1 /* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
2 * Copyright (c) 2016 Facebook
4 * This program is free software; you can redistribute it and/or
5 * modify it under the terms of version 2 of the GNU General Public
6 * License as published by the Free Software Foundation.
8 * This program is distributed in the hope that it will be useful, but
9 * WITHOUT ANY WARRANTY; without even the implied warranty of
10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
11 * General Public License for more details.
13 #include <linux/kernel.h>
14 #include <linux/types.h>
15 #include <linux/slab.h>
16 #include <linux/bpf.h>
17 #include <linux/bpf_verifier.h>
18 #include <linux/filter.h>
19 #include <net/netlink.h>
20 #include <linux/file.h>
21 #include <linux/vmalloc.h>
23 /* bpf_check() is a static code analyzer that walks eBPF program
24 * instruction by instruction and updates register/stack state.
25 * All paths of conditional branches are analyzed until 'bpf_exit' insn.
27 * The first pass is depth-first-search to check that the program is a DAG.
28 * It rejects the following programs:
29 * - larger than BPF_MAXINSNS insns
30 * - if loop is present (detected via back-edge)
31 * - unreachable insns exist (shouldn't be a forest. program = one function)
32 * - out of bounds or malformed jumps
33 * The second pass is all possible path descent from the 1st insn.
34 * Since it's analyzing all pathes through the program, the length of the
35 * analysis is limited to 32k insn, which may be hit even if total number of
36 * insn is less then 4K, but there are too many branches that change stack/regs.
37 * Number of 'branches to be analyzed' is limited to 1k
39 * On entry to each instruction, each register has a type, and the instruction
40 * changes the types of the registers depending on instruction semantics.
41 * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is
44 * All registers are 64-bit.
45 * R0 - return register
46 * R1-R5 argument passing registers
47 * R6-R9 callee saved registers
48 * R10 - frame pointer read-only
50 * At the start of BPF program the register R1 contains a pointer to bpf_context
51 * and has type PTR_TO_CTX.
53 * Verifier tracks arithmetic operations on pointers in case:
54 * BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
55 * BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20),
56 * 1st insn copies R10 (which has FRAME_PTR) type into R1
57 * and 2nd arithmetic instruction is pattern matched to recognize
58 * that it wants to construct a pointer to some element within stack.
59 * So after 2nd insn, the register R1 has type PTR_TO_STACK
60 * (and -20 constant is saved for further stack bounds checking).
61 * Meaning that this reg is a pointer to stack plus known immediate constant.
63 * Most of the time the registers have UNKNOWN_VALUE type, which
64 * means the register has some value, but it's not a valid pointer.
65 * (like pointer plus pointer becomes UNKNOWN_VALUE type)
67 * When verifier sees load or store instructions the type of base register
68 * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, FRAME_PTR. These are three pointer
69 * types recognized by check_mem_access() function.
71 * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value'
72 * and the range of [ptr, ptr + map's value_size) is accessible.
74 * registers used to pass values to function calls are checked against
75 * function argument constraints.
77 * ARG_PTR_TO_MAP_KEY is one of such argument constraints.
78 * It means that the register type passed to this function must be
79 * PTR_TO_STACK and it will be used inside the function as
80 * 'pointer to map element key'
82 * For example the argument constraints for bpf_map_lookup_elem():
83 * .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
84 * .arg1_type = ARG_CONST_MAP_PTR,
85 * .arg2_type = ARG_PTR_TO_MAP_KEY,
87 * ret_type says that this function returns 'pointer to map elem value or null'
88 * function expects 1st argument to be a const pointer to 'struct bpf_map' and
89 * 2nd argument should be a pointer to stack, which will be used inside
90 * the helper function as a pointer to map element key.
92 * On the kernel side the helper function looks like:
93 * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
95 * struct bpf_map *map = (struct bpf_map *) (unsigned long) r1;
96 * void *key = (void *) (unsigned long) r2;
99 * here kernel can access 'key' and 'map' pointers safely, knowing that
100 * [key, key + map->key_size) bytes are valid and were initialized on
101 * the stack of eBPF program.
104 * Corresponding eBPF program may look like:
105 * BPF_MOV64_REG(BPF_REG_2, BPF_REG_10), // after this insn R2 type is FRAME_PTR
106 * BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK
107 * BPF_LD_MAP_FD(BPF_REG_1, map_fd), // after this insn R1 type is CONST_PTR_TO_MAP
108 * BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
109 * here verifier looks at prototype of map_lookup_elem() and sees:
110 * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok,
111 * Now verifier knows that this map has key of R1->map_ptr->key_size bytes
113 * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far,
114 * Now verifier checks that [R2, R2 + map's key_size) are within stack limits
115 * and were initialized prior to this call.
116 * If it's ok, then verifier allows this BPF_CALL insn and looks at
117 * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets
118 * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function
119 * returns ether pointer to map value or NULL.
121 * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off'
122 * insn, the register holding that pointer in the true branch changes state to
123 * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false
124 * branch. See check_cond_jmp_op().
126 * After the call R0 is set to return type of the function and registers R1-R5
127 * are set to NOT_INIT to indicate that they are no longer readable.
130 /* verifier_state + insn_idx are pushed to stack when branch is encountered */
131 struct bpf_verifier_stack_elem {
132 /* verifer state is 'st'
133 * before processing instruction 'insn_idx'
134 * and after processing instruction 'prev_insn_idx'
136 struct bpf_verifier_state st;
139 struct bpf_verifier_stack_elem *next;
142 #define BPF_COMPLEXITY_LIMIT_INSNS 98304
143 #define BPF_COMPLEXITY_LIMIT_STACK 1024
145 struct bpf_call_arg_meta {
146 struct bpf_map *map_ptr;
153 /* verbose verifier prints what it's seeing
154 * bpf_check() is called under lock, so no race to access these global vars
156 static u32 log_level, log_size, log_len;
157 static char *log_buf;
159 static DEFINE_MUTEX(bpf_verifier_lock);
161 /* log_level controls verbosity level of eBPF verifier.
162 * verbose() is used to dump the verification trace to the log, so the user
163 * can figure out what's wrong with the program
165 static __printf(1, 2) void verbose(const char *fmt, ...)
169 if (log_level == 0 || log_len >= log_size - 1)
173 log_len += vscnprintf(log_buf + log_len, log_size - log_len, fmt, args);
177 /* string representation of 'enum bpf_reg_type' */
178 static const char * const reg_type_str[] = {
180 [UNKNOWN_VALUE] = "inv",
181 [PTR_TO_CTX] = "ctx",
182 [CONST_PTR_TO_MAP] = "map_ptr",
183 [PTR_TO_MAP_VALUE] = "map_value",
184 [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null",
185 [PTR_TO_MAP_VALUE_ADJ] = "map_value_adj",
187 [PTR_TO_STACK] = "fp",
189 [PTR_TO_PACKET] = "pkt",
190 [PTR_TO_PACKET_END] = "pkt_end",
193 static void print_verifier_state(struct bpf_verifier_state *state)
195 struct bpf_reg_state *reg;
199 for (i = 0; i < MAX_BPF_REG; i++) {
200 reg = &state->regs[i];
204 verbose(" R%d=%s", i, reg_type_str[t]);
205 if (t == CONST_IMM || t == PTR_TO_STACK)
206 verbose("%lld", reg->imm);
207 else if (t == PTR_TO_PACKET)
208 verbose("(id=%d,off=%d,r=%d)",
209 reg->id, reg->off, reg->range);
210 else if (t == UNKNOWN_VALUE && reg->imm)
211 verbose("%lld", reg->imm);
212 else if (t == CONST_PTR_TO_MAP || t == PTR_TO_MAP_VALUE ||
213 t == PTR_TO_MAP_VALUE_OR_NULL ||
214 t == PTR_TO_MAP_VALUE_ADJ)
215 verbose("(ks=%d,vs=%d,id=%u)",
216 reg->map_ptr->key_size,
217 reg->map_ptr->value_size,
219 if (reg->min_value != BPF_REGISTER_MIN_RANGE)
220 verbose(",min_value=%lld",
221 (long long)reg->min_value);
222 if (reg->max_value != BPF_REGISTER_MAX_RANGE)
223 verbose(",max_value=%llu",
224 (unsigned long long)reg->max_value);
226 for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
227 if (state->stack_slot_type[i] == STACK_SPILL)
228 verbose(" fp%d=%s", -MAX_BPF_STACK + i,
229 reg_type_str[state->spilled_regs[i / BPF_REG_SIZE].type]);
234 static const char *const bpf_class_string[] = {
242 [BPF_ALU64] = "alu64",
245 static const char *const bpf_alu_string[16] = {
246 [BPF_ADD >> 4] = "+=",
247 [BPF_SUB >> 4] = "-=",
248 [BPF_MUL >> 4] = "*=",
249 [BPF_DIV >> 4] = "/=",
250 [BPF_OR >> 4] = "|=",
251 [BPF_AND >> 4] = "&=",
252 [BPF_LSH >> 4] = "<<=",
253 [BPF_RSH >> 4] = ">>=",
254 [BPF_NEG >> 4] = "neg",
255 [BPF_MOD >> 4] = "%=",
256 [BPF_XOR >> 4] = "^=",
257 [BPF_MOV >> 4] = "=",
258 [BPF_ARSH >> 4] = "s>>=",
259 [BPF_END >> 4] = "endian",
262 static const char *const bpf_ldst_string[] = {
263 [BPF_W >> 3] = "u32",
264 [BPF_H >> 3] = "u16",
266 [BPF_DW >> 3] = "u64",
269 static const char *const bpf_jmp_string[16] = {
270 [BPF_JA >> 4] = "jmp",
271 [BPF_JEQ >> 4] = "==",
272 [BPF_JGT >> 4] = ">",
273 [BPF_JGE >> 4] = ">=",
274 [BPF_JSET >> 4] = "&",
275 [BPF_JNE >> 4] = "!=",
276 [BPF_JSGT >> 4] = "s>",
277 [BPF_JSGE >> 4] = "s>=",
278 [BPF_CALL >> 4] = "call",
279 [BPF_EXIT >> 4] = "exit",
282 static void print_bpf_insn(const struct bpf_verifier_env *env,
283 const struct bpf_insn *insn)
285 u8 class = BPF_CLASS(insn->code);
287 if (class == BPF_ALU || class == BPF_ALU64) {
288 if (BPF_SRC(insn->code) == BPF_X)
289 verbose("(%02x) %sr%d %s %sr%d\n",
290 insn->code, class == BPF_ALU ? "(u32) " : "",
292 bpf_alu_string[BPF_OP(insn->code) >> 4],
293 class == BPF_ALU ? "(u32) " : "",
296 verbose("(%02x) %sr%d %s %s%d\n",
297 insn->code, class == BPF_ALU ? "(u32) " : "",
299 bpf_alu_string[BPF_OP(insn->code) >> 4],
300 class == BPF_ALU ? "(u32) " : "",
302 } else if (class == BPF_STX) {
303 if (BPF_MODE(insn->code) == BPF_MEM)
304 verbose("(%02x) *(%s *)(r%d %+d) = r%d\n",
306 bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
308 insn->off, insn->src_reg);
309 else if (BPF_MODE(insn->code) == BPF_XADD)
310 verbose("(%02x) lock *(%s *)(r%d %+d) += r%d\n",
312 bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
313 insn->dst_reg, insn->off,
316 verbose("BUG_%02x\n", insn->code);
317 } else if (class == BPF_ST) {
318 if (BPF_MODE(insn->code) != BPF_MEM) {
319 verbose("BUG_st_%02x\n", insn->code);
322 verbose("(%02x) *(%s *)(r%d %+d) = %d\n",
324 bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
326 insn->off, insn->imm);
327 } else if (class == BPF_LDX) {
328 if (BPF_MODE(insn->code) != BPF_MEM) {
329 verbose("BUG_ldx_%02x\n", insn->code);
332 verbose("(%02x) r%d = *(%s *)(r%d %+d)\n",
333 insn->code, insn->dst_reg,
334 bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
335 insn->src_reg, insn->off);
336 } else if (class == BPF_LD) {
337 if (BPF_MODE(insn->code) == BPF_ABS) {
338 verbose("(%02x) r0 = *(%s *)skb[%d]\n",
340 bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
342 } else if (BPF_MODE(insn->code) == BPF_IND) {
343 verbose("(%02x) r0 = *(%s *)skb[r%d + %d]\n",
345 bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
346 insn->src_reg, insn->imm);
347 } else if (BPF_MODE(insn->code) == BPF_IMM &&
348 BPF_SIZE(insn->code) == BPF_DW) {
349 /* At this point, we already made sure that the second
350 * part of the ldimm64 insn is accessible.
352 u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
353 bool map_ptr = insn->src_reg == BPF_PSEUDO_MAP_FD;
355 if (map_ptr && !env->allow_ptr_leaks)
358 verbose("(%02x) r%d = 0x%llx\n", insn->code,
359 insn->dst_reg, (unsigned long long)imm);
361 verbose("BUG_ld_%02x\n", insn->code);
364 } else if (class == BPF_JMP) {
365 u8 opcode = BPF_OP(insn->code);
367 if (opcode == BPF_CALL) {
368 verbose("(%02x) call %d\n", insn->code, insn->imm);
369 } else if (insn->code == (BPF_JMP | BPF_JA)) {
370 verbose("(%02x) goto pc%+d\n",
371 insn->code, insn->off);
372 } else if (insn->code == (BPF_JMP | BPF_EXIT)) {
373 verbose("(%02x) exit\n", insn->code);
374 } else if (BPF_SRC(insn->code) == BPF_X) {
375 verbose("(%02x) if r%d %s r%d goto pc%+d\n",
376 insn->code, insn->dst_reg,
377 bpf_jmp_string[BPF_OP(insn->code) >> 4],
378 insn->src_reg, insn->off);
380 verbose("(%02x) if r%d %s 0x%x goto pc%+d\n",
381 insn->code, insn->dst_reg,
382 bpf_jmp_string[BPF_OP(insn->code) >> 4],
383 insn->imm, insn->off);
386 verbose("(%02x) %s\n", insn->code, bpf_class_string[class]);
390 static int pop_stack(struct bpf_verifier_env *env, int *prev_insn_idx)
392 struct bpf_verifier_stack_elem *elem;
395 if (env->head == NULL)
398 memcpy(&env->cur_state, &env->head->st, sizeof(env->cur_state));
399 insn_idx = env->head->insn_idx;
401 *prev_insn_idx = env->head->prev_insn_idx;
402 elem = env->head->next;
409 static struct bpf_verifier_state *push_stack(struct bpf_verifier_env *env,
410 int insn_idx, int prev_insn_idx)
412 struct bpf_verifier_stack_elem *elem;
414 elem = kmalloc(sizeof(struct bpf_verifier_stack_elem), GFP_KERNEL);
418 memcpy(&elem->st, &env->cur_state, sizeof(env->cur_state));
419 elem->insn_idx = insn_idx;
420 elem->prev_insn_idx = prev_insn_idx;
421 elem->next = env->head;
424 if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) {
425 verbose("BPF program is too complex\n");
430 /* pop all elements and return */
431 while (pop_stack(env, NULL) >= 0);
435 #define CALLER_SAVED_REGS 6
436 static const int caller_saved[CALLER_SAVED_REGS] = {
437 BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5
440 static void init_reg_state(struct bpf_reg_state *regs)
444 for (i = 0; i < MAX_BPF_REG; i++) {
445 regs[i].type = NOT_INIT;
447 regs[i].min_value = BPF_REGISTER_MIN_RANGE;
448 regs[i].max_value = BPF_REGISTER_MAX_RANGE;
452 regs[BPF_REG_FP].type = FRAME_PTR;
454 /* 1st arg to a function */
455 regs[BPF_REG_1].type = PTR_TO_CTX;
458 static void __mark_reg_unknown_value(struct bpf_reg_state *regs, u32 regno)
460 regs[regno].type = UNKNOWN_VALUE;
465 static void mark_reg_unknown_value(struct bpf_reg_state *regs, u32 regno)
467 BUG_ON(regno >= MAX_BPF_REG);
468 __mark_reg_unknown_value(regs, regno);
471 static void reset_reg_range_values(struct bpf_reg_state *regs, u32 regno)
473 regs[regno].min_value = BPF_REGISTER_MIN_RANGE;
474 regs[regno].max_value = BPF_REGISTER_MAX_RANGE;
478 SRC_OP, /* register is used as source operand */
479 DST_OP, /* register is used as destination operand */
480 DST_OP_NO_MARK /* same as above, check only, don't mark */
483 static int check_reg_arg(struct bpf_reg_state *regs, u32 regno,
486 if (regno >= MAX_BPF_REG) {
487 verbose("R%d is invalid\n", regno);
492 /* check whether register used as source operand can be read */
493 if (regs[regno].type == NOT_INIT) {
494 verbose("R%d !read_ok\n", regno);
498 /* check whether register used as dest operand can be written to */
499 if (regno == BPF_REG_FP) {
500 verbose("frame pointer is read only\n");
504 mark_reg_unknown_value(regs, regno);
509 static int bpf_size_to_bytes(int bpf_size)
511 if (bpf_size == BPF_W)
513 else if (bpf_size == BPF_H)
515 else if (bpf_size == BPF_B)
517 else if (bpf_size == BPF_DW)
523 static bool is_spillable_regtype(enum bpf_reg_type type)
526 case PTR_TO_MAP_VALUE:
527 case PTR_TO_MAP_VALUE_OR_NULL:
531 case PTR_TO_PACKET_END:
533 case CONST_PTR_TO_MAP:
540 /* check_stack_read/write functions track spill/fill of registers,
541 * stack boundary and alignment are checked in check_mem_access()
543 static int check_stack_write(struct bpf_verifier_env *env,
544 struct bpf_verifier_state *state, int off,
545 int size, int value_regno, int insn_idx)
547 int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE;
548 /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
549 * so it's aligned access and [off, off + size) are within stack limits
552 if (value_regno >= 0 &&
553 is_spillable_regtype(state->regs[value_regno].type)) {
555 /* register containing pointer is being spilled into stack */
556 if (size != BPF_REG_SIZE) {
557 verbose("invalid size of register spill\n");
561 /* save register state */
562 state->spilled_regs[spi] = state->regs[value_regno];
564 for (i = 0; i < BPF_REG_SIZE; i++) {
565 if (state->stack_slot_type[MAX_BPF_STACK + off + i] == STACK_MISC &&
566 !env->allow_ptr_leaks) {
567 int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
568 int soff = (-spi - 1) * BPF_REG_SIZE;
570 /* detected reuse of integer stack slot with a pointer
571 * which means either llvm is reusing stack slot or
572 * an attacker is trying to exploit CVE-2018-3639
573 * (speculative store bypass)
574 * Have to sanitize that slot with preemptive
577 if (*poff && *poff != soff) {
578 /* disallow programs where single insn stores
579 * into two different stack slots, since verifier
580 * cannot sanitize them
582 verbose("insn %d cannot access two stack slots fp%d and fp%d",
583 insn_idx, *poff, soff);
588 state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL;
591 /* regular write of data into stack */
592 state->spilled_regs[spi] = (struct bpf_reg_state) {};
594 for (i = 0; i < size; i++)
595 state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_MISC;
600 static int check_stack_read(struct bpf_verifier_state *state, int off, int size,
606 slot_type = &state->stack_slot_type[MAX_BPF_STACK + off];
608 if (slot_type[0] == STACK_SPILL) {
609 if (size != BPF_REG_SIZE) {
610 verbose("invalid size of register spill\n");
613 for (i = 1; i < BPF_REG_SIZE; i++) {
614 if (slot_type[i] != STACK_SPILL) {
615 verbose("corrupted spill memory\n");
620 if (value_regno >= 0)
621 /* restore register state from stack */
622 state->regs[value_regno] =
623 state->spilled_regs[(MAX_BPF_STACK + off) / BPF_REG_SIZE];
626 for (i = 0; i < size; i++) {
627 if (slot_type[i] != STACK_MISC) {
628 verbose("invalid read from stack off %d+%d size %d\n",
633 if (value_regno >= 0)
634 /* have read misc data from the stack */
635 mark_reg_unknown_value(state->regs, value_regno);
640 /* check read/write into map element returned by bpf_map_lookup_elem() */
641 static int check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
644 struct bpf_map *map = env->cur_state.regs[regno].map_ptr;
646 if (off < 0 || off + size > map->value_size) {
647 verbose("invalid access to map value, value_size=%d off=%d size=%d\n",
648 map->value_size, off, size);
654 #define MAX_PACKET_OFF 0xffff
656 static bool may_access_direct_pkt_data(struct bpf_verifier_env *env,
657 const struct bpf_call_arg_meta *meta)
659 switch (env->prog->type) {
660 case BPF_PROG_TYPE_SCHED_CLS:
661 case BPF_PROG_TYPE_SCHED_ACT:
662 case BPF_PROG_TYPE_XDP:
664 return meta->pkt_access;
666 env->seen_direct_write = true;
673 static int check_packet_access(struct bpf_verifier_env *env, u32 regno, int off,
676 struct bpf_reg_state *regs = env->cur_state.regs;
677 struct bpf_reg_state *reg = ®s[regno];
680 if (off < 0 || size <= 0 || off + size > reg->range) {
681 verbose("invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n",
682 off, size, regno, reg->id, reg->off, reg->range);
688 /* check access to 'struct bpf_context' fields */
689 static int check_ctx_access(struct bpf_verifier_env *env, int off, int size,
690 enum bpf_access_type t, enum bpf_reg_type *reg_type)
692 /* for analyzer ctx accesses are already validated and converted */
693 if (env->analyzer_ops)
696 if (env->prog->aux->ops->is_valid_access &&
697 env->prog->aux->ops->is_valid_access(off, size, t, reg_type)) {
698 /* remember the offset of last byte accessed in ctx */
699 if (env->prog->aux->max_ctx_offset < off + size)
700 env->prog->aux->max_ctx_offset = off + size;
704 verbose("invalid bpf_context access off=%d size=%d\n", off, size);
708 static bool __is_pointer_value(bool allow_ptr_leaks,
709 const struct bpf_reg_state *reg)
723 static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
725 return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]);
728 static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
730 const struct bpf_reg_state *reg = &env->cur_state.regs[regno];
732 return reg->type == PTR_TO_CTX;
735 static int check_ptr_alignment(struct bpf_verifier_env *env,
736 struct bpf_reg_state *reg, int off, int size)
738 if (reg->type != PTR_TO_PACKET && reg->type != PTR_TO_MAP_VALUE_ADJ) {
739 if (off % size != 0) {
740 verbose("misaligned access off %d size %d\n",
748 if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
749 /* misaligned access to packet is ok on x86,arm,arm64 */
752 if (reg->id && size != 1) {
753 verbose("Unknown packet alignment. Only byte-sized access allowed\n");
757 /* skb->data is NET_IP_ALIGN-ed */
758 if (reg->type == PTR_TO_PACKET &&
759 (NET_IP_ALIGN + reg->off + off) % size != 0) {
760 verbose("misaligned packet access off %d+%d+%d size %d\n",
761 NET_IP_ALIGN, reg->off, off, size);
767 /* check whether memory at (regno + off) is accessible for t = (read | write)
768 * if t==write, value_regno is a register which value is stored into memory
769 * if t==read, value_regno is a register which will receive the value from memory
770 * if t==write && value_regno==-1, some unknown value is stored into memory
771 * if t==read && value_regno==-1, don't care what we read from memory
773 static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, int off,
774 int bpf_size, enum bpf_access_type t,
777 struct bpf_verifier_state *state = &env->cur_state;
778 struct bpf_reg_state *reg = &state->regs[regno];
781 if (reg->type == PTR_TO_STACK)
784 size = bpf_size_to_bytes(bpf_size);
788 err = check_ptr_alignment(env, reg, off, size);
792 if (reg->type == PTR_TO_MAP_VALUE ||
793 reg->type == PTR_TO_MAP_VALUE_ADJ) {
794 if (t == BPF_WRITE && value_regno >= 0 &&
795 is_pointer_value(env, value_regno)) {
796 verbose("R%d leaks addr into map\n", value_regno);
800 /* If we adjusted the register to this map value at all then we
801 * need to change off and size to min_value and max_value
802 * respectively to make sure our theoretical access will be
805 if (reg->type == PTR_TO_MAP_VALUE_ADJ) {
807 print_verifier_state(state);
808 env->varlen_map_value_access = true;
809 /* The minimum value is only important with signed
810 * comparisons where we can't assume the floor of a
811 * value is 0. If we are using signed variables for our
812 * index'es we need to make sure that whatever we use
813 * will have a set floor within our range.
815 if (reg->min_value < 0) {
816 verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
820 err = check_map_access(env, regno, reg->min_value + off,
823 verbose("R%d min value is outside of the array range\n",
828 /* If we haven't set a max value then we need to bail
829 * since we can't be sure we won't do bad things.
831 if (reg->max_value == BPF_REGISTER_MAX_RANGE) {
832 verbose("R%d unbounded memory access, make sure to bounds check any array access into a map\n",
836 off += reg->max_value;
838 err = check_map_access(env, regno, off, size);
839 if (!err && t == BPF_READ && value_regno >= 0)
840 mark_reg_unknown_value(state->regs, value_regno);
842 } else if (reg->type == PTR_TO_CTX) {
843 enum bpf_reg_type reg_type = UNKNOWN_VALUE;
845 if (t == BPF_WRITE && value_regno >= 0 &&
846 is_pointer_value(env, value_regno)) {
847 verbose("R%d leaks addr into ctx\n", value_regno);
850 err = check_ctx_access(env, off, size, t, ®_type);
851 if (!err && t == BPF_READ && value_regno >= 0) {
852 mark_reg_unknown_value(state->regs, value_regno);
853 /* note that reg.[id|off|range] == 0 */
854 state->regs[value_regno].type = reg_type;
857 } else if (reg->type == FRAME_PTR || reg->type == PTR_TO_STACK) {
858 if (off >= 0 || off < -MAX_BPF_STACK) {
859 verbose("invalid stack off=%d size=%d\n", off, size);
862 if (t == BPF_WRITE) {
863 if (!env->allow_ptr_leaks &&
864 state->stack_slot_type[MAX_BPF_STACK + off] == STACK_SPILL &&
865 size != BPF_REG_SIZE) {
866 verbose("attempt to corrupt spilled pointer on stack\n");
869 err = check_stack_write(env, state, off, size,
870 value_regno, insn_idx);
872 err = check_stack_read(state, off, size, value_regno);
874 } else if (state->regs[regno].type == PTR_TO_PACKET) {
875 if (t == BPF_WRITE && !may_access_direct_pkt_data(env, NULL)) {
876 verbose("cannot write into packet\n");
879 if (t == BPF_WRITE && value_regno >= 0 &&
880 is_pointer_value(env, value_regno)) {
881 verbose("R%d leaks addr into packet\n", value_regno);
884 err = check_packet_access(env, regno, off, size);
885 if (!err && t == BPF_READ && value_regno >= 0)
886 mark_reg_unknown_value(state->regs, value_regno);
888 verbose("R%d invalid mem access '%s'\n",
889 regno, reg_type_str[reg->type]);
893 if (!err && size <= 2 && value_regno >= 0 && env->allow_ptr_leaks &&
894 state->regs[value_regno].type == UNKNOWN_VALUE) {
895 /* 1 or 2 byte load zero-extends, determine the number of
896 * zero upper bits. Not doing it fo 4 byte load, since
897 * such values cannot be added to ptr_to_packet anyway.
899 state->regs[value_regno].imm = 64 - size * 8;
904 static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_insn *insn)
906 struct bpf_reg_state *regs = env->cur_state.regs;
909 if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) ||
911 verbose("BPF_XADD uses reserved fields\n");
915 /* check src1 operand */
916 err = check_reg_arg(regs, insn->src_reg, SRC_OP);
920 /* check src2 operand */
921 err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
925 if (is_pointer_value(env, insn->src_reg)) {
926 verbose("R%d leaks addr into mem\n", insn->src_reg);
930 if (is_ctx_reg(env, insn->dst_reg)) {
931 verbose("BPF_XADD stores into R%d context is not allowed\n",
936 /* check whether atomic_add can read the memory */
937 err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
938 BPF_SIZE(insn->code), BPF_READ, -1);
942 /* check whether atomic_add can write into the same memory */
943 return check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
944 BPF_SIZE(insn->code), BPF_WRITE, -1);
947 /* when register 'regno' is passed into function that will read 'access_size'
948 * bytes from that pointer, make sure that it's within stack boundary
949 * and all elements of stack are initialized
951 static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
952 int access_size, bool zero_size_allowed,
953 struct bpf_call_arg_meta *meta)
955 struct bpf_verifier_state *state = &env->cur_state;
956 struct bpf_reg_state *regs = state->regs;
959 if (regs[regno].type != PTR_TO_STACK) {
960 if (zero_size_allowed && access_size == 0 &&
961 regs[regno].type == CONST_IMM &&
962 regs[regno].imm == 0)
965 verbose("R%d type=%s expected=%s\n", regno,
966 reg_type_str[regs[regno].type],
967 reg_type_str[PTR_TO_STACK]);
971 off = regs[regno].imm;
972 if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
974 verbose("invalid stack type R%d off=%d access_size=%d\n",
975 regno, off, access_size);
979 if (meta && meta->raw_mode) {
980 meta->access_size = access_size;
985 for (i = 0; i < access_size; i++) {
986 if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) {
987 verbose("invalid indirect read from stack off %d+%d size %d\n",
988 off, i, access_size);
995 static int check_func_arg(struct bpf_verifier_env *env, u32 regno,
996 enum bpf_arg_type arg_type,
997 struct bpf_call_arg_meta *meta)
999 struct bpf_reg_state *regs = env->cur_state.regs, *reg = ®s[regno];
1000 enum bpf_reg_type expected_type, type = reg->type;
1003 if (arg_type == ARG_DONTCARE)
1006 if (type == NOT_INIT) {
1007 verbose("R%d !read_ok\n", regno);
1011 if (arg_type == ARG_ANYTHING) {
1012 if (is_pointer_value(env, regno)) {
1013 verbose("R%d leaks addr into helper function\n", regno);
1019 if (type == PTR_TO_PACKET && !may_access_direct_pkt_data(env, meta)) {
1020 verbose("helper access to the packet is not allowed\n");
1024 if (arg_type == ARG_PTR_TO_MAP_KEY ||
1025 arg_type == ARG_PTR_TO_MAP_VALUE) {
1026 expected_type = PTR_TO_STACK;
1027 if (type != PTR_TO_PACKET && type != expected_type)
1029 } else if (arg_type == ARG_CONST_STACK_SIZE ||
1030 arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) {
1031 expected_type = CONST_IMM;
1032 if (type != expected_type)
1034 } else if (arg_type == ARG_CONST_MAP_PTR) {
1035 expected_type = CONST_PTR_TO_MAP;
1036 if (type != expected_type)
1038 } else if (arg_type == ARG_PTR_TO_CTX) {
1039 expected_type = PTR_TO_CTX;
1040 if (type != expected_type)
1042 } else if (arg_type == ARG_PTR_TO_STACK ||
1043 arg_type == ARG_PTR_TO_RAW_STACK) {
1044 expected_type = PTR_TO_STACK;
1045 /* One exception here. In case function allows for NULL to be
1046 * passed in as argument, it's a CONST_IMM type. Final test
1047 * happens during stack boundary checking.
1049 if (type == CONST_IMM && reg->imm == 0)
1050 /* final test in check_stack_boundary() */;
1051 else if (type != PTR_TO_PACKET && type != expected_type)
1053 meta->raw_mode = arg_type == ARG_PTR_TO_RAW_STACK;
1055 verbose("unsupported arg_type %d\n", arg_type);
1059 if (arg_type == ARG_CONST_MAP_PTR) {
1060 /* bpf_map_xxx(map_ptr) call: remember that map_ptr */
1061 meta->map_ptr = reg->map_ptr;
1062 } else if (arg_type == ARG_PTR_TO_MAP_KEY) {
1063 /* bpf_map_xxx(..., map_ptr, ..., key) call:
1064 * check that [key, key + map->key_size) are within
1065 * stack limits and initialized
1067 if (!meta->map_ptr) {
1068 /* in function declaration map_ptr must come before
1069 * map_key, so that it's verified and known before
1070 * we have to check map_key here. Otherwise it means
1071 * that kernel subsystem misconfigured verifier
1073 verbose("invalid map_ptr to access map->key\n");
1076 if (type == PTR_TO_PACKET)
1077 err = check_packet_access(env, regno, 0,
1078 meta->map_ptr->key_size);
1080 err = check_stack_boundary(env, regno,
1081 meta->map_ptr->key_size,
1083 } else if (arg_type == ARG_PTR_TO_MAP_VALUE) {
1084 /* bpf_map_xxx(..., map_ptr, ..., value) call:
1085 * check [value, value + map->value_size) validity
1087 if (!meta->map_ptr) {
1088 /* kernel subsystem misconfigured verifier */
1089 verbose("invalid map_ptr to access map->value\n");
1092 if (type == PTR_TO_PACKET)
1093 err = check_packet_access(env, regno, 0,
1094 meta->map_ptr->value_size);
1096 err = check_stack_boundary(env, regno,
1097 meta->map_ptr->value_size,
1099 } else if (arg_type == ARG_CONST_STACK_SIZE ||
1100 arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) {
1101 bool zero_size_allowed = (arg_type == ARG_CONST_STACK_SIZE_OR_ZERO);
1103 /* bpf_xxx(..., buf, len) call will access 'len' bytes
1104 * from stack pointer 'buf'. Check it
1105 * note: regno == len, regno - 1 == buf
1108 /* kernel subsystem misconfigured verifier */
1109 verbose("ARG_CONST_STACK_SIZE cannot be first argument\n");
1112 if (regs[regno - 1].type == PTR_TO_PACKET)
1113 err = check_packet_access(env, regno - 1, 0, reg->imm);
1115 err = check_stack_boundary(env, regno - 1, reg->imm,
1116 zero_size_allowed, meta);
1121 verbose("R%d type=%s expected=%s\n", regno,
1122 reg_type_str[type], reg_type_str[expected_type]);
1126 static int check_map_func_compatibility(struct bpf_map *map, int func_id)
1131 /* We need a two way check, first is from map perspective ... */
1132 switch (map->map_type) {
1133 case BPF_MAP_TYPE_PROG_ARRAY:
1134 if (func_id != BPF_FUNC_tail_call)
1137 case BPF_MAP_TYPE_PERF_EVENT_ARRAY:
1138 if (func_id != BPF_FUNC_perf_event_read &&
1139 func_id != BPF_FUNC_perf_event_output)
1142 case BPF_MAP_TYPE_STACK_TRACE:
1143 if (func_id != BPF_FUNC_get_stackid)
1146 case BPF_MAP_TYPE_CGROUP_ARRAY:
1147 if (func_id != BPF_FUNC_skb_under_cgroup &&
1148 func_id != BPF_FUNC_current_task_under_cgroup)
1155 /* ... and second from the function itself. */
1157 case BPF_FUNC_tail_call:
1158 if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
1161 case BPF_FUNC_perf_event_read:
1162 case BPF_FUNC_perf_event_output:
1163 if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)
1166 case BPF_FUNC_get_stackid:
1167 if (map->map_type != BPF_MAP_TYPE_STACK_TRACE)
1170 case BPF_FUNC_current_task_under_cgroup:
1171 case BPF_FUNC_skb_under_cgroup:
1172 if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY)
1181 verbose("cannot pass map_type %d into func %d\n",
1182 map->map_type, func_id);
1186 static int check_raw_mode(const struct bpf_func_proto *fn)
1190 if (fn->arg1_type == ARG_PTR_TO_RAW_STACK)
1192 if (fn->arg2_type == ARG_PTR_TO_RAW_STACK)
1194 if (fn->arg3_type == ARG_PTR_TO_RAW_STACK)
1196 if (fn->arg4_type == ARG_PTR_TO_RAW_STACK)
1198 if (fn->arg5_type == ARG_PTR_TO_RAW_STACK)
1201 return count > 1 ? -EINVAL : 0;
1204 static void clear_all_pkt_pointers(struct bpf_verifier_env *env)
1206 struct bpf_verifier_state *state = &env->cur_state;
1207 struct bpf_reg_state *regs = state->regs, *reg;
1210 for (i = 0; i < MAX_BPF_REG; i++)
1211 if (regs[i].type == PTR_TO_PACKET ||
1212 regs[i].type == PTR_TO_PACKET_END)
1213 mark_reg_unknown_value(regs, i);
1215 for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
1216 if (state->stack_slot_type[i] != STACK_SPILL)
1218 reg = &state->spilled_regs[i / BPF_REG_SIZE];
1219 if (reg->type != PTR_TO_PACKET &&
1220 reg->type != PTR_TO_PACKET_END)
1222 reg->type = UNKNOWN_VALUE;
1227 static int check_call(struct bpf_verifier_env *env, int func_id, int insn_idx)
1229 struct bpf_verifier_state *state = &env->cur_state;
1230 const struct bpf_func_proto *fn = NULL;
1231 struct bpf_reg_state *regs = state->regs;
1232 struct bpf_reg_state *reg;
1233 struct bpf_call_arg_meta meta;
1237 /* find function prototype */
1238 if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) {
1239 verbose("invalid func %d\n", func_id);
1243 if (env->prog->aux->ops->get_func_proto)
1244 fn = env->prog->aux->ops->get_func_proto(func_id);
1247 verbose("unknown func %d\n", func_id);
1251 /* eBPF programs must be GPL compatible to use GPL-ed functions */
1252 if (!env->prog->gpl_compatible && fn->gpl_only) {
1253 verbose("cannot call GPL only function from proprietary program\n");
1257 changes_data = bpf_helper_changes_skb_data(fn->func);
1259 memset(&meta, 0, sizeof(meta));
1260 meta.pkt_access = fn->pkt_access;
1262 /* We only support one arg being in raw mode at the moment, which
1263 * is sufficient for the helper functions we have right now.
1265 err = check_raw_mode(fn);
1267 verbose("kernel subsystem misconfigured func %d\n", func_id);
1272 err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta);
1275 err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta);
1278 if (func_id == BPF_FUNC_tail_call) {
1279 if (meta.map_ptr == NULL) {
1280 verbose("verifier bug\n");
1283 env->insn_aux_data[insn_idx].map_ptr = meta.map_ptr;
1285 err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta);
1288 err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta);
1291 err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta);
1295 /* Mark slots with STACK_MISC in case of raw mode, stack offset
1296 * is inferred from register state.
1298 for (i = 0; i < meta.access_size; i++) {
1299 err = check_mem_access(env, insn_idx, meta.regno, i, BPF_B, BPF_WRITE, -1);
1304 /* reset caller saved regs */
1305 for (i = 0; i < CALLER_SAVED_REGS; i++) {
1306 reg = regs + caller_saved[i];
1307 reg->type = NOT_INIT;
1311 /* update return register */
1312 if (fn->ret_type == RET_INTEGER) {
1313 regs[BPF_REG_0].type = UNKNOWN_VALUE;
1314 } else if (fn->ret_type == RET_VOID) {
1315 regs[BPF_REG_0].type = NOT_INIT;
1316 } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) {
1317 regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
1318 regs[BPF_REG_0].max_value = regs[BPF_REG_0].min_value = 0;
1319 /* remember map_ptr, so that check_map_access()
1320 * can check 'value_size' boundary of memory access
1321 * to map element returned from bpf_map_lookup_elem()
1323 if (meta.map_ptr == NULL) {
1324 verbose("kernel subsystem misconfigured verifier\n");
1327 regs[BPF_REG_0].map_ptr = meta.map_ptr;
1328 regs[BPF_REG_0].id = ++env->id_gen;
1330 verbose("unknown return type %d of func %d\n",
1331 fn->ret_type, func_id);
1335 err = check_map_func_compatibility(meta.map_ptr, func_id);
1340 clear_all_pkt_pointers(env);
1344 static int check_packet_ptr_add(struct bpf_verifier_env *env,
1345 struct bpf_insn *insn)
1347 struct bpf_reg_state *regs = env->cur_state.regs;
1348 struct bpf_reg_state *dst_reg = ®s[insn->dst_reg];
1349 struct bpf_reg_state *src_reg = ®s[insn->src_reg];
1350 struct bpf_reg_state tmp_reg;
1353 if (BPF_SRC(insn->code) == BPF_K) {
1354 /* pkt_ptr += imm */
1359 verbose("addition of negative constant to packet pointer is not allowed\n");
1362 if (imm >= MAX_PACKET_OFF ||
1363 imm + dst_reg->off >= MAX_PACKET_OFF) {
1364 verbose("constant %d is too large to add to packet pointer\n",
1368 /* a constant was added to pkt_ptr.
1369 * Remember it while keeping the same 'id'
1371 dst_reg->off += imm;
1373 if (src_reg->type == PTR_TO_PACKET) {
1374 /* R6=pkt(id=0,off=0,r=62) R7=imm22; r7 += r6 */
1375 tmp_reg = *dst_reg; /* save r7 state */
1376 *dst_reg = *src_reg; /* copy pkt_ptr state r6 into r7 */
1377 src_reg = &tmp_reg; /* pretend it's src_reg state */
1378 /* if the checks below reject it, the copy won't matter,
1379 * since we're rejecting the whole program. If all ok,
1380 * then imm22 state will be added to r7
1381 * and r7 will be pkt(id=0,off=22,r=62) while
1382 * r6 will stay as pkt(id=0,off=0,r=62)
1386 if (src_reg->type == CONST_IMM) {
1387 /* pkt_ptr += reg where reg is known constant */
1391 /* disallow pkt_ptr += reg
1392 * if reg is not uknown_value with guaranteed zero upper bits
1393 * otherwise pkt_ptr may overflow and addition will become
1394 * subtraction which is not allowed
1396 if (src_reg->type != UNKNOWN_VALUE) {
1397 verbose("cannot add '%s' to ptr_to_packet\n",
1398 reg_type_str[src_reg->type]);
1401 if (src_reg->imm < 48) {
1402 verbose("cannot add integer value with %lld upper zero bits to ptr_to_packet\n",
1406 /* dst_reg stays as pkt_ptr type and since some positive
1407 * integer value was added to the pointer, increment its 'id'
1409 dst_reg->id = ++env->id_gen;
1411 /* something was added to pkt_ptr, set range and off to zero */
1418 static int evaluate_reg_alu(struct bpf_verifier_env *env, struct bpf_insn *insn)
1420 struct bpf_reg_state *regs = env->cur_state.regs;
1421 struct bpf_reg_state *dst_reg = ®s[insn->dst_reg];
1422 u8 opcode = BPF_OP(insn->code);
1425 /* for type == UNKNOWN_VALUE:
1426 * imm > 0 -> number of zero upper bits
1427 * imm == 0 -> don't track which is the same as all bits can be non-zero
1430 if (BPF_SRC(insn->code) == BPF_X) {
1431 struct bpf_reg_state *src_reg = ®s[insn->src_reg];
1433 if (src_reg->type == UNKNOWN_VALUE && src_reg->imm > 0 &&
1434 dst_reg->imm && opcode == BPF_ADD) {
1436 * where both have zero upper bits. Adding them
1437 * can only result making one more bit non-zero
1438 * in the larger value.
1439 * Ex. 0xffff (imm=48) + 1 (imm=63) = 0x10000 (imm=47)
1440 * 0xffff (imm=48) + 0xffff = 0x1fffe (imm=47)
1442 dst_reg->imm = min(dst_reg->imm, src_reg->imm);
1446 if (src_reg->type == CONST_IMM && src_reg->imm > 0 &&
1447 dst_reg->imm && opcode == BPF_ADD) {
1449 * where dreg has zero upper bits and sreg is const.
1450 * Adding them can only result making one more bit
1451 * non-zero in the larger value.
1453 imm_log2 = __ilog2_u64((long long)src_reg->imm);
1454 dst_reg->imm = min(dst_reg->imm, 63 - imm_log2);
1458 /* all other cases non supported yet, just mark dst_reg */
1463 /* sign extend 32-bit imm into 64-bit to make sure that
1464 * negative values occupy bit 63. Note ilog2() would have
1465 * been incorrect, since sizeof(insn->imm) == 4
1467 imm_log2 = __ilog2_u64((long long)insn->imm);
1469 if (dst_reg->imm && opcode == BPF_LSH) {
1471 * if reg was a result of 2 byte load, then its imm == 48
1472 * which means that upper 48 bits are zero and shifting this reg
1473 * left by 4 would mean that upper 44 bits are still zero
1475 dst_reg->imm -= insn->imm;
1476 } else if (dst_reg->imm && opcode == BPF_MUL) {
1478 * if multiplying by 14 subtract 4
1479 * This is conservative calculation of upper zero bits.
1480 * It's not trying to special case insn->imm == 1 or 0 cases
1482 dst_reg->imm -= imm_log2 + 1;
1483 } else if (opcode == BPF_AND) {
1485 dst_reg->imm = 63 - imm_log2;
1486 } else if (dst_reg->imm && opcode == BPF_ADD) {
1488 dst_reg->imm = min(dst_reg->imm, 63 - imm_log2);
1490 } else if (opcode == BPF_RSH) {
1492 * which means that after right shift, upper bits will be zero
1493 * note that verifier already checked that
1494 * 0 <= imm < 64 for shift insn
1496 dst_reg->imm += insn->imm;
1497 if (unlikely(dst_reg->imm > 64))
1498 /* some dumb code did:
1501 * and all bits are zero now */
1504 /* all other alu ops, means that we don't know what will
1505 * happen to the value, mark it with unknown number of zero bits
1510 if (dst_reg->imm < 0) {
1511 /* all 64 bits of the register can contain non-zero bits
1512 * and such value cannot be added to ptr_to_packet, since it
1513 * may overflow, mark it as unknown to avoid further eval
1520 static int evaluate_reg_imm_alu_unknown(struct bpf_verifier_env *env,
1521 struct bpf_insn *insn)
1523 struct bpf_reg_state *regs = env->cur_state.regs;
1524 struct bpf_reg_state *dst_reg = ®s[insn->dst_reg];
1525 struct bpf_reg_state *src_reg = ®s[insn->src_reg];
1526 u8 opcode = BPF_OP(insn->code);
1527 s64 imm_log2 = __ilog2_u64((long long)dst_reg->imm);
1529 /* BPF_X code with src_reg->type UNKNOWN_VALUE here. */
1530 if (src_reg->imm > 0 && dst_reg->imm) {
1534 * where both have zero upper bits. Adding them
1535 * can only result making one more bit non-zero
1536 * in the larger value.
1537 * Ex. 0xffff (imm=48) + 1 (imm=63) = 0x10000 (imm=47)
1538 * 0xffff (imm=48) + 0xffff = 0x1fffe (imm=47)
1540 dst_reg->imm = min(src_reg->imm, 63 - imm_log2);
1545 * AND can not extend zero bits only shrink
1546 * Ex. 0x00..00ffffff
1551 dst_reg->imm = max(src_reg->imm, 63 - imm_log2);
1555 * OR can only extend zero bits
1556 * Ex. 0x00..00ffffff
1561 dst_reg->imm = min(src_reg->imm, 63 - imm_log2);
1567 /* These may be flushed out later */
1569 mark_reg_unknown_value(regs, insn->dst_reg);
1572 mark_reg_unknown_value(regs, insn->dst_reg);
1575 dst_reg->type = UNKNOWN_VALUE;
1579 static int evaluate_reg_imm_alu(struct bpf_verifier_env *env,
1580 struct bpf_insn *insn)
1582 struct bpf_reg_state *regs = env->cur_state.regs;
1583 struct bpf_reg_state *dst_reg = ®s[insn->dst_reg];
1584 struct bpf_reg_state *src_reg = ®s[insn->src_reg];
1585 u8 opcode = BPF_OP(insn->code);
1587 if (BPF_SRC(insn->code) == BPF_X && src_reg->type == UNKNOWN_VALUE)
1588 return evaluate_reg_imm_alu_unknown(env, insn);
1590 /* dst_reg->type == CONST_IMM here, simulate execution of 'add' insn.
1591 * Don't care about overflow or negative values, just add them
1593 if (opcode == BPF_ADD && BPF_SRC(insn->code) == BPF_K)
1594 dst_reg->imm += insn->imm;
1595 else if (opcode == BPF_ADD && BPF_SRC(insn->code) == BPF_X &&
1596 src_reg->type == CONST_IMM)
1597 dst_reg->imm += src_reg->imm;
1599 mark_reg_unknown_value(regs, insn->dst_reg);
1603 static void check_reg_overflow(struct bpf_reg_state *reg)
1605 if (reg->max_value > BPF_REGISTER_MAX_RANGE)
1606 reg->max_value = BPF_REGISTER_MAX_RANGE;
1607 if (reg->min_value < BPF_REGISTER_MIN_RANGE ||
1608 reg->min_value > BPF_REGISTER_MAX_RANGE)
1609 reg->min_value = BPF_REGISTER_MIN_RANGE;
1612 static void adjust_reg_min_max_vals(struct bpf_verifier_env *env,
1613 struct bpf_insn *insn)
1615 struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg;
1616 s64 min_val = BPF_REGISTER_MIN_RANGE;
1617 u64 max_val = BPF_REGISTER_MAX_RANGE;
1618 bool min_set = false, max_set = false;
1619 u8 opcode = BPF_OP(insn->code);
1621 dst_reg = ®s[insn->dst_reg];
1622 if (BPF_SRC(insn->code) == BPF_X) {
1623 check_reg_overflow(®s[insn->src_reg]);
1624 min_val = regs[insn->src_reg].min_value;
1625 max_val = regs[insn->src_reg].max_value;
1627 /* If the source register is a random pointer then the
1628 * min_value/max_value values represent the range of the known
1629 * accesses into that value, not the actual min/max value of the
1630 * register itself. In this case we have to reset the reg range
1631 * values so we know it is not safe to look at.
1633 if (regs[insn->src_reg].type != CONST_IMM &&
1634 regs[insn->src_reg].type != UNKNOWN_VALUE) {
1635 min_val = BPF_REGISTER_MIN_RANGE;
1636 max_val = BPF_REGISTER_MAX_RANGE;
1638 } else if (insn->imm < BPF_REGISTER_MAX_RANGE &&
1639 (s64)insn->imm > BPF_REGISTER_MIN_RANGE) {
1640 min_val = max_val = insn->imm;
1641 min_set = max_set = true;
1644 /* We don't know anything about what was done to this register, mark it
1645 * as unknown. Also, if both derived bounds came from signed/unsigned
1646 * mixed compares and one side is unbounded, we cannot really do anything
1647 * with them as boundaries cannot be trusted. Thus, arithmetic of two
1648 * regs of such kind will get invalidated bounds on the dst side.
1650 if ((min_val == BPF_REGISTER_MIN_RANGE &&
1651 max_val == BPF_REGISTER_MAX_RANGE) ||
1652 (BPF_SRC(insn->code) == BPF_X &&
1653 ((min_val != BPF_REGISTER_MIN_RANGE &&
1654 max_val == BPF_REGISTER_MAX_RANGE) ||
1655 (min_val == BPF_REGISTER_MIN_RANGE &&
1656 max_val != BPF_REGISTER_MAX_RANGE) ||
1657 (dst_reg->min_value != BPF_REGISTER_MIN_RANGE &&
1658 dst_reg->max_value == BPF_REGISTER_MAX_RANGE) ||
1659 (dst_reg->min_value == BPF_REGISTER_MIN_RANGE &&
1660 dst_reg->max_value != BPF_REGISTER_MAX_RANGE)) &&
1661 regs[insn->dst_reg].value_from_signed !=
1662 regs[insn->src_reg].value_from_signed)) {
1663 reset_reg_range_values(regs, insn->dst_reg);
1667 /* If one of our values was at the end of our ranges then we can't just
1668 * do our normal operations to the register, we need to set the values
1669 * to the min/max since they are undefined.
1671 if (opcode != BPF_SUB) {
1672 if (min_val == BPF_REGISTER_MIN_RANGE)
1673 dst_reg->min_value = BPF_REGISTER_MIN_RANGE;
1674 if (max_val == BPF_REGISTER_MAX_RANGE)
1675 dst_reg->max_value = BPF_REGISTER_MAX_RANGE;
1680 if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE)
1681 dst_reg->min_value += min_val;
1682 if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE)
1683 dst_reg->max_value += max_val;
1686 /* If one of our values was at the end of our ranges, then the
1687 * _opposite_ value in the dst_reg goes to the end of our range.
1689 if (min_val == BPF_REGISTER_MIN_RANGE)
1690 dst_reg->max_value = BPF_REGISTER_MAX_RANGE;
1691 if (max_val == BPF_REGISTER_MAX_RANGE)
1692 dst_reg->min_value = BPF_REGISTER_MIN_RANGE;
1693 if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE)
1694 dst_reg->min_value -= max_val;
1695 if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE)
1696 dst_reg->max_value -= min_val;
1699 if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE)
1700 dst_reg->min_value *= min_val;
1701 if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE)
1702 dst_reg->max_value *= max_val;
1705 /* Disallow AND'ing of negative numbers, ain't nobody got time
1706 * for that. Otherwise the minimum is 0 and the max is the max
1707 * value we could AND against.
1710 dst_reg->min_value = BPF_REGISTER_MIN_RANGE;
1712 dst_reg->min_value = 0;
1713 dst_reg->max_value = max_val;
1716 /* Gotta have special overflow logic here, if we're shifting
1717 * more than MAX_RANGE then just assume we have an invalid
1720 if (min_val > ilog2(BPF_REGISTER_MAX_RANGE))
1721 dst_reg->min_value = BPF_REGISTER_MIN_RANGE;
1722 else if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE)
1723 dst_reg->min_value <<= min_val;
1725 if (max_val > ilog2(BPF_REGISTER_MAX_RANGE))
1726 dst_reg->max_value = BPF_REGISTER_MAX_RANGE;
1727 else if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE)
1728 dst_reg->max_value <<= max_val;
1731 /* RSH by a negative number is undefined, and the BPF_RSH is an
1732 * unsigned shift, so make the appropriate casts.
1734 if (min_val < 0 || dst_reg->min_value < 0)
1735 reset_reg_range_values(regs, insn->dst_reg);
1737 dst_reg->min_value = (u64)(dst_reg->min_value) >> max_val;
1738 if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE)
1739 dst_reg->max_value >>= min_val;
1742 reset_reg_range_values(regs, insn->dst_reg);
1746 check_reg_overflow(dst_reg);
1749 /* check validity of 32-bit and 64-bit arithmetic operations */
1750 static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
1752 struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg;
1753 u8 opcode = BPF_OP(insn->code);
1756 if (opcode == BPF_END || opcode == BPF_NEG) {
1757 if (opcode == BPF_NEG) {
1758 if (BPF_SRC(insn->code) != 0 ||
1759 insn->src_reg != BPF_REG_0 ||
1760 insn->off != 0 || insn->imm != 0) {
1761 verbose("BPF_NEG uses reserved fields\n");
1765 if (insn->src_reg != BPF_REG_0 || insn->off != 0 ||
1766 (insn->imm != 16 && insn->imm != 32 && insn->imm != 64) ||
1767 BPF_CLASS(insn->code) == BPF_ALU64) {
1768 verbose("BPF_END uses reserved fields\n");
1773 /* check src operand */
1774 err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
1778 if (is_pointer_value(env, insn->dst_reg)) {
1779 verbose("R%d pointer arithmetic prohibited\n",
1784 /* check dest operand */
1785 err = check_reg_arg(regs, insn->dst_reg, DST_OP);
1789 } else if (opcode == BPF_MOV) {
1791 if (BPF_SRC(insn->code) == BPF_X) {
1792 if (insn->imm != 0 || insn->off != 0) {
1793 verbose("BPF_MOV uses reserved fields\n");
1797 /* check src operand */
1798 err = check_reg_arg(regs, insn->src_reg, SRC_OP);
1802 if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
1803 verbose("BPF_MOV uses reserved fields\n");
1808 /* check dest operand */
1809 err = check_reg_arg(regs, insn->dst_reg, DST_OP);
1813 /* we are setting our register to something new, we need to
1814 * reset its range values.
1816 reset_reg_range_values(regs, insn->dst_reg);
1818 if (BPF_SRC(insn->code) == BPF_X) {
1819 if (BPF_CLASS(insn->code) == BPF_ALU64) {
1821 * copy register state to dest reg
1823 regs[insn->dst_reg] = regs[insn->src_reg];
1825 if (is_pointer_value(env, insn->src_reg)) {
1826 verbose("R%d partial copy of pointer\n",
1830 mark_reg_unknown_value(regs, insn->dst_reg);
1834 * remember the value we stored into this reg
1838 if (BPF_CLASS(insn->code) == BPF_ALU64)
1841 imm = (u32)insn->imm;
1843 regs[insn->dst_reg].type = CONST_IMM;
1844 regs[insn->dst_reg].imm = imm;
1845 regs[insn->dst_reg].max_value = imm;
1846 regs[insn->dst_reg].min_value = imm;
1849 } else if (opcode > BPF_END) {
1850 verbose("invalid BPF_ALU opcode %x\n", opcode);
1853 } else { /* all other ALU ops: and, sub, xor, add, ... */
1855 if (BPF_SRC(insn->code) == BPF_X) {
1856 if (insn->imm != 0 || insn->off != 0) {
1857 verbose("BPF_ALU uses reserved fields\n");
1860 /* check src1 operand */
1861 err = check_reg_arg(regs, insn->src_reg, SRC_OP);
1865 if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
1866 verbose("BPF_ALU uses reserved fields\n");
1871 /* check src2 operand */
1872 err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
1876 if ((opcode == BPF_MOD || opcode == BPF_DIV) &&
1877 BPF_SRC(insn->code) == BPF_K && insn->imm == 0) {
1878 verbose("div by zero\n");
1882 if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) {
1883 verbose("BPF_ARSH not supported for 32 bit ALU\n");
1887 if ((opcode == BPF_LSH || opcode == BPF_RSH ||
1888 opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
1889 int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
1891 if (insn->imm < 0 || insn->imm >= size) {
1892 verbose("invalid shift %d\n", insn->imm);
1897 /* check dest operand */
1898 err = check_reg_arg(regs, insn->dst_reg, DST_OP_NO_MARK);
1902 dst_reg = ®s[insn->dst_reg];
1904 /* first we want to adjust our ranges. */
1905 adjust_reg_min_max_vals(env, insn);
1907 /* pattern match 'bpf_add Rx, imm' instruction */
1908 if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 &&
1909 dst_reg->type == FRAME_PTR && BPF_SRC(insn->code) == BPF_K) {
1910 dst_reg->type = PTR_TO_STACK;
1911 dst_reg->imm = insn->imm;
1913 } else if (opcode == BPF_ADD &&
1914 BPF_CLASS(insn->code) == BPF_ALU64 &&
1915 dst_reg->type == PTR_TO_STACK &&
1916 ((BPF_SRC(insn->code) == BPF_X &&
1917 regs[insn->src_reg].type == CONST_IMM) ||
1918 BPF_SRC(insn->code) == BPF_K)) {
1919 if (BPF_SRC(insn->code) == BPF_X) {
1920 /* check in case the register contains a big
1923 if (regs[insn->src_reg].imm < -MAX_BPF_STACK ||
1924 regs[insn->src_reg].imm > MAX_BPF_STACK) {
1925 verbose("R%d value too big in R%d pointer arithmetic\n",
1926 insn->src_reg, insn->dst_reg);
1929 dst_reg->imm += regs[insn->src_reg].imm;
1931 /* safe against overflow: addition of 32-bit
1932 * numbers in 64-bit representation
1934 dst_reg->imm += insn->imm;
1936 if (dst_reg->imm > 0 || dst_reg->imm < -MAX_BPF_STACK) {
1937 verbose("R%d out-of-bounds pointer arithmetic\n",
1942 } else if (opcode == BPF_ADD &&
1943 BPF_CLASS(insn->code) == BPF_ALU64 &&
1944 (dst_reg->type == PTR_TO_PACKET ||
1945 (BPF_SRC(insn->code) == BPF_X &&
1946 regs[insn->src_reg].type == PTR_TO_PACKET))) {
1947 /* ptr_to_packet += K|X */
1948 return check_packet_ptr_add(env, insn);
1949 } else if (BPF_CLASS(insn->code) == BPF_ALU64 &&
1950 dst_reg->type == UNKNOWN_VALUE &&
1951 env->allow_ptr_leaks) {
1952 /* unknown += K|X */
1953 return evaluate_reg_alu(env, insn);
1954 } else if (BPF_CLASS(insn->code) == BPF_ALU64 &&
1955 dst_reg->type == CONST_IMM &&
1956 env->allow_ptr_leaks) {
1957 /* reg_imm += K|X */
1958 return evaluate_reg_imm_alu(env, insn);
1959 } else if (is_pointer_value(env, insn->dst_reg)) {
1960 verbose("R%d pointer arithmetic prohibited\n",
1963 } else if (BPF_SRC(insn->code) == BPF_X &&
1964 is_pointer_value(env, insn->src_reg)) {
1965 verbose("R%d pointer arithmetic prohibited\n",
1970 /* If we did pointer math on a map value then just set it to our
1971 * PTR_TO_MAP_VALUE_ADJ type so we can deal with any stores or
1972 * loads to this register appropriately, otherwise just mark the
1973 * register as unknown.
1975 if (env->allow_ptr_leaks &&
1976 BPF_CLASS(insn->code) == BPF_ALU64 && opcode == BPF_ADD &&
1977 (dst_reg->type == PTR_TO_MAP_VALUE ||
1978 dst_reg->type == PTR_TO_MAP_VALUE_ADJ))
1979 dst_reg->type = PTR_TO_MAP_VALUE_ADJ;
1981 mark_reg_unknown_value(regs, insn->dst_reg);
1987 static void find_good_pkt_pointers(struct bpf_verifier_state *state,
1988 struct bpf_reg_state *dst_reg)
1990 struct bpf_reg_state *regs = state->regs, *reg;
1993 /* LLVM can generate two kind of checks:
1999 * if (r2 > pkt_end) goto <handle exception>
2003 * r2 == dst_reg, pkt_end == src_reg
2004 * r2=pkt(id=n,off=8,r=0)
2005 * r3=pkt(id=n,off=0,r=0)
2011 * if (pkt_end >= r2) goto <access okay>
2012 * <handle exception>
2015 * pkt_end == dst_reg, r2 == src_reg
2016 * r2=pkt(id=n,off=8,r=0)
2017 * r3=pkt(id=n,off=0,r=0)
2019 * Find register r3 and mark its range as r3=pkt(id=n,off=0,r=8)
2020 * so that range of bytes [r3, r3 + 8) is safe to access.
2023 for (i = 0; i < MAX_BPF_REG; i++)
2024 if (regs[i].type == PTR_TO_PACKET && regs[i].id == dst_reg->id)
2025 /* keep the maximum range already checked */
2026 regs[i].range = max(regs[i].range, dst_reg->off);
2028 for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
2029 if (state->stack_slot_type[i] != STACK_SPILL)
2031 reg = &state->spilled_regs[i / BPF_REG_SIZE];
2032 if (reg->type == PTR_TO_PACKET && reg->id == dst_reg->id)
2033 reg->range = max(reg->range, dst_reg->off);
2037 /* Adjusts the register min/max values in the case that the dst_reg is the
2038 * variable register that we are working on, and src_reg is a constant or we're
2039 * simply doing a BPF_K check.
2041 static void reg_set_min_max(struct bpf_reg_state *true_reg,
2042 struct bpf_reg_state *false_reg, u64 val,
2045 bool value_from_signed = true;
2046 bool is_range = true;
2050 /* If this is false then we know nothing Jon Snow, but if it is
2051 * true then we know for sure.
2053 true_reg->max_value = true_reg->min_value = val;
2057 /* If this is true we know nothing Jon Snow, but if it is false
2058 * we know the value for sure;
2060 false_reg->max_value = false_reg->min_value = val;
2064 value_from_signed = false;
2067 if (true_reg->value_from_signed != value_from_signed)
2068 reset_reg_range_values(true_reg, 0);
2069 if (false_reg->value_from_signed != value_from_signed)
2070 reset_reg_range_values(false_reg, 0);
2071 if (opcode == BPF_JGT) {
2072 /* Unsigned comparison, the minimum value is 0. */
2073 false_reg->min_value = 0;
2075 /* If this is false then we know the maximum val is val,
2076 * otherwise we know the min val is val+1.
2078 false_reg->max_value = val;
2079 false_reg->value_from_signed = value_from_signed;
2080 true_reg->min_value = val + 1;
2081 true_reg->value_from_signed = value_from_signed;
2084 value_from_signed = false;
2087 if (true_reg->value_from_signed != value_from_signed)
2088 reset_reg_range_values(true_reg, 0);
2089 if (false_reg->value_from_signed != value_from_signed)
2090 reset_reg_range_values(false_reg, 0);
2091 if (opcode == BPF_JGE) {
2092 /* Unsigned comparison, the minimum value is 0. */
2093 false_reg->min_value = 0;
2095 /* If this is false then we know the maximum value is val - 1,
2096 * otherwise we know the mimimum value is val.
2098 false_reg->max_value = val - 1;
2099 false_reg->value_from_signed = value_from_signed;
2100 true_reg->min_value = val;
2101 true_reg->value_from_signed = value_from_signed;
2107 check_reg_overflow(false_reg);
2108 check_reg_overflow(true_reg);
2110 if (__is_pointer_value(false, false_reg))
2111 reset_reg_range_values(false_reg, 0);
2112 if (__is_pointer_value(false, true_reg))
2113 reset_reg_range_values(true_reg, 0);
2117 /* Same as above, but for the case that dst_reg is a CONST_IMM reg and src_reg
2118 * is the variable reg.
2120 static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
2121 struct bpf_reg_state *false_reg, u64 val,
2124 bool value_from_signed = true;
2125 bool is_range = true;
2129 /* If this is false then we know nothing Jon Snow, but if it is
2130 * true then we know for sure.
2132 true_reg->max_value = true_reg->min_value = val;
2136 /* If this is true we know nothing Jon Snow, but if it is false
2137 * we know the value for sure;
2139 false_reg->max_value = false_reg->min_value = val;
2143 value_from_signed = false;
2146 if (true_reg->value_from_signed != value_from_signed)
2147 reset_reg_range_values(true_reg, 0);
2148 if (false_reg->value_from_signed != value_from_signed)
2149 reset_reg_range_values(false_reg, 0);
2150 if (opcode == BPF_JGT) {
2151 /* Unsigned comparison, the minimum value is 0. */
2152 true_reg->min_value = 0;
2155 * If this is false, then the val is <= the register, if it is
2156 * true the register <= to the val.
2158 false_reg->min_value = val;
2159 false_reg->value_from_signed = value_from_signed;
2160 true_reg->max_value = val - 1;
2161 true_reg->value_from_signed = value_from_signed;
2164 value_from_signed = false;
2167 if (true_reg->value_from_signed != value_from_signed)
2168 reset_reg_range_values(true_reg, 0);
2169 if (false_reg->value_from_signed != value_from_signed)
2170 reset_reg_range_values(false_reg, 0);
2171 if (opcode == BPF_JGE) {
2172 /* Unsigned comparison, the minimum value is 0. */
2173 true_reg->min_value = 0;
2175 /* If this is false then constant < register, if it is true then
2176 * the register < constant.
2178 false_reg->min_value = val + 1;
2179 false_reg->value_from_signed = value_from_signed;
2180 true_reg->max_value = val;
2181 true_reg->value_from_signed = value_from_signed;
2187 check_reg_overflow(false_reg);
2188 check_reg_overflow(true_reg);
2190 if (__is_pointer_value(false, false_reg))
2191 reset_reg_range_values(false_reg, 0);
2192 if (__is_pointer_value(false, true_reg))
2193 reset_reg_range_values(true_reg, 0);
2197 static void mark_map_reg(struct bpf_reg_state *regs, u32 regno, u32 id,
2198 enum bpf_reg_type type)
2200 struct bpf_reg_state *reg = ®s[regno];
2202 if (reg->type == PTR_TO_MAP_VALUE_OR_NULL && reg->id == id) {
2204 /* We don't need id from this point onwards anymore, thus we
2205 * should better reset it, so that state pruning has chances
2209 if (type == UNKNOWN_VALUE)
2210 __mark_reg_unknown_value(regs, regno);
2214 /* The logic is similar to find_good_pkt_pointers(), both could eventually
2215 * be folded together at some point.
2217 static void mark_map_regs(struct bpf_verifier_state *state, u32 regno,
2218 enum bpf_reg_type type)
2220 struct bpf_reg_state *regs = state->regs;
2221 u32 id = regs[regno].id;
2224 for (i = 0; i < MAX_BPF_REG; i++)
2225 mark_map_reg(regs, i, id, type);
2227 for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
2228 if (state->stack_slot_type[i] != STACK_SPILL)
2230 mark_map_reg(state->spilled_regs, i / BPF_REG_SIZE, id, type);
2234 static int check_cond_jmp_op(struct bpf_verifier_env *env,
2235 struct bpf_insn *insn, int *insn_idx)
2237 struct bpf_verifier_state *other_branch, *this_branch = &env->cur_state;
2238 struct bpf_reg_state *regs = this_branch->regs, *dst_reg;
2239 u8 opcode = BPF_OP(insn->code);
2242 if (opcode > BPF_EXIT) {
2243 verbose("invalid BPF_JMP opcode %x\n", opcode);
2247 if (BPF_SRC(insn->code) == BPF_X) {
2248 if (insn->imm != 0) {
2249 verbose("BPF_JMP uses reserved fields\n");
2253 /* check src1 operand */
2254 err = check_reg_arg(regs, insn->src_reg, SRC_OP);
2258 if (is_pointer_value(env, insn->src_reg)) {
2259 verbose("R%d pointer comparison prohibited\n",
2264 if (insn->src_reg != BPF_REG_0) {
2265 verbose("BPF_JMP uses reserved fields\n");
2270 /* check src2 operand */
2271 err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
2275 dst_reg = ®s[insn->dst_reg];
2277 /* detect if R == 0 where R was initialized to zero earlier */
2278 if (BPF_SRC(insn->code) == BPF_K &&
2279 (opcode == BPF_JEQ || opcode == BPF_JNE) &&
2280 dst_reg->type == CONST_IMM && dst_reg->imm == insn->imm) {
2281 if (opcode == BPF_JEQ) {
2282 /* if (imm == imm) goto pc+off;
2283 * only follow the goto, ignore fall-through
2285 *insn_idx += insn->off;
2288 /* if (imm != imm) goto pc+off;
2289 * only follow fall-through branch, since
2290 * that's where the program will go
2296 other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx);
2300 /* detect if we are comparing against a constant value so we can adjust
2301 * our min/max values for our dst register.
2303 if (BPF_SRC(insn->code) == BPF_X) {
2304 if (regs[insn->src_reg].type == CONST_IMM)
2305 reg_set_min_max(&other_branch->regs[insn->dst_reg],
2306 dst_reg, regs[insn->src_reg].imm,
2308 else if (dst_reg->type == CONST_IMM)
2309 reg_set_min_max_inv(&other_branch->regs[insn->src_reg],
2310 ®s[insn->src_reg], dst_reg->imm,
2313 reg_set_min_max(&other_branch->regs[insn->dst_reg],
2314 dst_reg, insn->imm, opcode);
2317 /* detect if R == 0 where R is returned from bpf_map_lookup_elem() */
2318 if (BPF_SRC(insn->code) == BPF_K &&
2319 insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
2320 dst_reg->type == PTR_TO_MAP_VALUE_OR_NULL) {
2321 /* Mark all identical map registers in each branch as either
2322 * safe or unknown depending R == 0 or R != 0 conditional.
2324 mark_map_regs(this_branch, insn->dst_reg,
2325 opcode == BPF_JEQ ? PTR_TO_MAP_VALUE : UNKNOWN_VALUE);
2326 mark_map_regs(other_branch, insn->dst_reg,
2327 opcode == BPF_JEQ ? UNKNOWN_VALUE : PTR_TO_MAP_VALUE);
2328 } else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGT &&
2329 dst_reg->type == PTR_TO_PACKET &&
2330 regs[insn->src_reg].type == PTR_TO_PACKET_END) {
2331 find_good_pkt_pointers(this_branch, dst_reg);
2332 } else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGE &&
2333 dst_reg->type == PTR_TO_PACKET_END &&
2334 regs[insn->src_reg].type == PTR_TO_PACKET) {
2335 find_good_pkt_pointers(other_branch, ®s[insn->src_reg]);
2336 } else if (is_pointer_value(env, insn->dst_reg)) {
2337 verbose("R%d pointer comparison prohibited\n", insn->dst_reg);
2341 print_verifier_state(this_branch);
2345 /* return the map pointer stored inside BPF_LD_IMM64 instruction */
2346 static struct bpf_map *ld_imm64_to_map_ptr(struct bpf_insn *insn)
2348 u64 imm64 = ((u64) (u32) insn[0].imm) | ((u64) (u32) insn[1].imm) << 32;
2350 return (struct bpf_map *) (unsigned long) imm64;
2353 /* verify BPF_LD_IMM64 instruction */
2354 static int check_ld_imm(struct bpf_verifier_env *env, struct bpf_insn *insn)
2356 struct bpf_reg_state *regs = env->cur_state.regs;
2359 if (BPF_SIZE(insn->code) != BPF_DW) {
2360 verbose("invalid BPF_LD_IMM insn\n");
2363 if (insn->off != 0) {
2364 verbose("BPF_LD_IMM64 uses reserved fields\n");
2368 err = check_reg_arg(regs, insn->dst_reg, DST_OP);
2372 if (insn->src_reg == 0) {
2373 /* generic move 64-bit immediate into a register,
2374 * only analyzer needs to collect the ld_imm value.
2376 u64 imm = ((u64)(insn + 1)->imm << 32) | (u32)insn->imm;
2378 if (!env->analyzer_ops)
2381 regs[insn->dst_reg].type = CONST_IMM;
2382 regs[insn->dst_reg].imm = imm;
2386 /* replace_map_fd_with_map_ptr() should have caught bad ld_imm64 */
2387 BUG_ON(insn->src_reg != BPF_PSEUDO_MAP_FD);
2389 regs[insn->dst_reg].type = CONST_PTR_TO_MAP;
2390 regs[insn->dst_reg].map_ptr = ld_imm64_to_map_ptr(insn);
2394 static bool may_access_skb(enum bpf_prog_type type)
2397 case BPF_PROG_TYPE_SOCKET_FILTER:
2398 case BPF_PROG_TYPE_SCHED_CLS:
2399 case BPF_PROG_TYPE_SCHED_ACT:
2406 /* verify safety of LD_ABS|LD_IND instructions:
2407 * - they can only appear in the programs where ctx == skb
2408 * - since they are wrappers of function calls, they scratch R1-R5 registers,
2409 * preserve R6-R9, and store return value into R0
2412 * ctx == skb == R6 == CTX
2415 * SRC == any register
2416 * IMM == 32-bit immediate
2419 * R0 - 8/16/32-bit skb data converted to cpu endianness
2421 static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
2423 struct bpf_reg_state *regs = env->cur_state.regs;
2424 u8 mode = BPF_MODE(insn->code);
2425 struct bpf_reg_state *reg;
2428 if (!may_access_skb(env->prog->type)) {
2429 verbose("BPF_LD_[ABS|IND] instructions not allowed for this program type\n");
2433 if (insn->dst_reg != BPF_REG_0 || insn->off != 0 ||
2434 BPF_SIZE(insn->code) == BPF_DW ||
2435 (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) {
2436 verbose("BPF_LD_[ABS|IND] uses reserved fields\n");
2440 /* check whether implicit source operand (register R6) is readable */
2441 err = check_reg_arg(regs, BPF_REG_6, SRC_OP);
2445 if (regs[BPF_REG_6].type != PTR_TO_CTX) {
2446 verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
2450 if (mode == BPF_IND) {
2451 /* check explicit source operand */
2452 err = check_reg_arg(regs, insn->src_reg, SRC_OP);
2457 /* reset caller saved regs to unreadable */
2458 for (i = 0; i < CALLER_SAVED_REGS; i++) {
2459 reg = regs + caller_saved[i];
2460 reg->type = NOT_INIT;
2464 /* mark destination R0 register as readable, since it contains
2465 * the value fetched from the packet
2467 regs[BPF_REG_0].type = UNKNOWN_VALUE;
2471 /* non-recursive DFS pseudo code
2472 * 1 procedure DFS-iterative(G,v):
2473 * 2 label v as discovered
2474 * 3 let S be a stack
2476 * 5 while S is not empty
2478 * 7 if t is what we're looking for:
2480 * 9 for all edges e in G.adjacentEdges(t) do
2481 * 10 if edge e is already labelled
2482 * 11 continue with the next edge
2483 * 12 w <- G.adjacentVertex(t,e)
2484 * 13 if vertex w is not discovered and not explored
2485 * 14 label e as tree-edge
2486 * 15 label w as discovered
2489 * 18 else if vertex w is discovered
2490 * 19 label e as back-edge
2492 * 21 // vertex w is explored
2493 * 22 label e as forward- or cross-edge
2494 * 23 label t as explored
2499 * 0x11 - discovered and fall-through edge labelled
2500 * 0x12 - discovered and fall-through and branch edges labelled
2511 #define STATE_LIST_MARK ((struct bpf_verifier_state_list *) -1L)
2513 static int *insn_stack; /* stack of insns to process */
2514 static int cur_stack; /* current stack index */
2515 static int *insn_state;
2517 /* t, w, e - match pseudo-code above:
2518 * t - index of current instruction
2519 * w - next instruction
2522 static int push_insn(int t, int w, int e, struct bpf_verifier_env *env)
2524 if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH))
2527 if (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH))
2530 if (w < 0 || w >= env->prog->len) {
2531 verbose("jump out of range from insn %d to %d\n", t, w);
2536 /* mark branch target for state pruning */
2537 env->explored_states[w] = STATE_LIST_MARK;
2539 if (insn_state[w] == 0) {
2541 insn_state[t] = DISCOVERED | e;
2542 insn_state[w] = DISCOVERED;
2543 if (cur_stack >= env->prog->len)
2545 insn_stack[cur_stack++] = w;
2547 } else if ((insn_state[w] & 0xF0) == DISCOVERED) {
2548 verbose("back-edge from insn %d to %d\n", t, w);
2550 } else if (insn_state[w] == EXPLORED) {
2551 /* forward- or cross-edge */
2552 insn_state[t] = DISCOVERED | e;
2554 verbose("insn state internal bug\n");
2560 /* non-recursive depth-first-search to detect loops in BPF program
2561 * loop == back-edge in directed graph
2563 static int check_cfg(struct bpf_verifier_env *env)
2565 struct bpf_insn *insns = env->prog->insnsi;
2566 int insn_cnt = env->prog->len;
2570 insn_state = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL);
2574 insn_stack = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL);
2580 insn_state[0] = DISCOVERED; /* mark 1st insn as discovered */
2581 insn_stack[0] = 0; /* 0 is the first instruction */
2587 t = insn_stack[cur_stack - 1];
2589 if (BPF_CLASS(insns[t].code) == BPF_JMP) {
2590 u8 opcode = BPF_OP(insns[t].code);
2592 if (opcode == BPF_EXIT) {
2594 } else if (opcode == BPF_CALL) {
2595 ret = push_insn(t, t + 1, FALLTHROUGH, env);
2600 if (t + 1 < insn_cnt)
2601 env->explored_states[t + 1] = STATE_LIST_MARK;
2602 } else if (opcode == BPF_JA) {
2603 if (BPF_SRC(insns[t].code) != BPF_K) {
2607 /* unconditional jump with single edge */
2608 ret = push_insn(t, t + insns[t].off + 1,
2614 /* tell verifier to check for equivalent states
2615 * after every call and jump
2617 if (t + 1 < insn_cnt)
2618 env->explored_states[t + 1] = STATE_LIST_MARK;
2620 /* conditional jump with two edges */
2621 env->explored_states[t] = STATE_LIST_MARK;
2622 ret = push_insn(t, t + 1, FALLTHROUGH, env);
2628 ret = push_insn(t, t + insns[t].off + 1, BRANCH, env);
2635 /* all other non-branch instructions with single
2638 ret = push_insn(t, t + 1, FALLTHROUGH, env);
2646 insn_state[t] = EXPLORED;
2647 if (cur_stack-- <= 0) {
2648 verbose("pop stack internal bug\n");
2655 for (i = 0; i < insn_cnt; i++) {
2656 if (insn_state[i] != EXPLORED) {
2657 verbose("unreachable insn %d\n", i);
2662 ret = 0; /* cfg looks good */
2670 /* the following conditions reduce the number of explored insns
2671 * from ~140k to ~80k for ultra large programs that use a lot of ptr_to_packet
2673 static bool compare_ptrs_to_packet(struct bpf_reg_state *old,
2674 struct bpf_reg_state *cur)
2676 if (old->id != cur->id)
2679 /* old ptr_to_packet is more conservative, since it allows smaller
2681 * old(off=0,r=10) is equal to cur(off=0,r=20), because
2682 * old(off=0,r=10) means that with range=10 the verifier proceeded
2683 * further and found no issues with the program. Now we're in the same
2684 * spot with cur(off=0,r=20), so we're safe too, since anything further
2685 * will only be looking at most 10 bytes after this pointer.
2687 if (old->off == cur->off && old->range < cur->range)
2690 /* old(off=20,r=10) is equal to cur(off=22,re=22 or 5 or 0)
2691 * since both cannot be used for packet access and safe(old)
2692 * pointer has smaller off that could be used for further
2693 * 'if (ptr > data_end)' check
2695 * old(off=20,r=10) and cur(off=22,r=22) and cur(off=22,r=0) mean
2696 * that we cannot access the packet.
2697 * The safe range is:
2698 * [ptr, ptr + range - off)
2699 * so whenever off >=range, it means no safe bytes from this pointer.
2700 * When comparing old->off <= cur->off, it means that older code
2701 * went with smaller offset and that offset was later
2702 * used to figure out the safe range after 'if (ptr > data_end)' check
2703 * Say, 'old' state was explored like:
2704 * ... R3(off=0, r=0)
2706 * ... now R4(off=20,r=0) <-- here
2707 * if (R4 > data_end)
2708 * ... R4(off=20,r=20), R3(off=0,r=20) and R3 can be used to access.
2709 * ... the code further went all the way to bpf_exit.
2710 * Now the 'cur' state at the mark 'here' has R4(off=30,r=0).
2711 * old_R4(off=20,r=0) equal to cur_R4(off=30,r=0), since if the verifier
2712 * goes further, such cur_R4 will give larger safe packet range after
2713 * 'if (R4 > data_end)' and all further insn were already good with r=20,
2714 * so they will be good with r=30 and we can prune the search.
2716 if (old->off <= cur->off &&
2717 old->off >= old->range && cur->off >= cur->range)
2723 /* compare two verifier states
2725 * all states stored in state_list are known to be valid, since
2726 * verifier reached 'bpf_exit' instruction through them
2728 * this function is called when verifier exploring different branches of
2729 * execution popped from the state stack. If it sees an old state that has
2730 * more strict register state and more strict stack state then this execution
2731 * branch doesn't need to be explored further, since verifier already
2732 * concluded that more strict state leads to valid finish.
2734 * Therefore two states are equivalent if register state is more conservative
2735 * and explored stack state is more conservative than the current one.
2738 * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC)
2739 * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC)
2741 * In other words if current stack state (one being explored) has more
2742 * valid slots than old one that already passed validation, it means
2743 * the verifier can stop exploring and conclude that current state is valid too
2745 * Similarly with registers. If explored state has register type as invalid
2746 * whereas register type in current state is meaningful, it means that
2747 * the current state will reach 'bpf_exit' instruction safely
2749 static bool states_equal(struct bpf_verifier_env *env,
2750 struct bpf_verifier_state *old,
2751 struct bpf_verifier_state *cur)
2753 bool varlen_map_access = env->varlen_map_value_access;
2754 struct bpf_reg_state *rold, *rcur;
2757 for (i = 0; i < MAX_BPF_REG; i++) {
2758 rold = &old->regs[i];
2759 rcur = &cur->regs[i];
2761 if (memcmp(rold, rcur, sizeof(*rold)) == 0)
2764 /* If the ranges were not the same, but everything else was and
2765 * we didn't do a variable access into a map then we are a-ok.
2767 if (!varlen_map_access &&
2768 memcmp(rold, rcur, offsetofend(struct bpf_reg_state, id)) == 0)
2771 /* If we didn't map access then again we don't care about the
2772 * mismatched range values and it's ok if our old type was
2773 * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg.
2775 if (rold->type == NOT_INIT ||
2776 (!varlen_map_access && rold->type == UNKNOWN_VALUE &&
2777 rcur->type != NOT_INIT &&
2778 !__is_pointer_value(env->allow_ptr_leaks, rcur)))
2781 /* Don't care about the reg->id in this case. */
2782 if (rold->type == PTR_TO_MAP_VALUE_OR_NULL &&
2783 rcur->type == PTR_TO_MAP_VALUE_OR_NULL &&
2784 rold->map_ptr == rcur->map_ptr)
2787 if (rold->type == PTR_TO_PACKET && rcur->type == PTR_TO_PACKET &&
2788 compare_ptrs_to_packet(rold, rcur))
2794 for (i = 0; i < MAX_BPF_STACK; i++) {
2795 if (old->stack_slot_type[i] == STACK_INVALID)
2797 if (old->stack_slot_type[i] != cur->stack_slot_type[i])
2798 /* Ex: old explored (safe) state has STACK_SPILL in
2799 * this stack slot, but current has has STACK_MISC ->
2800 * this verifier states are not equivalent,
2801 * return false to continue verification of this path
2804 if (i % BPF_REG_SIZE)
2806 if (memcmp(&old->spilled_regs[i / BPF_REG_SIZE],
2807 &cur->spilled_regs[i / BPF_REG_SIZE],
2808 sizeof(old->spilled_regs[0])))
2809 /* when explored and current stack slot types are
2810 * the same, check that stored pointers types
2811 * are the same as well.
2812 * Ex: explored safe path could have stored
2813 * (bpf_reg_state) {.type = PTR_TO_STACK, .imm = -8}
2814 * but current path has stored:
2815 * (bpf_reg_state) {.type = PTR_TO_STACK, .imm = -16}
2816 * such verifier states are not equivalent.
2817 * return false to continue verification of this path
2826 static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
2828 struct bpf_verifier_state_list *new_sl;
2829 struct bpf_verifier_state_list *sl;
2831 sl = env->explored_states[insn_idx];
2833 /* this 'insn_idx' instruction wasn't marked, so we will not
2834 * be doing state search here
2838 while (sl != STATE_LIST_MARK) {
2839 if (states_equal(env, &sl->state, &env->cur_state))
2840 /* reached equivalent register/stack state,
2847 /* there were no equivalent states, remember current one.
2848 * technically the current state is not proven to be safe yet,
2849 * but it will either reach bpf_exit (which means it's safe) or
2850 * it will be rejected. Since there are no loops, we won't be
2851 * seeing this 'insn_idx' instruction again on the way to bpf_exit
2853 new_sl = kmalloc(sizeof(struct bpf_verifier_state_list), GFP_USER);
2857 /* add new state to the head of linked list */
2858 memcpy(&new_sl->state, &env->cur_state, sizeof(env->cur_state));
2859 new_sl->next = env->explored_states[insn_idx];
2860 env->explored_states[insn_idx] = new_sl;
2864 static int ext_analyzer_insn_hook(struct bpf_verifier_env *env,
2865 int insn_idx, int prev_insn_idx)
2867 if (!env->analyzer_ops || !env->analyzer_ops->insn_hook)
2870 return env->analyzer_ops->insn_hook(env, insn_idx, prev_insn_idx);
2873 static int do_check(struct bpf_verifier_env *env)
2875 struct bpf_verifier_state *state = &env->cur_state;
2876 struct bpf_insn *insns = env->prog->insnsi;
2877 struct bpf_reg_state *regs = state->regs;
2878 int insn_cnt = env->prog->len;
2879 int insn_idx, prev_insn_idx = 0;
2880 int insn_processed = 0;
2881 bool do_print_state = false;
2883 init_reg_state(regs);
2885 env->varlen_map_value_access = false;
2887 struct bpf_insn *insn;
2891 if (insn_idx >= insn_cnt) {
2892 verbose("invalid insn idx %d insn_cnt %d\n",
2893 insn_idx, insn_cnt);
2897 insn = &insns[insn_idx];
2898 class = BPF_CLASS(insn->code);
2900 if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
2901 verbose("BPF program is too large. Proccessed %d insn\n",
2906 err = is_state_visited(env, insn_idx);
2910 /* found equivalent state, can prune the search */
2913 verbose("\nfrom %d to %d: safe\n",
2914 prev_insn_idx, insn_idx);
2916 verbose("%d: safe\n", insn_idx);
2918 goto process_bpf_exit;
2921 if (signal_pending(current))
2927 if (log_level && do_print_state) {
2928 verbose("\nfrom %d to %d:", prev_insn_idx, insn_idx);
2929 print_verifier_state(&env->cur_state);
2930 do_print_state = false;
2934 verbose("%d: ", insn_idx);
2935 print_bpf_insn(env, insn);
2938 err = ext_analyzer_insn_hook(env, insn_idx, prev_insn_idx);
2942 env->insn_aux_data[insn_idx].seen = true;
2943 if (class == BPF_ALU || class == BPF_ALU64) {
2944 err = check_alu_op(env, insn);
2948 } else if (class == BPF_LDX) {
2949 enum bpf_reg_type *prev_src_type, src_reg_type;
2951 /* check for reserved fields is already done */
2953 /* check src operand */
2954 err = check_reg_arg(regs, insn->src_reg, SRC_OP);
2958 err = check_reg_arg(regs, insn->dst_reg, DST_OP_NO_MARK);
2962 src_reg_type = regs[insn->src_reg].type;
2964 /* check that memory (src_reg + off) is readable,
2965 * the state of dst_reg will be updated by this func
2967 err = check_mem_access(env, insn_idx, insn->src_reg, insn->off,
2968 BPF_SIZE(insn->code), BPF_READ,
2973 reset_reg_range_values(regs, insn->dst_reg);
2974 if (BPF_SIZE(insn->code) != BPF_W &&
2975 BPF_SIZE(insn->code) != BPF_DW) {
2980 prev_src_type = &env->insn_aux_data[insn_idx].ptr_type;
2982 if (*prev_src_type == NOT_INIT) {
2984 * dst_reg = *(u32 *)(src_reg + off)
2985 * save type to validate intersecting paths
2987 *prev_src_type = src_reg_type;
2989 } else if (src_reg_type != *prev_src_type &&
2990 (src_reg_type == PTR_TO_CTX ||
2991 *prev_src_type == PTR_TO_CTX)) {
2992 /* ABuser program is trying to use the same insn
2993 * dst_reg = *(u32*) (src_reg + off)
2994 * with different pointer types:
2995 * src_reg == ctx in one branch and
2996 * src_reg == stack|map in some other branch.
2999 verbose("same insn cannot be used with different pointers\n");
3003 } else if (class == BPF_STX) {
3004 enum bpf_reg_type *prev_dst_type, dst_reg_type;
3006 if (BPF_MODE(insn->code) == BPF_XADD) {
3007 err = check_xadd(env, insn_idx, insn);
3014 /* check src1 operand */
3015 err = check_reg_arg(regs, insn->src_reg, SRC_OP);
3018 /* check src2 operand */
3019 err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
3023 dst_reg_type = regs[insn->dst_reg].type;
3025 /* check that memory (dst_reg + off) is writeable */
3026 err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
3027 BPF_SIZE(insn->code), BPF_WRITE,
3032 prev_dst_type = &env->insn_aux_data[insn_idx].ptr_type;
3034 if (*prev_dst_type == NOT_INIT) {
3035 *prev_dst_type = dst_reg_type;
3036 } else if (dst_reg_type != *prev_dst_type &&
3037 (dst_reg_type == PTR_TO_CTX ||
3038 *prev_dst_type == PTR_TO_CTX)) {
3039 verbose("same insn cannot be used with different pointers\n");
3043 } else if (class == BPF_ST) {
3044 if (BPF_MODE(insn->code) != BPF_MEM ||
3045 insn->src_reg != BPF_REG_0) {
3046 verbose("BPF_ST uses reserved fields\n");
3049 /* check src operand */
3050 err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
3054 if (is_ctx_reg(env, insn->dst_reg)) {
3055 verbose("BPF_ST stores into R%d context is not allowed\n",
3060 /* check that memory (dst_reg + off) is writeable */
3061 err = check_mem_access(env, insn_idx, insn->dst_reg, insn->off,
3062 BPF_SIZE(insn->code), BPF_WRITE,
3067 } else if (class == BPF_JMP) {
3068 u8 opcode = BPF_OP(insn->code);
3070 if (opcode == BPF_CALL) {
3071 if (BPF_SRC(insn->code) != BPF_K ||
3073 insn->src_reg != BPF_REG_0 ||
3074 insn->dst_reg != BPF_REG_0) {
3075 verbose("BPF_CALL uses reserved fields\n");
3079 err = check_call(env, insn->imm, insn_idx);
3083 } else if (opcode == BPF_JA) {
3084 if (BPF_SRC(insn->code) != BPF_K ||
3086 insn->src_reg != BPF_REG_0 ||
3087 insn->dst_reg != BPF_REG_0) {
3088 verbose("BPF_JA uses reserved fields\n");
3092 insn_idx += insn->off + 1;
3095 } else if (opcode == BPF_EXIT) {
3096 if (BPF_SRC(insn->code) != BPF_K ||
3098 insn->src_reg != BPF_REG_0 ||
3099 insn->dst_reg != BPF_REG_0) {
3100 verbose("BPF_EXIT uses reserved fields\n");
3104 /* eBPF calling convetion is such that R0 is used
3105 * to return the value from eBPF program.
3106 * Make sure that it's readable at this time
3107 * of bpf_exit, which means that program wrote
3108 * something into it earlier
3110 err = check_reg_arg(regs, BPF_REG_0, SRC_OP);
3114 if (is_pointer_value(env, BPF_REG_0)) {
3115 verbose("R0 leaks addr as return value\n");
3120 insn_idx = pop_stack(env, &prev_insn_idx);
3124 do_print_state = true;
3128 err = check_cond_jmp_op(env, insn, &insn_idx);
3132 } else if (class == BPF_LD) {
3133 u8 mode = BPF_MODE(insn->code);
3135 if (mode == BPF_ABS || mode == BPF_IND) {
3136 err = check_ld_abs(env, insn);
3140 } else if (mode == BPF_IMM) {
3141 err = check_ld_imm(env, insn);
3146 env->insn_aux_data[insn_idx].seen = true;
3148 verbose("invalid BPF_LD mode\n");
3151 reset_reg_range_values(regs, insn->dst_reg);
3153 verbose("unknown insn class %d\n", class);
3160 verbose("processed %d insns\n", insn_processed);
3164 static int check_map_prog_compatibility(struct bpf_map *map,
3165 struct bpf_prog *prog)
3168 if (prog->type == BPF_PROG_TYPE_PERF_EVENT &&
3169 (map->map_type == BPF_MAP_TYPE_HASH ||
3170 map->map_type == BPF_MAP_TYPE_PERCPU_HASH) &&
3171 (map->map_flags & BPF_F_NO_PREALLOC)) {
3172 verbose("perf_event programs can only use preallocated hash map\n");
3178 /* look for pseudo eBPF instructions that access map FDs and
3179 * replace them with actual map pointers
3181 static int replace_map_fd_with_map_ptr(struct bpf_verifier_env *env)
3183 struct bpf_insn *insn = env->prog->insnsi;
3184 int insn_cnt = env->prog->len;
3187 for (i = 0; i < insn_cnt; i++, insn++) {
3188 if (BPF_CLASS(insn->code) == BPF_LDX &&
3189 (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) {
3190 verbose("BPF_LDX uses reserved fields\n");
3194 if (BPF_CLASS(insn->code) == BPF_STX &&
3195 ((BPF_MODE(insn->code) != BPF_MEM &&
3196 BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {
3197 verbose("BPF_STX uses reserved fields\n");
3201 if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
3202 struct bpf_map *map;
3205 if (i == insn_cnt - 1 || insn[1].code != 0 ||
3206 insn[1].dst_reg != 0 || insn[1].src_reg != 0 ||
3208 verbose("invalid bpf_ld_imm64 insn\n");
3212 if (insn->src_reg == 0)
3213 /* valid generic load 64-bit imm */
3216 if (insn->src_reg != BPF_PSEUDO_MAP_FD) {
3217 verbose("unrecognized bpf_ld_imm64 insn\n");
3221 f = fdget(insn->imm);
3222 map = __bpf_map_get(f);
3224 verbose("fd %d is not pointing to valid bpf_map\n",
3226 return PTR_ERR(map);
3229 err = check_map_prog_compatibility(map, env->prog);
3235 /* store map pointer inside BPF_LD_IMM64 instruction */
3236 insn[0].imm = (u32) (unsigned long) map;
3237 insn[1].imm = ((u64) (unsigned long) map) >> 32;
3239 /* check whether we recorded this map already */
3240 for (j = 0; j < env->used_map_cnt; j++)
3241 if (env->used_maps[j] == map) {
3246 if (env->used_map_cnt >= MAX_USED_MAPS) {
3251 /* hold the map. If the program is rejected by verifier,
3252 * the map will be released by release_maps() or it
3253 * will be used by the valid program until it's unloaded
3254 * and all maps are released in free_used_maps()
3256 map = bpf_map_inc(map, false);
3259 return PTR_ERR(map);
3261 env->used_maps[env->used_map_cnt++] = map;
3270 /* now all pseudo BPF_LD_IMM64 instructions load valid
3271 * 'struct bpf_map *' into a register instead of user map_fd.
3272 * These pointers will be used later by verifier to validate map access.
3277 /* drop refcnt of maps used by the rejected program */
3278 static void release_maps(struct bpf_verifier_env *env)
3282 for (i = 0; i < env->used_map_cnt; i++)
3283 bpf_map_put(env->used_maps[i]);
3286 /* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */
3287 static void convert_pseudo_ld_imm64(struct bpf_verifier_env *env)
3289 struct bpf_insn *insn = env->prog->insnsi;
3290 int insn_cnt = env->prog->len;
3293 for (i = 0; i < insn_cnt; i++, insn++)
3294 if (insn->code == (BPF_LD | BPF_IMM | BPF_DW))
3298 /* single env->prog->insni[off] instruction was replaced with the range
3299 * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying
3300 * [0, off) and [off, end) to new locations, so the patched range stays zero
3302 static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
3305 struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
3310 new_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog_len);
3313 memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
3314 memcpy(new_data + off + cnt - 1, old_data + off,
3315 sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
3316 for (i = off; i < off + cnt - 1; i++)
3317 new_data[i].seen = true;
3318 env->insn_aux_data = new_data;
3323 static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 off,
3324 const struct bpf_insn *patch, u32 len)
3326 struct bpf_prog *new_prog;
3328 new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
3331 if (adjust_insn_aux_data(env, new_prog->len, off, len))
3336 /* The verifier does more data flow analysis than llvm and will not explore
3337 * branches that are dead at run time. Malicious programs can have dead code
3338 * too. Therefore replace all dead at-run-time code with nops.
3340 static void sanitize_dead_code(struct bpf_verifier_env *env)
3342 struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
3343 struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
3344 struct bpf_insn *insn = env->prog->insnsi;
3345 const int insn_cnt = env->prog->len;
3348 for (i = 0; i < insn_cnt; i++) {
3349 if (aux_data[i].seen)
3351 memcpy(insn + i, &nop, sizeof(nop));
3355 /* convert load instructions that access fields of 'struct __sk_buff'
3356 * into sequence of instructions that access fields of 'struct sk_buff'
3358 static int convert_ctx_accesses(struct bpf_verifier_env *env)
3360 const struct bpf_verifier_ops *ops = env->prog->aux->ops;
3361 const int insn_cnt = env->prog->len;
3362 struct bpf_insn insn_buf[16], *insn;
3363 struct bpf_prog *new_prog;
3364 enum bpf_access_type type;
3365 int i, cnt, delta = 0;
3367 if (ops->gen_prologue) {
3368 cnt = ops->gen_prologue(insn_buf, env->seen_direct_write,
3370 if (cnt >= ARRAY_SIZE(insn_buf)) {
3371 verbose("bpf verifier is misconfigured\n");
3374 new_prog = bpf_patch_insn_data(env, 0, insn_buf, cnt);
3378 env->prog = new_prog;
3383 if (!ops->convert_ctx_access)
3386 insn = env->prog->insnsi + delta;
3388 for (i = 0; i < insn_cnt; i++, insn++) {
3389 if (insn->code == (BPF_LDX | BPF_MEM | BPF_W) ||
3390 insn->code == (BPF_LDX | BPF_MEM | BPF_DW))
3392 else if (insn->code == (BPF_STX | BPF_MEM | BPF_W) ||
3393 insn->code == (BPF_STX | BPF_MEM | BPF_DW))
3398 if (type == BPF_WRITE &&
3399 env->insn_aux_data[i + delta].sanitize_stack_off) {
3400 struct bpf_insn patch[] = {
3401 /* Sanitize suspicious stack slot with zero.
3402 * There are no memory dependencies for this store,
3403 * since it's only using frame pointer and immediate
3406 BPF_ST_MEM(BPF_DW, BPF_REG_FP,
3407 env->insn_aux_data[i + delta].sanitize_stack_off,
3409 /* the original STX instruction will immediately
3410 * overwrite the same stack slot with appropriate value
3415 cnt = ARRAY_SIZE(patch);
3416 new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);
3421 env->prog = new_prog;
3422 insn = new_prog->insnsi + i + delta;
3426 if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
3429 cnt = ops->convert_ctx_access(type, insn->dst_reg, insn->src_reg,
3430 insn->off, insn_buf, env->prog);
3431 if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {
3432 verbose("bpf verifier is misconfigured\n");
3436 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
3442 /* keep walking new program and skip insns we just inserted */
3443 env->prog = new_prog;
3444 insn = new_prog->insnsi + i + delta;
3450 /* fixup insn->imm field of bpf_call instructions
3452 * this function is called after eBPF program passed verification
3454 static int fixup_bpf_calls(struct bpf_verifier_env *env)
3456 struct bpf_prog *prog = env->prog;
3457 struct bpf_insn *insn = prog->insnsi;
3458 const struct bpf_func_proto *fn;
3459 const int insn_cnt = prog->len;
3460 struct bpf_insn insn_buf[16];
3461 struct bpf_prog *new_prog;
3462 struct bpf_map *map_ptr;
3463 int i, cnt, delta = 0;
3466 for (i = 0; i < insn_cnt; i++, insn++) {
3467 if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
3468 insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
3469 /* due to JIT bugs clear upper 32-bits of src register
3470 * before div/mod operation
3472 insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);
3473 insn_buf[1] = *insn;
3475 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
3480 env->prog = prog = new_prog;
3481 insn = new_prog->insnsi + i + delta;
3485 if (insn->code != (BPF_JMP | BPF_CALL))
3488 if (insn->imm == BPF_FUNC_get_route_realm)
3489 prog->dst_needed = 1;
3490 if (insn->imm == BPF_FUNC_get_prandom_u32)
3491 bpf_user_rnd_init_once();
3492 if (insn->imm == BPF_FUNC_tail_call) {
3493 /* mark bpf_tail_call as different opcode to avoid
3494 * conditional branch in the interpeter for every normal
3495 * call and to prevent accidental JITing by JIT compiler
3496 * that doesn't support bpf_tail_call yet
3499 insn->code |= BPF_X;
3501 /* instead of changing every JIT dealing with tail_call
3502 * emit two extra insns:
3503 * if (index >= max_entries) goto out;
3504 * index &= array->index_mask;
3505 * to avoid out-of-bounds cpu speculation
3507 map_ptr = env->insn_aux_data[i + delta].map_ptr;
3508 if (!map_ptr->unpriv_array)
3510 insn_buf[0] = BPF_JMP_IMM(BPF_JGE, BPF_REG_3,
3511 map_ptr->max_entries, 2);
3512 insn_buf[1] = BPF_ALU32_IMM(BPF_AND, BPF_REG_3,
3513 container_of(map_ptr,
3516 insn_buf[2] = *insn;
3518 new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
3523 env->prog = prog = new_prog;
3524 insn = new_prog->insnsi + i + delta;
3528 fn = prog->aux->ops->get_func_proto(insn->imm);
3529 /* all functions that have prototype and verifier allowed
3530 * programs to call them, must be real in-kernel functions
3533 verbose("kernel subsystem misconfigured func %d\n",
3537 insn->imm = fn->func - __bpf_call_base;
3543 static void free_states(struct bpf_verifier_env *env)
3545 struct bpf_verifier_state_list *sl, *sln;
3548 if (!env->explored_states)
3551 for (i = 0; i < env->prog->len; i++) {
3552 sl = env->explored_states[i];
3555 while (sl != STATE_LIST_MARK) {
3562 kfree(env->explored_states);
3565 int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
3567 char __user *log_ubuf = NULL;
3568 struct bpf_verifier_env *env;
3571 if ((*prog)->len <= 0 || (*prog)->len > BPF_MAXINSNS)
3574 /* 'struct bpf_verifier_env' can be global, but since it's not small,
3575 * allocate/free it every time bpf_check() is called
3577 env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);
3581 env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) *
3584 if (!env->insn_aux_data)
3588 /* grab the mutex to protect few globals used by verifier */
3589 mutex_lock(&bpf_verifier_lock);
3591 if (attr->log_level || attr->log_buf || attr->log_size) {
3592 /* user requested verbose verifier output
3593 * and supplied buffer to store the verification trace
3595 log_level = attr->log_level;
3596 log_ubuf = (char __user *) (unsigned long) attr->log_buf;
3597 log_size = attr->log_size;
3601 /* log_* values have to be sane */
3602 if (log_size < 128 || log_size > UINT_MAX >> 8 ||
3603 log_level == 0 || log_ubuf == NULL)
3607 log_buf = vmalloc(log_size);
3614 ret = replace_map_fd_with_map_ptr(env);
3616 goto skip_full_check;
3618 env->explored_states = kcalloc(env->prog->len,
3619 sizeof(struct bpf_verifier_state_list *),
3622 if (!env->explored_states)
3623 goto skip_full_check;
3625 ret = check_cfg(env);
3627 goto skip_full_check;
3629 env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
3631 ret = do_check(env);
3634 while (pop_stack(env, NULL) >= 0);
3638 sanitize_dead_code(env);
3641 /* program is valid, convert *(u32*)(ctx + off) accesses */
3642 ret = convert_ctx_accesses(env);
3645 ret = fixup_bpf_calls(env);
3647 if (log_level && log_len >= log_size - 1) {
3648 BUG_ON(log_len >= log_size);
3649 /* verifier log exceeded user supplied buffer */
3651 /* fall through to return what was recorded */
3654 /* copy verifier log back to user space including trailing zero */
3655 if (log_level && copy_to_user(log_ubuf, log_buf, log_len + 1) != 0) {
3660 if (ret == 0 && env->used_map_cnt) {
3661 /* if program passed verifier, update used_maps in bpf_prog_info */
3662 env->prog->aux->used_maps = kmalloc_array(env->used_map_cnt,
3663 sizeof(env->used_maps[0]),
3666 if (!env->prog->aux->used_maps) {
3671 memcpy(env->prog->aux->used_maps, env->used_maps,
3672 sizeof(env->used_maps[0]) * env->used_map_cnt);
3673 env->prog->aux->used_map_cnt = env->used_map_cnt;
3675 /* program is valid. Convert pseudo bpf_ld_imm64 into generic
3676 * bpf_ld_imm64 instructions
3678 convert_pseudo_ld_imm64(env);
3684 if (!env->prog->aux->used_maps)
3685 /* if we didn't copy map pointers into bpf_prog_info, release
3686 * them now. Otherwise free_used_maps() will release them.
3691 mutex_unlock(&bpf_verifier_lock);
3692 vfree(env->insn_aux_data);
3698 int bpf_analyzer(struct bpf_prog *prog, const struct bpf_ext_analyzer_ops *ops,
3701 struct bpf_verifier_env *env;
3704 env = kzalloc(sizeof(struct bpf_verifier_env), GFP_KERNEL);
3708 env->insn_aux_data = vzalloc(sizeof(struct bpf_insn_aux_data) *
3711 if (!env->insn_aux_data)
3714 env->analyzer_ops = ops;
3715 env->analyzer_priv = priv;
3717 /* grab the mutex to protect few globals used by verifier */
3718 mutex_lock(&bpf_verifier_lock);
3722 env->explored_states = kcalloc(env->prog->len,
3723 sizeof(struct bpf_verifier_state_list *),
3726 if (!env->explored_states)
3727 goto skip_full_check;
3729 ret = check_cfg(env);
3731 goto skip_full_check;
3733 env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
3735 ret = do_check(env);
3738 while (pop_stack(env, NULL) >= 0);
3741 mutex_unlock(&bpf_verifier_lock);
3742 vfree(env->insn_aux_data);
3747 EXPORT_SYMBOL_GPL(bpf_analyzer);