
bpf, verifier: fix register type dump in xadd and st

Using reg_type_str[insn->dst_reg] is incorrect since insn->dst_reg
contains the register number but not the actual register type. Add
a small reg_state() helper and use it to get to the type. Also fix
up the test_verifier test cases that have an incorrect errstr.

Fixes: 9d2be44a7f33 ("bpf: Reuse canonical string formatter for ctx errs")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Daniel Borkmann and committed by
Alexei Starovoitov
2a159c6f c16ee04c

+18 -11
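--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1528,14 +1528,19 @@
 return reg->type != SCALAR_VALUE;
 }
 
+static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)
+{
+return cur_regs(env) + regno;
+}
+
 static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
 {
-return __is_pointer_value(env->allow_ptr_leaks, cur_regs(env) + regno);
+return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno));
 }
 
 static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
 {
-const struct bpf_reg_state *reg = cur_regs(env) + regno;
+const struct bpf_reg_state *reg = reg_state(env, regno);
 
 return reg->type == PTR_TO_CTX ||
 reg->type == PTR_TO_SOCKET;
@@ -1543,7 +1548,7 @@
 
 static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)
 {
-const struct bpf_reg_state *reg = cur_regs(env) + regno;
+const struct bpf_reg_state *reg = reg_state(env, regno);
 
 return type_is_pkt_pointer(reg->type);
 }
@@ -1958,7 +1963,8 @@
 if (is_ctx_reg(env, insn->dst_reg) ||
 is_pkt_reg(env, insn->dst_reg)) {
 verbose(env, "BPF_XADD stores into R%d %s is not allowed\n",
-insn->dst_reg, reg_type_str[insn->dst_reg]);
+insn->dst_reg,
+reg_type_str[reg_state(env, insn->dst_reg)->type]);
 return -EACCES;
 }
 
@@ -1983,7 +1989,7 @@
 int access_size, bool zero_size_allowed,
 struct bpf_call_arg_meta *meta)
 {
-struct bpf_reg_state *reg = cur_regs(env) + regno;
+struct bpf_reg_state *reg = reg_state(env, regno);
 struct bpf_func_state *state = func(env, reg);
 int off, i, slot, spi;
 
@@ -5264,7 +5270,8 @@
 
 if (is_ctx_reg(env, insn->dst_reg)) {
 verbose(env, "BPF_ST stores into R%d %s is not allowed\n",
-insn->dst_reg, reg_type_str[insn->dst_reg]);
+insn->dst_reg,
+reg_type_str[reg_state(env, insn->dst_reg)->type]);
 return -EACCES;
 }
 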
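Review bot: reg_state() hands back `cur_regs(env) + regno` without a range check, and the two rewritten log sites (the BPF_XADD and BPF_ST rejections) now dereference it to read `->type`, so both rely on `insn->dst_reg` having been validated before these lines run. That validation is not visible here, since the enclosing functions start and end outside the hunks, so the contract is worth stating on the helper, e.g. `/* regno must already be validated by the caller (< MAX_BPF_REG); no bounds check here */`. The same comment could record that reg_type_str[] is indexed by `->type` and never by register number, which is the mix-up this commit corrects.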
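--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -3430,7 +3430,7 @@
 BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
 BPF_EXIT_INSN(),
 },
-.errstr = "BPF_ST stores into R1 inv is not allowed",
+.errstr = "BPF_ST stores into R1 ctx is not allowed",
 .result = REJECT,
 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
 },
@@ -3442,7 +3442,7 @@
 BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
 BPF_EXIT_INSN(),
 },
-.errstr = "BPF_XADD stores into R1 inv is not allowed",
+.errstr = "BPF_XADD stores into R1 ctx is not allowed",
 .result = REJECT,
 .prog_type = BPF_PROG_TYPE_SCHED_CLS,
 },
@@ -5670,7 +5670,7 @@
 .errstr_unpriv = "R2 leaks addr into mem",
 .result_unpriv = REJECT,
 .result = REJECT,
-.errstr = "BPF_XADD stores into R1 inv is not allowed",
+.errstr = "BPF_XADD stores into R1 ctx is not allowed",
 },
 {
 "leak pointer into ctx 2",
@@ -5685,7 +5685,7 @@
 .errstr_unpriv = "R10 leaks addr into mem",
 .result_unpriv = REJECT,
 .result = REJECT,
-.errstr = "BPF_XADD stores into R1 inv is not allowed",
+.errstr = "BPF_XADD stores into R1 ctx is not allowed",
 },
 {
 "leak pointer into ctx 3",
@@ -12634,7 +12634,7 @@
 BPF_EXIT_INSN(),
 },
 .result = REJECT,
-.errstr = "BPF_XADD stores into R2 ctx",
+.errstr = "BPF_XADD stores into R2 pkt is not allowed",
 .prog_type = BPF_PROG_TYPE_XDP,
 },
 {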
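Review bot: None of the five expectations touched here exercises the PTR_TO_SOCKET arm of is_ctx_reg(), which the verifier.c side of this commit shows sharing the same "stores into R%d %s is not allowed" messages. The updated cases pin only the "ctx" and "pkt" type names, so the printed name for a socket pointer stays unchecked, at least in the hunks visible here. A REJECT case that does a BPF_ST or BPF_XADD through a socket-pointer register would close that gap; its `.errstr` should be spelled out in full, as the last hunk now does, rather than shortened to a prefix like the old `"BPF_XADD stores into R2 ctx"`.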