• Andrii Nakryiko's avatar
    bpf: Ensure proper register state printing for cond jumps · 1a8a315f
    Andrii Nakryiko authored
    Verifier emits relevant register state involved in any given instruction
    next to it after `;` to the right, if possible. Or, worst case, on the
    separate line repeating instruction index.
    
    E.g., a nice and simple case would be:
    
      2: (d5) if r0 s<= 0x0 goto pc+1       ; R0_w=0
    
    But if there is some intervening extra output (e.g., precision
    backtracking log) involved, we are supposed to see the state after the
    precision backtrack log:
    
      4: (75) if r0 s>= 0x0 goto pc+1
      mark_precise: frame0: last_idx 4 first_idx 0 subseq_idx -1
      mark_precise: frame0: regs=r0 stack= before 2: (d5) if r0 s<= 0x0 goto pc+1
      mark_precise: frame0: regs=r0 stack= before 1: (b7) r0 = 0
      6: R0_w=0
    
    First off, note that in `6: R0_w=0` instruction index corresponds to the
    next instruction, not to the conditional jump instruction itself, which
    is wrong and we'll get to that.
    
    But besides that, the above is a happy case that does work today. Yet,
    if it so happens that precision backtracking had to traverse some of the
    parent states, this `6: R0_w=0` state output would be missing.
    
    This is due to a quirk of print_verifier_state() routine, which performs
    mark_verifier_state_clean(env) at the end. This marks all registers as
    "non-scratched", which means that subsequent logic to print *relevant*
    registers (that is, "scratched ones") fails and doesn't see anything
    relevant to print and skips the output altogether.
    
    print_verifier_state() is used both to print instruction context, but
    also to print an **entire** verifier state indiscriminately, e.g.,
    during precision backtracking (and in a few other situations, like
    during entering or exiting subprogram).  Which means if we have to print
    entire parent state before getting to printing instruction context
    state, instruction context is marked as clean and is omitted.
    
    Long story short, this is definitely not intentional. So we fix this
    behavior in this patch by teaching print_verifier_state() to clear
    scratch state only if it was used to print instruction state, not the
    parent/callback state. This is determined by print_all option, so if
    it's not set, we don't clear scratch state. This fixes missing
    instruction state for these cases.
    
    As for the mismatched instruction index, we fix that by making sure we
    call print_insn_state() early inside check_cond_jmp_op() before we
    adjusted insn_idx based on jump branch taken logic. And with that we get
    desired correct information:
    
      9: (16) if w4 == 0x1 goto pc+9
      mark_precise: frame0: last_idx 9 first_idx 9 subseq_idx -1
      mark_precise: frame0: parent state regs=r4 stack=: R2_w=1944 R4_rw=P1 R10=fp0
      mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx 9
      mark_precise: frame0: regs=r4 stack= before 8: (66) if w4 s> 0x3 goto pc+5
      mark_precise: frame0: regs=r4 stack= before 7: (b7) r4 = 1
      9: R4=1
    Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
    Acked-by: default avatarEduard Zingerman <eddyz87@gmail.com>
    Link: https://lore.kernel.org/bpf/20231011223728.3188086-6-andrii@kernel.org
    1a8a315f
verifier.c 595 KB