bpf: Relax return code check for subprograms

Currently verifier enforces return code checks for subprograms in the
same manner as it does for program entry points. This prevents returning
arbitrary scalar values from subprograms. Scalar type of returned values
is checked by btf_prepare_func_args() and hence it should be safe to
allow only scalars for now. Relax return code checks for subprograms and
allow any correct scalar values.

Fixes: 51c39bb1d5 (bpf: Introduce function-by-function verification)
Signed-off-by: Dmitrii Banshchikov <me@ubique.spb.ru>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20201113171756.90594-1-me@ubique.spb.ru
This commit is contained in:
Dmitrii Banshchikov 2020-11-13 17:17:56 +00:00 committed by Alexei Starovoitov
parent 50431b4568
commit f782e2c300
3 changed files with 33 additions and 2 deletions

View File

@ -7786,9 +7786,11 @@ static int check_return_code(struct bpf_verifier_env *env)
struct tnum range = tnum_range(0, 1); struct tnum range = tnum_range(0, 1);
enum bpf_prog_type prog_type = resolve_prog_type(env->prog); enum bpf_prog_type prog_type = resolve_prog_type(env->prog);
int err; int err;
const bool is_subprog = env->cur_state->frame[0]->subprogno;
/* LSM and struct_ops func-ptr's return type could be "void" */ /* LSM and struct_ops func-ptr's return type could be "void" */
if ((prog_type == BPF_PROG_TYPE_STRUCT_OPS || if (!is_subprog &&
(prog_type == BPF_PROG_TYPE_STRUCT_OPS ||
prog_type == BPF_PROG_TYPE_LSM) && prog_type == BPF_PROG_TYPE_LSM) &&
!prog->aux->attach_func_proto->type) !prog->aux->attach_func_proto->type)
return 0; return 0;
@ -7808,6 +7810,16 @@ static int check_return_code(struct bpf_verifier_env *env)
return -EACCES; return -EACCES;
} }
reg = cur_regs(env) + BPF_REG_0;
if (is_subprog) {
if (reg->type != SCALAR_VALUE) {
verbose(env, "At subprogram exit the register R0 is not a scalar value (%s)\n",
reg_type_str[reg->type]);
return -EINVAL;
}
return 0;
}
switch (prog_type) { switch (prog_type) {
case BPF_PROG_TYPE_CGROUP_SOCK_ADDR: case BPF_PROG_TYPE_CGROUP_SOCK_ADDR:
if (env->prog->expected_attach_type == BPF_CGROUP_UDP4_RECVMSG || if (env->prog->expected_attach_type == BPF_CGROUP_UDP4_RECVMSG ||
@ -7861,7 +7873,6 @@ static int check_return_code(struct bpf_verifier_env *env)
return 0; return 0;
} }
reg = cur_regs(env) + BPF_REG_0;
if (reg->type != SCALAR_VALUE) { if (reg->type != SCALAR_VALUE) {
verbose(env, "At program exit the register R0 is not a known value (%s)\n", verbose(env, "At program exit the register R0 is not a known value (%s)\n",
reg_type_str[reg->type]); reg_type_str[reg->type]);

View File

@ -60,6 +60,7 @@ void test_test_global_funcs(void)
{ "test_global_func5.o" , "expected pointer to ctx, but got PTR" }, { "test_global_func5.o" , "expected pointer to ctx, but got PTR" },
{ "test_global_func6.o" , "modified ctx ptr R2" }, { "test_global_func6.o" , "modified ctx ptr R2" },
{ "test_global_func7.o" , "foo() doesn't return scalar" }, { "test_global_func7.o" , "foo() doesn't return scalar" },
{ "test_global_func8.o" },
}; };
libbpf_print_fn_t old_print_fn = NULL; libbpf_print_fn_t old_print_fn = NULL;
int err, i, duration = 0; int err, i, duration = 0;

View File

@ -0,0 +1,19 @@
// SPDX-License-Identifier: GPL-2.0-only
/* Copyright (c) 2020 Facebook */
#include <stddef.h>
#include <linux/bpf.h>
#include <bpf/bpf_helpers.h>
__noinline int foo(struct __sk_buff *skb)
{
return bpf_get_prandom_u32();
}
SEC("cgroup_skb/ingress")
int test_cls(struct __sk_buff *skb)
{
if (!foo(skb))
return 0;
return 1;
}