bpf: Ensure precise is reset to false in __mark_reg_const_zero()

author Andrii Nakryiko <andrii@kernel.org>

Mon, 18 Dec 2023 17:36:01 +0000 (09:36 -0800)

committer Daniel Borkmann <daniel@iogearbox.net>

Mon, 18 Dec 2023 22:54:21 +0000 (23:54 +0100)
author Andrii Nakryiko <andrii@kernel.org>
Mon, 18 Dec 2023 17:36:01 +0000 (09:36 -0800)
committer Daniel Borkmann <daniel@iogearbox.net>
Mon, 18 Dec 2023 22:54:21 +0000 (23:54 +0100)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c

index 1863826a4ac38951751d1a0d0b24707ab709b85a..9456ee0ad129af2f715d23eb297bff2e406da1d4 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1777,10 +1777,14 @@ static void __mark_reg_known_zero(struct bpf_reg_state *reg)
         __mark_reg_known(reg, 0);
  }
  
-static void __mark_reg_const_zero(struct bpf_reg_state *reg)
+static void __mark_reg_const_zero(const struct bpf_verifier_env *env, struct bpf_reg_state *reg)
  {
         __mark_reg_known(reg, 0);
         reg->type = SCALAR_VALUE;
+       /* all scalars are assumed imprecise initially (unless unprivileged,
+        * in which case everything is forced to be precise)
+        */
+       reg->precise = !env->bpf_capable;
  }
  
  static void mark_reg_known_zero(struct bpf_verifier_env *env,
@@ -4706,21 +4710,10 @@ static void mark_reg_stack_read(struct bpf_verifier_env *env,
                 zeros++;
         }
         if (zeros == max_off - min_off) {
-               /* any access_size read into register is zero extended,
-                * so the whole register == const_zero
-                */
-               __mark_reg_const_zero(&state->regs[dst_regno]);
-               /* backtracking doesn't support STACK_ZERO yet,
-                * so mark it precise here, so that later
-                * backtracking can stop here.
-                * Backtracking may not need this if this register
-                * doesn't participate in pointer adjustment.
-                * Forward propagation of precise flag is not
-                * necessary either. This mark is only to stop
-                * backtracking. Any register that contributed
-                * to const 0 was marked precise before spill.
+               /* Any access_size read into register is zero extended,
+                * so the whole register == const_zero.
                  */
-               state->regs[dst_regno].precise = true;
+               __mark_reg_const_zero(env, &state->regs[dst_regno]);
         } else {
                 /* have read misc data from the stack */
                 mark_reg_unknown(env, state->regs, dst_regno);
@@ -4803,11 +4796,11 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
  
                                 if (spill_cnt == size &&
                                     tnum_is_const(reg->var_off) && reg->var_off.value == 0) {
-                                       __mark_reg_const_zero(&state->regs[dst_regno]);
+                                       __mark_reg_const_zero(env, &state->regs[dst_regno]);
                                         /* this IS register fill, so keep insn_flags */
                                 } else if (zero_cnt == size) {
                                         /* similarly to mark_reg_stack_read(), preserve zeroes */
-                                       __mark_reg_const_zero(&state->regs[dst_regno]);
+                                       __mark_reg_const_zero(env, &state->regs[dst_regno]);
                                         insn_flags = 0; /* not restoring original register state */
                                 } else {
                                         mark_reg_unknown(env, state->regs, dst_regno);
@@ -7963,7 +7956,7 @@ static int process_iter_next_call(struct bpf_verifier_env *env, int insn_idx,
         /* switch to DRAINED state, but keep the depth unchanged */
         /* mark current iter state as drained and assume returned NULL */
         cur_iter->iter.state = BPF_ITER_STATE_DRAINED;
-       __mark_reg_const_zero(&cur_fr->regs[BPF_REG_0]);
+       __mark_reg_const_zero(env, &cur_fr->regs[BPF_REG_0]);
  
         return 0;
  }
diff --git a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c

index 508f5d6c73478da8990787528f42db655c260f3a..39fe3372e0e0e7276bc5e6c5c814a6e2fc2b58da 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
+++ b/tools/testing/selftests/bpf/progs/verifier_spill_fill.c
@@ -499,8 +499,14 @@ __success
  __msg("2: (7a) *(u64 *)(r10 -8) = 0          ; R10=fp0 fp-8_w=00000000")
  /* but fp-16 is spilled IMPRECISE zero const reg */
  __msg("4: (7b) *(u64 *)(r10 -16) = r0        ; R0_w=0 R10=fp0 fp-16_w=0")
-/* and now check that precision propagation works even for such tricky case */
-__msg("10: (71) r2 = *(u8 *)(r10 -9)         ; R2_w=P0 R10=fp0 fp-16_w=0")
+/* validate that assigning R2 from STACK_ZERO doesn't mark register
+ * precise immediately; if necessary, it will be marked precise later
+ */
+__msg("6: (71) r2 = *(u8 *)(r10 -1)          ; R2_w=0 R10=fp0 fp-8_w=00000000")
+/* similarly, when R2 is assigned from spilled register, it is initially
+ * imprecise, but will be marked precise later once it is used in precise context
+ */
+__msg("10: (71) r2 = *(u8 *)(r10 -9)         ; R2_w=0 R10=fp0 fp-16_w=0")
  __msg("11: (0f) r1 += r2")
  __msg("mark_precise: frame0: last_idx 11 first_idx 0 subseq_idx -1")
  __msg("mark_precise: frame0: regs=r2 stack= before 10: (71) r2 = *(u8 *)(r10 -9)")
author	Andrii Nakryiko <andrii@kernel.org>
	Mon, 18 Dec 2023 17:36:01 +0000 (09:36 -0800)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Mon, 18 Dec 2023 22:54:21 +0000 (23:54 +0100)
kernel/bpf/verifier.c		patch \| blob \| history
tools/testing/selftests/bpf/progs/verifier_spill_fill.c		patch \| blob \| history