Author | Tokens | Token Proportion | Commits | Commit Proportion |
---|---|---|---|---|
Andrii Nakryiko | 1232 | 87.81% | 7 | 77.78% |
Eduard Zingerman | 171 | 12.19% | 2 | 22.22% |
Total | 1403 | 9 |
// SPDX-License-Identifier: GPL-2.0 /* Copyright (c) 2023 Meta Platforms, Inc. and affiliates. */ #include <errno.h> #include <string.h> #include <linux/bpf.h> #include <bpf/bpf_helpers.h> #include "bpf_misc.h" #include <../../../tools/include/linux/filter.h> int vals[] SEC(".data.vals") = {1, 2, 3, 4}; __naked __noinline __used static unsigned long identity_subprog() { /* the simplest *static* 64-bit identity function */ asm volatile ( "r0 = r1;" "exit;" ); } __noinline __used unsigned long global_identity_subprog(__u64 x) { /* the simplest *global* 64-bit identity function */ return x; } __naked __noinline __used static unsigned long callback_subprog() { /* the simplest callback function */ asm volatile ( "r0 = 0;" "exit;" ); } SEC("?raw_tp") __success __log_level(2) __msg("7: (0f) r1 += r0") __msg("mark_precise: frame0: regs=r0 stack= before 6: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r0 stack= before 5: (27) r0 *= 4") __msg("mark_precise: frame0: regs=r0 stack= before 11: (95) exit") __msg("mark_precise: frame1: regs=r0 stack= before 10: (bf) r0 = r1") __msg("mark_precise: frame1: regs=r1 stack= before 4: (85) call pc+5") __msg("mark_precise: frame0: regs=r1 stack= before 3: (bf) r1 = r6") __msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 3") __naked int subprog_result_precise(void) { asm volatile ( "r6 = 3;" /* pass r6 through r1 into subprog to get it back as r0; * this whole chain will have to be marked as precise later */ "r1 = r6;" "call identity_subprog;" /* now use subprog's returned value (which is a * r6 -> r1 -> r0 chain), as index into vals array, forcing * all of that to be known precisely */ "r0 *= 4;" "r1 = %[vals];" /* here r0->r1->r6 chain is forced to be precise and has to be * propagated back to the beginning, including through the * subprog call */ "r1 += r0;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common, "r6" ); } __naked __noinline __used static unsigned long fp_leaking_subprog() { asm volatile ( ".8byte %[r0_eq_r10_cast_s8];" "exit;" :: __imm_insn(r0_eq_r10_cast_s8, BPF_MOVSX64_REG(BPF_REG_0, BPF_REG_10, 8)) ); } __naked __noinline __used static unsigned long sneaky_fp_leaking_subprog() { asm volatile ( "r1 = r10;" ".8byte %[r0_eq_r1_cast_s8];" "exit;" :: __imm_insn(r0_eq_r1_cast_s8, BPF_MOVSX64_REG(BPF_REG_0, BPF_REG_1, 8)) ); } SEC("?raw_tp") __success __log_level(2) __msg("6: (0f) r1 += r0") __msg("mark_precise: frame0: last_idx 6 first_idx 0 subseq_idx -1") __msg("mark_precise: frame0: regs=r0 stack= before 5: (bf) r1 = r6") __msg("mark_precise: frame0: regs=r0 stack= before 4: (27) r0 *= 4") __msg("mark_precise: frame0: regs=r0 stack= before 3: (57) r0 &= 3") __msg("mark_precise: frame0: regs=r0 stack= before 10: (95) exit") __msg("mark_precise: frame1: regs=r0 stack= before 9: (bf) r0 = (s8)r10") __msg("7: R0_w=scalar") __naked int fp_precise_subprog_result(void) { asm volatile ( "call fp_leaking_subprog;" /* use subprog's returned value (which is derived from r10=fp * register), as index into vals array, forcing all of that to * be known precisely */ "r0 &= 3;" "r0 *= 4;" "r1 = %[vals];" /* force precision marking */ "r1 += r0;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common ); } SEC("?raw_tp") __success __log_level(2) __msg("6: (0f) r1 += r0") __msg("mark_precise: frame0: last_idx 6 first_idx 0 subseq_idx -1") __msg("mark_precise: frame0: regs=r0 stack= before 5: (bf) r1 = r6") __msg("mark_precise: frame0: regs=r0 stack= before 4: (27) r0 *= 4") __msg("mark_precise: frame0: regs=r0 stack= before 3: (57) r0 &= 3") __msg("mark_precise: frame0: regs=r0 stack= before 11: (95) exit") __msg("mark_precise: frame1: regs=r0 stack= before 10: (bf) r0 = (s8)r1") /* here r1 is marked precise, even though it's fp register, but that's fine * because by the time we get out of subprogram it has to be derived from r10 * anyways, at which point we'll break precision chain */ __msg("mark_precise: frame1: regs=r1 stack= before 9: (bf) r1 = r10") __msg("7: R0_w=scalar") __naked int sneaky_fp_precise_subprog_result(void) { asm volatile ( "call sneaky_fp_leaking_subprog;" /* use subprog's returned value (which is derived from r10=fp * register), as index into vals array, forcing all of that to * be known precisely */ "r0 &= 3;" "r0 *= 4;" "r1 = %[vals];" /* force precision marking */ "r1 += r0;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common ); } SEC("?raw_tp") __success __log_level(2) __msg("9: (0f) r1 += r0") __msg("mark_precise: frame0: last_idx 9 first_idx 0") __msg("mark_precise: frame0: regs=r0 stack= before 8: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r0 stack= before 7: (27) r0 *= 4") __msg("mark_precise: frame0: regs=r0 stack= before 5: (a5) if r0 < 0x4 goto pc+1") __msg("mark_precise: frame0: regs=r0 stack= before 4: (85) call pc+7") __naked int global_subprog_result_precise(void) { asm volatile ( "r6 = 3;" /* pass r6 through r1 into subprog to get it back as r0; * given global_identity_subprog is global, precision won't * propagate all the way back to r6 */ "r1 = r6;" "call global_identity_subprog;" /* now use subprog's returned value (which is unknown now, so * we need to clamp it), as index into vals array, forcing r0 * to be marked precise (with no effect on r6, though) */ "if r0 < %[vals_arr_sz] goto 1f;" "r0 = %[vals_arr_sz] - 1;" "1:" "r0 *= 4;" "r1 = %[vals];" /* here r0 is forced to be precise and has to be * propagated back to the global subprog call, but it * shouldn't go all the way to mark r6 as precise */ "r1 += r0;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals), __imm_const(vals_arr_sz, ARRAY_SIZE(vals)) : __clobber_common, "r6" ); } __naked __noinline __used static unsigned long loop_callback_bad() { /* bpf_loop() callback that can return values outside of [0, 1] range */ asm volatile ( "call %[bpf_get_prandom_u32];" "if r0 s> 1000 goto 1f;" "r0 = 0;" "1:" "goto +0;" /* checkpoint */ /* bpf_loop() expects [0, 1] values, so branch above skipping * r0 = 0; should lead to a failure, but if exit instruction * doesn't enforce r0's precision, this callback will be * successfully verified */ "exit;" : : __imm(bpf_get_prandom_u32) : __clobber_common ); } SEC("?raw_tp") __failure __log_level(2) __flag(BPF_F_TEST_STATE_FREQ) /* check that fallthrough code path marks r0 as precise */ __msg("mark_precise: frame1: regs=r0 stack= before 11: (b7) r0 = 0") /* check that we have branch code path doing its own validation */ __msg("from 10 to 12: frame1: R0=scalar(smin=umin=1001") /* check that branch code path marks r0 as precise, before failing */ __msg("mark_precise: frame1: regs=r0 stack= before 9: (85) call bpf_get_prandom_u32#7") __msg("At callback return the register R0 has smin=1001 should have been in [0, 1]") __naked int callback_precise_return_fail(void) { asm volatile ( "r1 = 1;" /* nr_loops */ "r2 = %[loop_callback_bad];" /* callback_fn */ "r3 = 0;" /* callback_ctx */ "r4 = 0;" /* flags */ "call %[bpf_loop];" "r0 = 0;" "exit;" : : __imm_ptr(loop_callback_bad), __imm(bpf_loop) : __clobber_common ); } SEC("?raw_tp") __success __log_level(2) /* First simulated path does not include callback body, * r1 and r4 are always precise for bpf_loop() calls. */ __msg("9: (85) call bpf_loop#181") __msg("mark_precise: frame0: last_idx 9 first_idx 9 subseq_idx -1") __msg("mark_precise: frame0: parent state regs=r4 stack=:") __msg("mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx 9") __msg("mark_precise: frame0: regs=r4 stack= before 8: (b7) r4 = 0") __msg("mark_precise: frame0: last_idx 9 first_idx 9 subseq_idx -1") __msg("mark_precise: frame0: parent state regs=r1 stack=:") __msg("mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx 9") __msg("mark_precise: frame0: regs=r1 stack= before 8: (b7) r4 = 0") __msg("mark_precise: frame0: regs=r1 stack= before 7: (b7) r3 = 0") __msg("mark_precise: frame0: regs=r1 stack= before 6: (bf) r2 = r8") __msg("mark_precise: frame0: regs=r1 stack= before 5: (bf) r1 = r6") __msg("mark_precise: frame0: regs=r6 stack= before 4: (b7) r6 = 3") /* r6 precision propagation */ __msg("14: (0f) r1 += r6") __msg("mark_precise: frame0: last_idx 14 first_idx 9") __msg("mark_precise: frame0: regs=r6 stack= before 13: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r6 stack= before 12: (27) r6 *= 4") __msg("mark_precise: frame0: regs=r6 stack= before 11: (25) if r6 > 0x3 goto pc+4") __msg("mark_precise: frame0: regs=r6 stack= before 10: (bf) r6 = r0") __msg("mark_precise: frame0: regs=r0 stack= before 9: (85) call bpf_loop") /* State entering callback body popped from states stack */ __msg("from 9 to 17: frame1:") __msg("17: frame1: R1=scalar() R2=0 R10=fp0 cb") __msg("17: (b7) r0 = 0") __msg("18: (95) exit") __msg("returning from callee:") __msg("to caller at 9:") __msg("frame 0: propagating r1,r4") __msg("mark_precise: frame0: last_idx 9 first_idx 9 subseq_idx -1") __msg("mark_precise: frame0: regs=r1,r4 stack= before 18: (95) exit") __msg("from 18 to 9: safe") __naked int callback_result_precise(void) { asm volatile ( "r6 = 3;" /* call subprog and use result; r0 shouldn't propagate back to * callback_subprog */ "r1 = r6;" /* nr_loops */ "r2 = %[callback_subprog];" /* callback_fn */ "r3 = 0;" /* callback_ctx */ "r4 = 0;" /* flags */ "call %[bpf_loop];" "r6 = r0;" "if r6 > 3 goto 1f;" "r6 *= 4;" "r1 = %[vals];" /* here r6 is forced to be precise and has to be propagated * back to the bpf_loop() call, but not beyond */ "r1 += r6;" "r0 = *(u32 *)(r1 + 0);" "1:" "exit;" : : __imm_ptr(vals), __imm_ptr(callback_subprog), __imm(bpf_loop) : __clobber_common, "r6" ); } SEC("?raw_tp") __success __log_level(2) __msg("7: (0f) r1 += r6") __msg("mark_precise: frame0: last_idx 7 first_idx 0") __msg("mark_precise: frame0: regs=r6 stack= before 6: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r6 stack= before 5: (27) r6 *= 4") __msg("mark_precise: frame0: regs=r6 stack= before 11: (95) exit") __msg("mark_precise: frame1: regs= stack= before 10: (bf) r0 = r1") __msg("mark_precise: frame1: regs= stack= before 4: (85) call pc+5") __msg("mark_precise: frame0: regs=r6 stack= before 3: (b7) r1 = 0") __msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 3") __naked int parent_callee_saved_reg_precise(void) { asm volatile ( "r6 = 3;" /* call subprog and ignore result; we need this call only to * complicate jump history */ "r1 = 0;" "call identity_subprog;" "r6 *= 4;" "r1 = %[vals];" /* here r6 is forced to be precise and has to be propagated * back to the beginning, handling (and ignoring) subprog call */ "r1 += r6;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common, "r6" ); } SEC("?raw_tp") __success __log_level(2) __msg("7: (0f) r1 += r6") __msg("mark_precise: frame0: last_idx 7 first_idx 0") __msg("mark_precise: frame0: regs=r6 stack= before 6: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r6 stack= before 5: (27) r6 *= 4") __msg("mark_precise: frame0: regs=r6 stack= before 4: (85) call pc+5") __msg("mark_precise: frame0: regs=r6 stack= before 3: (b7) r1 = 0") __msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 3") __naked int parent_callee_saved_reg_precise_global(void) { asm volatile ( "r6 = 3;" /* call subprog and ignore result; we need this call only to * complicate jump history */ "r1 = 0;" "call global_identity_subprog;" "r6 *= 4;" "r1 = %[vals];" /* here r6 is forced to be precise and has to be propagated * back to the beginning, handling (and ignoring) subprog call */ "r1 += r6;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common, "r6" ); } SEC("?raw_tp") __success __log_level(2) /* First simulated path does not include callback body */ __msg("12: (0f) r1 += r6") __msg("mark_precise: frame0: last_idx 12 first_idx 9") __msg("mark_precise: frame0: regs=r6 stack= before 11: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r6 stack= before 10: (27) r6 *= 4") __msg("mark_precise: frame0: regs=r6 stack= before 9: (85) call bpf_loop") __msg("mark_precise: frame0: parent state regs=r6 stack=:") __msg("mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx 9") __msg("mark_precise: frame0: regs=r6 stack= before 8: (b7) r4 = 0") __msg("mark_precise: frame0: regs=r6 stack= before 7: (b7) r3 = 0") __msg("mark_precise: frame0: regs=r6 stack= before 6: (bf) r2 = r8") __msg("mark_precise: frame0: regs=r6 stack= before 5: (b7) r1 = 1") __msg("mark_precise: frame0: regs=r6 stack= before 4: (b7) r6 = 3") /* State entering callback body popped from states stack */ __msg("from 9 to 15: frame1:") __msg("15: frame1: R1=scalar() R2=0 R10=fp0 cb") __msg("15: (b7) r0 = 0") __msg("16: (95) exit") __msg("returning from callee:") __msg("to caller at 9:") /* r1, r4 are always precise for bpf_loop(), * r6 was marked before backtracking to callback body. */ __msg("frame 0: propagating r1,r4,r6") __msg("mark_precise: frame0: last_idx 9 first_idx 9 subseq_idx -1") __msg("mark_precise: frame0: regs=r1,r4,r6 stack= before 16: (95) exit") __msg("mark_precise: frame1: regs= stack= before 15: (b7) r0 = 0") __msg("mark_precise: frame1: regs= stack= before 9: (85) call bpf_loop") __msg("mark_precise: frame0: parent state regs= stack=:") __msg("from 16 to 9: safe") __naked int parent_callee_saved_reg_precise_with_callback(void) { asm volatile ( "r6 = 3;" /* call subprog and ignore result; we need this call only to * complicate jump history */ "r1 = 1;" /* nr_loops */ "r2 = %[callback_subprog];" /* callback_fn */ "r3 = 0;" /* callback_ctx */ "r4 = 0;" /* flags */ "call %[bpf_loop];" "r6 *= 4;" "r1 = %[vals];" /* here r6 is forced to be precise and has to be propagated * back to the beginning, handling (and ignoring) callback call */ "r1 += r6;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals), __imm_ptr(callback_subprog), __imm(bpf_loop) : __clobber_common, "r6" ); } SEC("?raw_tp") __success __log_level(2) __msg("9: (0f) r1 += r6") __msg("mark_precise: frame0: last_idx 9 first_idx 6") __msg("mark_precise: frame0: regs=r6 stack= before 8: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r6 stack= before 7: (27) r6 *= 4") __msg("mark_precise: frame0: regs=r6 stack= before 6: (79) r6 = *(u64 *)(r10 -8)") __msg("mark_precise: frame0: parent state regs= stack=-8:") __msg("mark_precise: frame0: last_idx 13 first_idx 0") __msg("mark_precise: frame0: regs= stack=-8 before 13: (95) exit") __msg("mark_precise: frame1: regs= stack= before 12: (bf) r0 = r1") __msg("mark_precise: frame1: regs= stack= before 5: (85) call pc+6") __msg("mark_precise: frame0: regs= stack=-8 before 4: (b7) r1 = 0") __msg("mark_precise: frame0: regs= stack=-8 before 3: (7b) *(u64 *)(r10 -8) = r6") __msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 3") __naked int parent_stack_slot_precise(void) { asm volatile ( /* spill reg */ "r6 = 3;" "*(u64 *)(r10 - 8) = r6;" /* call subprog and ignore result; we need this call only to * complicate jump history */ "r1 = 0;" "call identity_subprog;" /* restore reg from stack; in this case we'll be carrying * stack mask when going back into subprog through jump * history */ "r6 = *(u64 *)(r10 - 8);" "r6 *= 4;" "r1 = %[vals];" /* here r6 is forced to be precise and has to be propagated * back to the beginning, handling (and ignoring) subprog call */ "r1 += r6;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common, "r6" ); } SEC("?raw_tp") __success __log_level(2) __msg("9: (0f) r1 += r6") __msg("mark_precise: frame0: last_idx 9 first_idx 0") __msg("mark_precise: frame0: regs=r6 stack= before 8: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r6 stack= before 7: (27) r6 *= 4") __msg("mark_precise: frame0: regs=r6 stack= before 6: (79) r6 = *(u64 *)(r10 -8)") __msg("mark_precise: frame0: regs= stack=-8 before 5: (85) call pc+6") __msg("mark_precise: frame0: regs= stack=-8 before 4: (b7) r1 = 0") __msg("mark_precise: frame0: regs= stack=-8 before 3: (7b) *(u64 *)(r10 -8) = r6") __msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 3") __naked int parent_stack_slot_precise_global(void) { asm volatile ( /* spill reg */ "r6 = 3;" "*(u64 *)(r10 - 8) = r6;" /* call subprog and ignore result; we need this call only to * complicate jump history */ "r1 = 0;" "call global_identity_subprog;" /* restore reg from stack; in this case we'll be carrying * stack mask when going back into subprog through jump * history */ "r6 = *(u64 *)(r10 - 8);" "r6 *= 4;" "r1 = %[vals];" /* here r6 is forced to be precise and has to be propagated * back to the beginning, handling (and ignoring) subprog call */ "r1 += r6;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common, "r6" ); } SEC("?raw_tp") __success __log_level(2) /* First simulated path does not include callback body */ __msg("14: (0f) r1 += r6") __msg("mark_precise: frame0: last_idx 14 first_idx 10") __msg("mark_precise: frame0: regs=r6 stack= before 13: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r6 stack= before 12: (27) r6 *= 4") __msg("mark_precise: frame0: regs=r6 stack= before 11: (79) r6 = *(u64 *)(r10 -8)") __msg("mark_precise: frame0: regs= stack=-8 before 10: (85) call bpf_loop") __msg("mark_precise: frame0: parent state regs= stack=-8:") __msg("mark_precise: frame0: last_idx 9 first_idx 0 subseq_idx 10") __msg("mark_precise: frame0: regs= stack=-8 before 9: (b7) r4 = 0") __msg("mark_precise: frame0: regs= stack=-8 before 8: (b7) r3 = 0") __msg("mark_precise: frame0: regs= stack=-8 before 7: (bf) r2 = r8") __msg("mark_precise: frame0: regs= stack=-8 before 6: (bf) r1 = r6") __msg("mark_precise: frame0: regs= stack=-8 before 5: (7b) *(u64 *)(r10 -8) = r6") __msg("mark_precise: frame0: regs=r6 stack= before 4: (b7) r6 = 3") /* State entering callback body popped from states stack */ __msg("from 10 to 17: frame1:") __msg("17: frame1: R1=scalar() R2=0 R10=fp0 cb") __msg("17: (b7) r0 = 0") __msg("18: (95) exit") __msg("returning from callee:") __msg("to caller at 10:") /* r1, r4 are always precise for bpf_loop(), * fp-8 was marked before backtracking to callback body. */ __msg("frame 0: propagating r1,r4,fp-8") __msg("mark_precise: frame0: last_idx 10 first_idx 10 subseq_idx -1") __msg("mark_precise: frame0: regs=r1,r4 stack=-8 before 18: (95) exit") __msg("mark_precise: frame1: regs= stack= before 17: (b7) r0 = 0") __msg("mark_precise: frame1: regs= stack= before 10: (85) call bpf_loop#181") __msg("mark_precise: frame0: parent state regs= stack=:") __msg("from 18 to 10: safe") __naked int parent_stack_slot_precise_with_callback(void) { asm volatile ( /* spill reg */ "r6 = 3;" "*(u64 *)(r10 - 8) = r6;" /* ensure we have callback frame in jump history */ "r1 = r6;" /* nr_loops */ "r2 = %[callback_subprog];" /* callback_fn */ "r3 = 0;" /* callback_ctx */ "r4 = 0;" /* flags */ "call %[bpf_loop];" /* restore reg from stack; in this case we'll be carrying * stack mask when going back into subprog through jump * history */ "r6 = *(u64 *)(r10 - 8);" "r6 *= 4;" "r1 = %[vals];" /* here r6 is forced to be precise and has to be propagated * back to the beginning, handling (and ignoring) subprog call */ "r1 += r6;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals), __imm_ptr(callback_subprog), __imm(bpf_loop) : __clobber_common, "r6" ); } __noinline __used static __u64 subprog_with_precise_arg(__u64 x) { return vals[x]; /* x is forced to be precise */ } SEC("?raw_tp") __success __log_level(2) __msg("8: (0f) r2 += r1") __msg("mark_precise: frame1: last_idx 8 first_idx 0") __msg("mark_precise: frame1: regs=r1 stack= before 6: (18) r2 = ") __msg("mark_precise: frame1: regs=r1 stack= before 5: (67) r1 <<= 2") __msg("mark_precise: frame1: regs=r1 stack= before 2: (85) call pc+2") __msg("mark_precise: frame0: regs=r1 stack= before 1: (bf) r1 = r6") __msg("mark_precise: frame0: regs=r6 stack= before 0: (b7) r6 = 3") __naked int subprog_arg_precise(void) { asm volatile ( "r6 = 3;" "r1 = r6;" /* subprog_with_precise_arg expects its argument to be * precise, so r1->r6 will be marked precise from inside the * subprog */ "call subprog_with_precise_arg;" "r0 += r6;" "exit;" : : : __clobber_common, "r6" ); } /* r1 is pointer to stack slot; * r2 is a register to spill into that slot * subprog also spills r2 into its own stack slot */ __naked __noinline __used static __u64 subprog_spill_reg_precise(void) { asm volatile ( /* spill to parent stack */ "*(u64 *)(r1 + 0) = r2;" /* spill to subprog stack (we use -16 offset to avoid * accidental confusion with parent's -8 stack slot in * verifier log output) */ "*(u64 *)(r10 - 16) = r2;" /* use both spills as return result to propagete precision everywhere */ "r0 = *(u64 *)(r10 - 16);" "r2 = *(u64 *)(r1 + 0);" "r0 += r2;" "exit;" ); } SEC("?raw_tp") __success __log_level(2) __msg("10: (0f) r1 += r7") __msg("mark_precise: frame0: last_idx 10 first_idx 7 subseq_idx -1") __msg("mark_precise: frame0: regs=r7 stack= before 9: (bf) r1 = r8") __msg("mark_precise: frame0: regs=r7 stack= before 8: (27) r7 *= 4") __msg("mark_precise: frame0: regs=r7 stack= before 7: (79) r7 = *(u64 *)(r10 -8)") __msg("mark_precise: frame0: parent state regs= stack=-8: R0_w=2 R6_w=1 R8_rw=map_value(map=.data.vals,ks=4,vs=16) R10=fp0 fp-8_rw=P1") __msg("mark_precise: frame0: last_idx 18 first_idx 0 subseq_idx 7") __msg("mark_precise: frame0: regs= stack=-8 before 18: (95) exit") __msg("mark_precise: frame1: regs= stack= before 17: (0f) r0 += r2") __msg("mark_precise: frame1: regs= stack= before 16: (79) r2 = *(u64 *)(r1 +0)") __msg("mark_precise: frame1: regs= stack= before 15: (79) r0 = *(u64 *)(r10 -16)") __msg("mark_precise: frame1: regs= stack= before 14: (7b) *(u64 *)(r10 -16) = r2") __msg("mark_precise: frame1: regs= stack= before 13: (7b) *(u64 *)(r1 +0) = r2") __msg("mark_precise: frame1: regs=r2 stack= before 6: (85) call pc+6") __msg("mark_precise: frame0: regs=r2 stack= before 5: (bf) r2 = r6") __msg("mark_precise: frame0: regs=r6 stack= before 4: (07) r1 += -8") __msg("mark_precise: frame0: regs=r6 stack= before 3: (bf) r1 = r10") __msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 1") __naked int subprog_spill_into_parent_stack_slot_precise(void) { asm volatile ( "r6 = 1;" /* pass pointer to stack slot and r6 to subprog; * r6 will be marked precise and spilled into fp-8 slot, which * also should be marked precise */ "r1 = r10;" "r1 += -8;" "r2 = r6;" "call subprog_spill_reg_precise;" /* restore reg from stack; in this case we'll be carrying * stack mask when going back into subprog through jump * history */ "r7 = *(u64 *)(r10 - 8);" "r7 *= 4;" "r1 = %[vals];" /* here r7 is forced to be precise and has to be propagated * back to the beginning, handling subprog call and logic */ "r1 += r7;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common, "r6", "r7" ); } SEC("?raw_tp") __success __log_level(2) __msg("17: (0f) r1 += r0") __msg("mark_precise: frame0: last_idx 17 first_idx 0 subseq_idx -1") __msg("mark_precise: frame0: regs=r0 stack= before 16: (bf) r1 = r7") __msg("mark_precise: frame0: regs=r0 stack= before 15: (27) r0 *= 4") __msg("mark_precise: frame0: regs=r0 stack= before 14: (79) r0 = *(u64 *)(r10 -16)") __msg("mark_precise: frame0: regs= stack=-16 before 13: (7b) *(u64 *)(r7 -8) = r0") __msg("mark_precise: frame0: regs=r0 stack= before 12: (79) r0 = *(u64 *)(r8 +16)") __msg("mark_precise: frame0: regs= stack=-16 before 11: (7b) *(u64 *)(r8 +16) = r0") __msg("mark_precise: frame0: regs=r0 stack= before 10: (79) r0 = *(u64 *)(r7 -8)") __msg("mark_precise: frame0: regs= stack=-16 before 9: (7b) *(u64 *)(r10 -16) = r0") __msg("mark_precise: frame0: regs=r0 stack= before 8: (07) r8 += -32") __msg("mark_precise: frame0: regs=r0 stack= before 7: (bf) r8 = r10") __msg("mark_precise: frame0: regs=r0 stack= before 6: (07) r7 += -8") __msg("mark_precise: frame0: regs=r0 stack= before 5: (bf) r7 = r10") __msg("mark_precise: frame0: regs=r0 stack= before 21: (95) exit") __msg("mark_precise: frame1: regs=r0 stack= before 20: (bf) r0 = r1") __msg("mark_precise: frame1: regs=r1 stack= before 4: (85) call pc+15") __msg("mark_precise: frame0: regs=r1 stack= before 3: (bf) r1 = r6") __msg("mark_precise: frame0: regs=r6 stack= before 2: (b7) r6 = 1") __naked int stack_slot_aliases_precision(void) { asm volatile ( "r6 = 1;" /* pass r6 through r1 into subprog to get it back as r0; * this whole chain will have to be marked as precise later */ "r1 = r6;" "call identity_subprog;" /* let's setup two registers that are aliased to r10 */ "r7 = r10;" "r7 += -8;" /* r7 = r10 - 8 */ "r8 = r10;" "r8 += -32;" /* r8 = r10 - 32 */ /* now spill subprog's return value (a r6 -> r1 -> r0 chain) * a few times through different stack pointer regs, making * sure to use r10, r7, and r8 both in LDX and STX insns, and * *importantly* also using a combination of const var_off and * insn->off to validate that we record final stack slot * correctly, instead of relying on just insn->off derivation, * which is only valid for r10-based stack offset */ "*(u64 *)(r10 - 16) = r0;" "r0 = *(u64 *)(r7 - 8);" /* r7 - 8 == r10 - 16 */ "*(u64 *)(r8 + 16) = r0;" /* r8 + 16 = r10 - 16 */ "r0 = *(u64 *)(r8 + 16);" "*(u64 *)(r7 - 8) = r0;" "r0 = *(u64 *)(r10 - 16);" /* get ready to use r0 as an index into array to force precision */ "r0 *= 4;" "r1 = %[vals];" /* here r0->r1->r6 chain is forced to be precise and has to be * propagated back to the beginning, including through the * subprog call and all the stack spills and loads */ "r1 += r0;" "r0 = *(u32 *)(r1 + 0);" "exit;" : : __imm_ptr(vals) : __clobber_common, "r6" ); } char _license[] SEC("license") = "GPL";
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.
Created with Cregit http://github.com/cregit/cregit
Version 2.0-RC1