Message-ID: <CAADnVQ+BOBh-XnsCPWHUCkwhAe41TxPRm9Nqi2r39WnJh3iF6g@mail.gmail.com>
Date: Tue, 9 Jan 2024 17:06:57 -0800
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: Barret Rhoden <brho@...gle.com>
Cc: Yonghong Song <yonghong.song@...ux.dev>, Eddy Z <eddyz87@...il.com>,
Jiri Olsa <olsajiri@...il.com>, Andrii Nakryiko <andrii@...nel.org>,
Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Song Liu <song@...nel.org>,
Matt Bobrowski <mattbobrowski@...gle.com>, bpf <bpf@...r.kernel.org>,
LKML <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH v2 bpf-next 2/2] selftests/bpf: add inline assembly helpers to access array elements
On Tue, Jan 9, 2024 at 5:02 PM Barret Rhoden <brho@...gle.com> wrote:
>
> On 1/4/24 16:30, Barret Rhoden wrote:
> [snip]
> >>
> >> The LLVM bpf backend has made some improvement to handle the case like
> >> r1 = ...
> >> r2 = r1 + 1
> >> if (r2 < num) ...
> >> using r1
> >> by preventing generating the above code pattern.
> >>
> >> The implementation is a pattern matching style so surely it won't be
> >> able to cover all cases.
> >>
> >> Do you have specific examples which have verification failures due to
> >> false array out-of-bounds access?
> >
> [ snip ]
>
> >
> > I'll play around and see if I can come up with a selftest that can run
> > into any of these "you did the check, but threw the check away" scenarios.
>
> I got an example for this, and will include it in my next patch version,
> which I'll CC you on.
>
> If we can get the compiler to spill the register r1 to the stack (L11 in
> the asm below), it might spill it before doing the bounds check. Then
> it checks the register (L12), but the verifier doesn't know that applies
> to the stack variable too. Later, we refill r1 from the stack (L21).
This is a known issue.
It's addressed as part of Maxim's series:
https://patchwork.kernel.org/user/todo/netdevbpf/?series=815208
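The spill-before-check ordering the thread describes, as an added illustration in the BPF assembly dialect the selftests use (this is not Barret's selftest and not code from Maxim's series). It assumes r6 already holds a verified, non-NULL pointer to a map value of eight u64 entries and r1 holds an untrusted index; both are assumptions.

```asm
# Assumed preconditions (not from the thread): r6 = map value pointer to
# u64[8], already NULL-checked; r1 = untrusted index (unbounded scalar).

# --- Ordering the verifier rejects: bound the register, refill from stack ---
reject:
	*(u64 *)(r10 - 8) = r1      # compiler spills r1 while it is still unbounded
	if r1 > 7 goto reject_out   # bounds check refines the register r1 only ...
	r1 = *(u64 *)(r10 - 8)      # ... the refill restores the unbounded copy
	r1 <<= 3                    # index * sizeof(u64)
	r6 += r1                    # pointer arithmetic with an unbounded scalar
	r0 = *(u64 *)(r6 + 0)       # verifier cannot prove this stays inside the value
reject_out:
	r0 = 0
	exit

# --- Same computation, check applied to the register that is actually used ---
accept:
	*(u64 *)(r10 - 8) = r1
	r1 = *(u64 *)(r10 - 8)      # refill first
	if r1 > 7 goto accept_out   # now r1 is in [0, 7] on the fall-through path
	r1 <<= 3                    # [0, 56]
	r6 += r1                    # max offset 56 + 8 bytes = 64 = sizeof(u64[8])
	r0 = *(u64 *)(r6 + 0)       # provably in bounds
accept_out:
	r0 = 0
	exit
```

The two variants are semantically identical; only the position of the bounds check relative to the fill differs, which is exactly the knowledge the verifier lacks before spilled scalars are tracked across the check.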