diff options
author | Alexei Starovoitov <ast@kernel.org> | 2019-09-03 15:16:17 -0700 |
---|---|---|
committer | Daniel Borkmann <daniel@iogearbox.net> | 2019-09-05 14:06:58 +0200 |
commit | 2339cd6cd0b5401fa3fe886bf1c0cb8822041957 (patch) | |
tree | bf43566d1a375cbc7ebff8e0b946b72f246e0c1b /arch/nds32 | |
parent | 44580a0118d3ede95fec4dce32df5f75f73cd663 (diff) | |
download | lwn-2339cd6cd0b5401fa3fe886bf1c0cb8822041957.tar.gz lwn-2339cd6cd0b5401fa3fe886bf1c0cb8822041957.zip |
bpf: fix precision tracking of stack slots
The problem can be seen in the following two tests:
0: (bf) r3 = r10
1: (55) if r3 != 0x7b goto pc+0
2: (7a) *(u64 *)(r3 -8) = 0
3: (79) r4 = *(u64 *)(r10 -8)
..
0: (85) call bpf_get_prandom_u32#7
1: (bf) r3 = r10
2: (55) if r3 != 0x7b goto pc+0
3: (7b) *(u64 *)(r3 -8) = r0
4: (79) r4 = *(u64 *)(r10 -8)
When backtracking need to mark R4 it will mark slot fp-8.
But ST or STX into fp-8 could belong to the same block of instructions.
When backtracing is done the parent state may have fp-8 slot
as "unallocated stack". Which will cause verifier to warn
and incorrectly reject such programs.
Writes into stack via non-R10 register are rare. llvm always
generates canonical stack spill/fill.
For such pathological case fall back to conservative precision
tracking instead of rejecting.
Reported-by: syzbot+c8d66267fd2b5955287e@syzkaller.appspotmail.com
Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'arch/nds32')
0 files changed, 0 insertions, 0 deletions