
| /* fixup insn->imm field of bpf_call instructions |
| * |
| * this function is called after eBPF program passed verification |
| */ |
| static int fixup_bpf_calls(struct bpf_verifier_env *env) |
| { |
| struct bpf_prog *prog = env->prog; |
| struct bpf_insn *insn = prog->insnsi; |
| const struct bpf_func_proto *fn; |
| const int insn_cnt = prog->len; |
| struct bpf_insn insn_buf[16]; |
| struct bpf_prog *new_prog; |
| struct bpf_map *map_ptr; |
| int i, cnt, delta = 0; |
| |
| |
| for (i = 0; i < insn_cnt; i++, insn++) { |
| if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) || |
| insn->code == (BPF_ALU | BPF_DIV | BPF_X)) { |
| /* due to JIT bugs clear upper 32-bits of src register |
| * before div/mod operation |
| */ |
| insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg); |
| insn_buf[1] = *insn; |
| cnt = 2; |
| new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); |
| if (!new_prog) |
| return -ENOMEM; |
| |
| delta += cnt - 1; |
| env->prog = prog = new_prog; |
| insn = new_prog->insnsi + i + delta; |
| continue; |
| } |
| |
| if (insn->code != (BPF_JMP | BPF_CALL)) |
| continue; |
| |
| if (insn->imm == BPF_FUNC_get_route_realm) |
| prog->dst_needed = 1; |
| if (insn->imm == BPF_FUNC_get_prandom_u32) |
| bpf_user_rnd_init_once(); |
| if (insn->imm == BPF_FUNC_tail_call) { |
| /* mark bpf_tail_call as different opcode to avoid |
| * conditional branch in the interpeter for every normal |
| * call and to prevent accidental JITing by JIT compiler |
| * that doesn't support bpf_tail_call yet |
| */ |
| insn->imm = 0; |
| insn->code |= BPF_X; |
| |
| /* instead of changing every JIT dealing with tail_call |
| * emit two extra insns: |
| * if (index >= max_entries) goto out; |
| * index &= array->index_mask; |
| * to avoid out-of-bounds cpu speculation |
| */ |
| map_ptr = env->insn_aux_data[i + delta].map_ptr; |
| if (!map_ptr->unpriv_array) |
| continue; |
| insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3, |
| map_ptr->max_entries, 2); |
| insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3, |
| container_of(map_ptr, |
| struct bpf_array, |
| map)->index_mask); |
| insn_buf[2] = *insn; |
| cnt = 3; |
| new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt); |
| if (!new_prog) |
| return -ENOMEM; |
| |
| delta += cnt - 1; |
| env->prog = prog = new_prog; |
| insn = new_prog->insnsi + i + delta; |
| continue; |
| } |
| |
| fn = prog->aux->ops->get_func_proto(insn->imm); |
| /* all functions that have prototype and verifier allowed |
| * programs to call them, must be real in-kernel functions |
| */ |
| if (!fn->func) { |
| verbose("kernel subsystem misconfigured func %d\n", |
| insn->imm); |
| return -EFAULT; |
| } |
| insn->imm = fn->func - __bpf_call_base; |
| } |
| |
| return 0; |
| } |
| |
| static void free_states(struct bpf_verifier_env *env) |
| { |
| struct bpf_verifier_state_list *sl, *sln; |
| int i; |
| |
| if (!env->explored_states) |
| return; |
| |
| for (i = 0; i < env->prog->len; i++) { |
| sl = env->explored_states[i]; |
| |
| if (sl) |
| while (sl != STATE_LIST_MARK) { |
| sln = sl->next; |
| kfree(sl); |
| sl = sln; |
| } |
| } |
| |
| kfree(env->explored_states); |
| } |
| |
| int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) |
| { |
| char __user *log_ubuf = NULL; |
| struct bpf_verifier_env *env; |
| int ret = -EINVAL; |
| |
| if ((*prog)->len <= 0 || (*prog)->len > BPF_MAXINSNS) |
| return -E2BIG; |
| |
| /* 'struct bpf_verifier_env' can be global, but since it's not small, |
| * allocate/free it every time bpf_check() is called |
| */ |
| env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); |
| if (!env) |
| return -ENOMEM; |
| |
| env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) * |
| (*prog)->len); |
| ret = -ENOMEM; |
| if (!env->insn_aux_data) |
| goto err_free_env; |
| env->prog = *prog; |
| |
| /* grab the mutex to protect few globals used by verifier */ |
| mutex_lock(&bpf_verifier_lock); |
| |
| if (attr->log_level || attr->log_buf || attr->log_size) { |
| /* user requested verbose verifier output |
| * and supplied buffer to store the verification trace |
| */ |
| log_level = attr->log_level; |
| log_ubuf = (char __user *) (unsigned long) attr->log_buf; |
| log_size = attr->log_size; |
| log_len = 0; |
| |
| ret = -EINVAL; |
| /* log_* values have to be sane */ |
| if (log_size < 128 || log_size > UINT_MAX >> 8 || |
| log_level == 0 || log_ubuf == NULL) |
| goto err_unlock; |
| |
| ret = -ENOMEM; |
| log_buf = vmalloc(log_size); |
| if (!log_buf) |
| goto err_unlock; |
| } else { |
| log_level = 0; |
| } |
| |
| ret = replace_map_fd_with_map_ptr(env); |
| if (ret < 0) |
| goto skip_full_check; |
| |
| env->explored_states = kcalloc(env->prog->len, |
| sizeof(struct bpf_verifier_state_list *), |
| GFP_USER); |
| ret = -ENOMEM; |
| if (!env->explored_states) |
| goto skip_full_check; |
| |
| ret = check_cfg(env); |
| if (ret < 0) |
| goto skip_full_check; |
| |
| env->allow_ptr_leaks = capable(CAP_SYS_ADMIN); |
| |
| ret = do_check(env); |
| |
| skip_full_check: |
| while (pop_stack(env, NULL) >= 0); |
| free_states(env); |
| |
| if (ret == 0) |
| sanitize_dead_code(env); |
| |
| if (ret == 0) |
| /* program is valid, convert *(u32*)(ctx + off) accesses */ |
| ret = convert_ctx_accesses(env); |
| |
| if (ret == 0) |
| ret = fixup_bpf_calls(env); |
| |
| if (log_level && log_len >= log_size - 1) { |
| BUG_ON(log_len >= log_size); |
| /* verifier log exceeded user supplied buffer */ |
| ret = -ENOSPC; |
| /* fall through to return what was recorded */ |
| } |
| |
| /* copy verifier log back to user space including trailing zero */ |
| if (log_level && copy_to_user(log_ubuf, log_buf, log_len + 1) != 0) { |
| ret = -EFAULT; |
| goto free_log_buf; |
| } |
| |
| if (ret == 0 && env->used_map_cnt) { |
| /* if program passed verifier, update used_maps in bpf_prog_info */ |
| env->prog->aux->used_maps = kmalloc_array(env->used_map_cnt, |
| sizeof(env->used_maps[0]), |
| GFP_KERNEL); |
| |
| if (!env->prog->aux->used_maps) { |
| ret = -ENOMEM; |
| goto free_log_buf; |
| } |
| |
| memcpy(env->prog->aux->used_maps, env->used_maps, |
| sizeof(env->used_maps[0]) * env->used_map_cnt); |
| env->prog->aux->used_map_cnt = env->used_map_cnt; |
| |
| /* program is valid. Convert pseudo bpf_ld_imm64 into generic |
| * bpf_ld_imm64 instructions |
| */ |
| convert_pseudo_ld_imm64(env); |
| } |
| |
| free_log_buf: |
| if (log_level) |
| vfree(log_buf); |
| if (!env->prog->aux->used_maps) |
| /* if we didn't copy map pointers into bpf_prog_info, release |
| * them now. Otherwise free_used_maps() will release them. |
| */ |
| release_maps(env); |
| *prog = env->prog; |
| err_unlock: |
| mutex_unlock(&bpf_verifier_lock); |
| vfree(env->insn_aux_data); |
| err_free_env: |
| kfree(env); |
| return ret; |
| } |
| |
| int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops, |
| void *priv) |
| { |
| struct bpf_verifier_env *env; |
| int ret; |
| |
| env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL); |
| if (!env) |
| return -ENOMEM; |
| |
| env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) * |
| prog->len); |
| ret = -ENOMEM; |
| if (!env->insn_aux_data) |
| goto err_free_env; |
| env->prog = prog; |
| env->analyzer_ops = ops; |
| env->analyzer_priv = priv; |
| |
| /* grab the mutex to protect few globals used by verifier */ |
| mutex_lock(&bpf_verifier_lock); |
| |
| log_level = 0; |
| |
| env->explored_states = kcalloc(env->prog->len, |
| sizeof(struct bpf_verifier_state_list *), |
| GFP_KERNEL); |
| ret = -ENOMEM; |
| if (!env->explored_states) |
| goto skip_full_check; |
| |
| ret = check_cfg(env); |
| if (ret < 0) |
| goto skip_full_check; |
| |
| env->allow_ptr_leaks = capable(CAP_SYS_ADMIN); |
| |
| ret = do_check(env); |
| |
| skip_full_check: |
| while (pop_stack(env, NULL) >= 0); |
| free_states(env); |
| |
| mutex_unlock(&bpf_verifier_lock); |
| vfree(env->insn_aux_data); |
| err_free_env: |
| kfree(env); |
| return ret; |
| } |
| EXPORT_SYMBOL_GPL(bpf_analyzer); |