On 10/30/2024 3:39 AM, Eduard Zingerman wrote:
> Hou Tao reported an issue with bpf_fastcall patterns allowing extra
> stack space above MAX_BPF_STACK limit. This extra stack allowance is
> not integrated properly with the following verifier parts:
> - backtracking logic still assumes that stack can't exceed
>   MAX_BPF_STACK;
> - bpf_verifier_env->scratched_stack_slots assumes only 64 slots are
>   available.
>
> Here is an example of an issue with precision tracking
> (note stack slot -8 tracked as precise instead of -520):
>
>   0: (b7) r1 = 42                       ; R1_w=42
>   1: (b7) r2 = 42                       ; R2_w=42
>   2: (7b) *(u64 *)(r10 -512) = r1       ; R1_w=42 R10=fp0 fp-512_w=42
>   3: (7b) *(u64 *)(r10 -520) = r2       ; R2_w=42 R10=fp0 fp-520_w=42
>   4: (85) call bpf_get_smp_processor_id#8 ; R0_w=scalar(...)
>   5: (79) r2 = *(u64 *)(r10 -520)       ; R2_w=42 R10=fp0 fp-520_w=42
>   6: (79) r1 = *(u64 *)(r10 -512)       ; R1_w=42 R10=fp0 fp-512_w=42
>   7: (bf) r3 = r10                      ; R3_w=fp0 R10=fp0
>   8: (0f) r3 += r2
>   mark_precise: frame0: last_idx 8 first_idx 0 subseq_idx -1
>   mark_precise: frame0: regs=r2 stack= before 7: (bf) r3 = r10
>   mark_precise: frame0: regs=r2 stack= before 6: (79) r1 = *(u64 *)(r10 -512)
>   mark_precise: frame0: regs=r2 stack= before 5: (79) r2 = *(u64 *)(r10 -520)
>   mark_precise: frame0: regs= stack=-8 before 4: (85) call bpf_get_smp_processor_id#8
>   mark_precise: frame0: regs= stack=-8 before 3: (7b) *(u64 *)(r10 -520) = r2
>   mark_precise: frame0: regs=r2 stack= before 2: (7b) *(u64 *)(r10 -512) = r1
>   mark_precise: frame0: regs=r2 stack= before 1: (b7) r2 = 42
>   9: R2_w=42 R3_w=fp42
>   9: (95) exit
>
> This patch disables the additional allowance for the moment.
> Also, two test cases are removed:
> - bpf_fastcall_max_stack_ok:
>   it fails w/o additional stack allowance;
> - bpf_fastcall_max_stack_fail:
>   this test is no longer necessary, stack size follows
>   regular rules, pattern invalidation is checked by other
>   test cases.
>
> Reported-by: Hou Tao <houtao@xxxxxxxxxxxxxxx>
> Closes: https://lore.kernel.org/bpf/20241023022752.172005-1-houtao@xxxxxxxxxxxxxxx/
> Fixes: 5b5f51bff1b6 ("bpf: no_caller_saved_registers attribute for helper calls")
> Signed-off-by: Eduard Zingerman <eddyz87@xxxxxxxxx>

Tested-by: Hou Tao <houtao1@xxxxxxxxxx>
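The following is an added illustration, not kernel code and not part of the thread above, of why a stack slot beyond MAX_BPF_STACK cannot be represented by the verifier's per-frame 64-bit slot bookkeeping. It models the arithmetic with the documented constants (MAX_BPF_STACK is 512, a slot is 8 bytes, so a u64 mask covers exactly slots 0..63, i.e. fp-8 through fp-512). The slot formula `(-off - 1) / 8` and the "unchecked" variant, which reproduces the x86 behaviour of masking a shift count to 6 bits, are assumptions about the mechanism; they are included because they are consistent with the trace marking fp-8 instead of fp-520, not because the thread states them.

```c
/* Added example: a model of a 64-slot stack mask, not the kernel's
 * verifier code. Constants match the kernel (MAX_BPF_STACK = 512,
 * 8-byte slots); the slot formula and the x86 shift-masking model
 * are assumptions stated in the lead-in. */
#include <stdint.h>
#include <stdio.h>

#define BPF_REG_SIZE 8
#define MAX_BPF_STACK 512
#define MAX_SLOTS (MAX_BPF_STACK / BPF_REG_SIZE) /* 64 */

/* Slot index for a negative fp offset: fp-8 -> 0, fp-512 -> 63, fp-520 -> 64. */
int slot_for_off(int off)
{
    return (-off - 1) / BPF_REG_SIZE;
}

/* Inverse mapping, for reporting which offset a slot denotes. */
int off_for_slot(int slot)
{
    return -(slot + 1) * BPF_REG_SIZE;
}

/* Checked variant: refuse any slot a u64 mask cannot hold.
 * Returns 0 on success, -1 if the slot is out of range. */
int mask_set_checked(uint64_t *mask, int slot)
{
    if (slot < 0 || slot >= MAX_SLOTS)
        return -1;
    *mask |= (uint64_t)1 << slot;
    return 0;
}

/* Unchecked variant modelling what happens when the code simply assumes
 * slot < 64. A shift by 64 is undefined in C; x86 masks the shift count
 * to 6 bits, so slot 64 lands on bit 0. The masking is written out
 * explicitly (assumption) so this model itself stays well-defined. */
int mask_set_unchecked_x86(uint64_t *mask, int slot)
{
    int hw_slot = slot & (MAX_SLOTS - 1);
    *mask |= (uint64_t)1 << hw_slot;
    return hw_slot;
}

/* Lowest set slot in a mask, or -1 if empty (what a "stack=-8" style
 * report would print). */
int first_slot(uint64_t mask)
{
    for (int i = 0; i < MAX_SLOTS; i++)
        if (mask & ((uint64_t)1 << i))
            return i;
    return -1;
}

/* Does the checked bookkeeping accept a store at this fp offset? */
int checked_accepts(int off)
{
    uint64_t m = 0;
    return mask_set_checked(&m, slot_for_off(off)) == 0;
}

/* Which offset ends up marked when the unchecked model records `off`? */
int aliased_offset_for(int off)
{
    uint64_t mask = 0;
    mask_set_unchecked_x86(&mask, slot_for_off(off));
    return off_for_slot(first_slot(mask));
}

int main(void)
{
    /* Constructed input: the offsets used in the trace above. */
    int offs[] = { -8, -512, -520 };
    for (size_t i = 0; i < sizeof offs / sizeof offs[0]; i++) {
        int slot = slot_for_off(offs[i]);
        printf("fp%d -> slot %d: %s", offs[i], slot,
               checked_accepts(offs[i]) ? "ok" : "rejected (beyond 64-slot mask)");
        if (!checked_accepts(offs[i]))
            printf(", unchecked model marks fp%d instead",
                   aliased_offset_for(offs[i]));
        printf("\n");
    }
    return 0;
}
```

The point the model makes is the one the patch acts on: once a store may land at fp-520, any u64-per-frame slot mask needs either a larger representation or an explicit range check; without one, slot 64 silently aliases slot 0, which is exactly the fp-8 versus fp-520 confusion visible in the mark_precise output.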