Commit d6c2308c authored by Jiong Wang's avatar Jiong Wang Committed by Alexei Starovoitov
Browse files

bpf: verifier: randomize high 32-bit when BPF_F_TEST_RND_HI32 is set 



This patch randomizes high 32-bit of a definition when BPF_F_TEST_RND_HI32
is set.

Suggested-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarJiong Wang <jiong.wang@netronome.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 9ce33e33

kernel/bpf/verifier.c

+57 −11
Original line number Diff line number Diff line
@@ -7640,33 +7640,79 @@ static int opt_remove_nops(struct bpf_verifier_env *env) 
	return 0;

}



static int opt_subreg_zext_lo32(struct bpf_verifier_env *env)

static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,

					 const union bpf_attr *attr)

{

	struct bpf_insn *patch, zext_patch[2], rnd_hi32_patch[4];

	struct bpf_insn_aux_data *aux = env->insn_aux_data;

	int i, patch_len, delta = 0, len = env->prog->len;

	struct bpf_insn *insns = env->prog->insnsi;

	int i, delta = 0, len = env->prog->len;

	struct bpf_insn zext_patch[2];

	struct bpf_prog *new_prog;

	bool rnd_hi32;



	rnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;

	zext_patch[1] = BPF_ZEXT_REG(0);

	rnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);

	rnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);

	rnd_hi32_patch[3] = BPF_ALU64_REG(BPF_OR, 0, BPF_REG_AX);

	for (i = 0; i < len; i++) {

		int adj_idx = i + delta;

		struct bpf_insn insn;



		if (!aux[adj_idx].zext_dst)

		insn = insns[adj_idx];

		if (!aux[adj_idx].zext_dst) {

			u8 code, class;

			u32 imm_rnd;



			if (!rnd_hi32)

				continue;



			code = insn.code;

			class = BPF_CLASS(code);

			if (insn_no_def(&insn))

				continue;



			/* NOTE: arg "reg" (the fourth one) is only used for

			 *       BPF_STX which has been ruled out in above

			 *       check, it is safe to pass NULL here.

			 */

			if (is_reg64(env, &insn, insn.dst_reg, NULL, DST_OP)) {

				if (class == BPF_LD &&

				    BPF_MODE(code) == BPF_IMM)

					i++;

				continue;

			}



			/* ctx load could be transformed into wider load. */

			if (class == BPF_LDX &&

			    aux[adj_idx].ptr_type == PTR_TO_CTX)

				continue;



			imm_rnd = get_random_int();

			rnd_hi32_patch[0] = insn;

			rnd_hi32_patch[1].imm = imm_rnd;

			rnd_hi32_patch[3].dst_reg = insn.dst_reg;

			patch = rnd_hi32_patch;

			patch_len = 4;

			goto apply_patch_buffer;

		}



		if (!bpf_jit_needs_zext())

			continue;



		insn = insns[adj_idx];

		zext_patch[0] = insn;

		zext_patch[1].dst_reg = insn.dst_reg;

		zext_patch[1].src_reg = insn.dst_reg;

		new_prog = bpf_patch_insn_data(env, adj_idx, zext_patch, 2);

		patch = zext_patch;

		patch_len = 2;

apply_patch_buffer:

		new_prog = bpf_patch_insn_data(env, adj_idx, patch, patch_len);

		if (!new_prog)

			return -ENOMEM;

		env->prog = new_prog;

		insns = new_prog->insnsi;

		aux = env->insn_aux_data;

		delta += 2;

		delta += patch_len - 1;

	}



	return 0;
@@ -8525,10 +8571,10 @@ skip_full_check: 
	/* do 32-bit optimization after insn patching has done so those patched

	 * insns could be handled correctly.

	 */

	if (ret == 0 && bpf_jit_needs_zext() &&

	    !bpf_prog_is_dev_bound(env->prog->aux)) {

		ret = opt_subreg_zext_lo32(env);

		env->prog->aux->verifier_zext = !ret;

	if (ret == 0 && !bpf_prog_is_dev_bound(env->prog->aux)) {

		ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);

		env->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret

								     : false;

	}



	if (ret == 0)

CRA Git | Maintained and supported by SUSTech CRA and CCSE