Hi, Martin.

On 2021/11/2 2:45 PM, Martin KaFai Lau wrote:
> Below is a simplified case from a report in bcc [0]:
>   r4 = 20
>   *(u32 *)(r10 -4) = r4
>   *(u32 *)(r10 -8) = r4 /* r4 state is tracked */
>   r4 = *(u64 *)(r10 -8) /* Read more than the tracked 32bit scalar.
>                          * verifier rejects as 'corrupted spill memory'.
>                          */
>
> After commit 354e8f1970f8 ("bpf: Support <8-byte scalar spill and refill"),
> the 8-byte aligned 32bit spill is also tracked by the verifier
> and the reg state is stored.
>
> However, if 8 bytes are read from the stack instead of the tracked
> 4 byte scalar, the verifier currently rejects as "corrupted spill memory".
>
> This patch fixes this case by allowing it to read but marks the reg as
> unknown.
>
> Also note that, if the prog is trying to corrupt/leak an
> earlier spilled pointer by spilling another <8 bytes register on top,
> this has already been rejected in the check_stack_write_fixed_off().
>
> [0]: https://github.com/iovisor/bcc/pull/3683
>
> Fixes: 354e8f1970f8 ("bpf: Support <8-byte scalar spill and refill")
> Reported-by: Hengqi Chen <hengqi.chen@xxxxxxxxx>
> Reported-by: Yonghong Song <yhs@xxxxxxxxx>
> Signed-off-by: Martin KaFai Lau <kafai@xxxxxx>
> ---

[...]

Thanks for the quick fix. I've tested this patch and now the BCC tools work fine.

Tested-by: Hengqi Chen <hengqi.chen@xxxxxxxxx>

Cheers,
--
Hengqi
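A simplified model of the stack-slot bookkeeping behind the quoted case, added here as an illustration; it is my own code, not the kernel verifier. The slot_type layout (index 7 is the lowest address of an 8-byte slot), the tracked-scalar field and the `fixed` switch between the pre-patch and post-patch read rule are assumptions that follow the commit message, not the patch's actual diff.

```python
from dataclasses import dataclass, field
from typing import Optional

REG_SIZE = 8
INVALID, SPILL, MISC = "INVALID", "SPILL", "MISC"

def byte_idx(off: int, size: int) -> list:
    # Assumed kernel-like convention: slot_type[7] is the lowest address byte.
    return [(-off - 1 - i) % REG_SIZE for i in range(size)]

@dataclass
class Slot:
    slot_type: list = field(default_factory=lambda: [INVALID] * REG_SIZE)
    spilled: Optional[int] = None  # tracked scalar, None when nothing is tracked

def stack_write(slot: Slot, off: int, size: int, value: int) -> None:
    """Model of a known-scalar store (check_stack_write_fixed_off in spirit)."""
    touched = byte_idx(off, size)
    if off % REG_SIZE == 0:
        # Aligned spill of any size (since 354e8f1970f8): track the register,
        # mark its bytes SPILL and demote stale SPILL bytes in the slot to MISC.
        slot.spilled = value
        for i in range(REG_SIZE):
            if i in touched:
                slot.slot_type[i] = SPILL
            elif slot.slot_type[i] == SPILL:
                slot.slot_type[i] = MISC
    else:
        # Unaligned store: nothing is tracked, written bytes become plain MISC.
        slot.spilled = None
        for i in range(REG_SIZE):
            if i in touched or slot.slot_type[i] == SPILL:
                slot.slot_type[i] = MISC

def stack_read(slot: Slot, off: int, size: int, fixed: bool):
    """Model of the read rule. Returns ("ok", value) where value None means an
    unknown scalar, or ("reject", message). fixed=True applies the patch's rule."""
    if slot.spilled is None:
        ok = all(slot.slot_type[i] == MISC for i in byte_idx(off, size))
        return ("ok", None) if ok else ("reject", "invalid read from stack")
    spill_size = 1  # how many bytes from the low address still belong to the spill
    while spill_size < REG_SIZE and slot.slot_type[REG_SIZE - 1 - spill_size] == SPILL:
        spill_size += 1
    if size != REG_SIZE or (fixed and spill_size != REG_SIZE):
        if off % REG_SIZE == 0 and size == spill_size:
            return ("ok", slot.spilled)  # exact refill restores the tracked scalar
        if all(slot.slot_type[i] in (SPILL, MISC) for i in byte_idx(off, size)):
            return ("ok", None)          # readable, but the value is now unknown
        return ("reject", "invalid read from stack")
    # Pre-patch path for an 8-byte load: every byte must still be SPILL.
    if any(slot.slot_type[i] != SPILL for i in byte_idx(off, size)[1:]):
        return ("reject", "corrupted spill memory")
    return ("ok", slot.spilled)

def reported_case(fixed: bool):
    """The bcc case from the commit message: two 32-bit stores, then a 64-bit load."""
    slot = Slot()
    stack_write(slot, -4, 4, 20)           # *(u32 *)(r10 -4) = r4
    stack_write(slot, -8, 4, 20)           # *(u32 *)(r10 -8) = r4, tracked
    return stack_read(slot, -8, 8, fixed)  # r4 = *(u64 *)(r10 -8)
```

Without the patch the 64-bit load trips the all-bytes-SPILL check; with it the load is accepted and the destination register becomes an unknown scalar, while an exact 32-bit refill still recovers the tracked value in both modes.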