On Wed, Mar 20, 2019 at 11:31PM, Yonghong Song wrote:
> On 3/20/19 5:57 AM, Paul Chaignon wrote:
> > The BPF verifier checks the maximum number of call stack frames twice,
> > first in the main CFG traversal (do_check) and then in a subsequent
> > traversal (check_max_stack_depth). If the second check fails, it logs a
> > 'verifier bug' warning and errors out, as the number of call stack frames
> > should have been verified already.
> >
> > However, the second check may fail without indicating a verifier bug: if
> > the excessive function calls reside in dead code, the main CFG traversal
> > may not visit them; the subsequent traversal visits all instructions,
> > including dead code.
> >
> > This case raises the question of how invalid dead code should be treated.
>
> Maybe we should do this check after dead code elimination to be
> consistent with do_check? There could some other kinds of illegal stuff
To be clear, are you suggesting we run check_max_stack_depth after the
dead code elimination? That would indeed solve this issue, but Jakub made
the exact reverse change not so long ago, in 9b38c40 ("bpf: verifier:
reorder stack size check with dead code sanitization"). I think the idea
was to avoid having code modifications in between code checks.
> in the dead code, e.g., illegal/unsupported helpers, etc. I suppose we
> did not warn or reject the program, right?
As far as I know, we do not warn or reject the programs for other illegal
stuff found in dead code, no.
>
> > The first patch implements the conservative option and rejects such code;
> > the second adds a test case.
> >
> > Paul Chaignon (2):
> > bpf: remove incorrect 'verifier bug' warning
> > selftests/bpf: test case for invalid call stack in dead code
> >
> > kernel/bpf/verifier.c | 5 +--
> > tools/testing/selftests/bpf/verifier/calls.c | 38 ++++++++++++++++++++
> > 2 files changed, 41 insertions(+), 2 deletions(-)
> >
