On Mon, 2024-07-15 at 19:00 -0700, Alexei Starovoitov wrote:
> On Mon, Jul 15, 2024 at 4:02 PM Eduard Zingerman <eddyz87@xxxxxxxxx> wrote:
[...]
> > This might lead to a surprising behavior in combination with nocsr
> > rewrites, e.g. consider the program below:
> >
> > 1: r1 = 1;
> > /* nocsr pattern with stack offset -16 */
> > 2: *(u64 *)(r10 - 16) = r1;
> > 3: call %[bpf_get_smp_processor_id];
> > 4: r1 = *(u64 *)(r10 - 16);
> > 5: r1 = r10;
> > 6: r1 += -8;
> > 7: r2 = 1;
> > 8: r3 = r10;
> > 9: r3 += -16;
> > /* bpf_probe_read_kernel(dst: &fp[-8], size: 1, src: &fp[-16]) */
> > 10: call %[bpf_probe_read_kernel];
> > 11: exit;
> >
> > Here nocsr rewrite logic would remove instructions (2) and (4).
> > However, (2) writes a value that is later read by a call at (10).
>
> This makes no sense to me.
> This bpf prog is broken.
> If probe_read is used to read stack it will read garbage.
> JITs and the verifier are allowed to do any transformation
> that keeps the program semantics and safety.
I tried to run the following program
(should have run it earlier):
SEC("raw_tp")
__retval(42)
__success
int bpf_probe_read_kernel_stack_ptr(void *ctx)
{
unsigned long a = 17;
unsigned long b = 42;
int err;
err = bpf_probe_read_kernel(&a, 8, &b);
if (err)
return -1;
return a;
}
And indeed, it does not produce expected result,
the retval varies around 22079.
However, I don't really understand why this program is broken.
E.g. from C compiler pov pointer &b escapes, and compiler is not
really allowed to replace object at that offset with garbage.
Is it a limitation of the bpf_probe_read_kernel() that it cannot read
BPF program stack?
