    bpf: fix precision tracking of stack slots · 2339cd6c
    Alexei Starovoitov authored
    The problem can be seen in the following two tests:
    0: (bf) r3 = r10
    1: (55) if r3 != 0x7b goto pc+0
    2: (7a) *(u64 *)(r3 -8) = 0
    3: (79) r4 = *(u64 *)(r10 -8)
    ..
    0: (85) call bpf_get_prandom_u32#7
    1: (bf) r3 = r10
    2: (55) if r3 != 0x7b goto pc+0
    3: (7b) *(u64 *)(r3 -8) = r0
    4: (79) r4 = *(u64 *)(r10 -8)
    
    When backtracking needs to mark R4 it will mark slot fp-8.
    But ST or STX into fp-8 could belong to the same block of instructions.
    When backtracking is done the parent state may have fp-8 slot
    as "unallocated stack", which will cause the verifier to warn
    and incorrectly reject such programs.
    
    Writes into the stack via a non-R10 register are rare. LLVM always
    generates canonical stack spill/fill.
    For such a pathological case fall back to conservative precision
    tracking instead of rejecting.
    
    Reported-by: syzbot+c8d66267fd2b5955287e@syzkaller.appspotmail.com
    Fixes: b5dc0163 ("bpf: precise scalar_value tracking")
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
verifier.c 268 KB