On Thu, Dec 22, 2022 at 09:49:21PM -0800, Andrii Nakryiko wrote:
> Make default case in regsafe() safer. Instead of doing byte-by-byte
I love the patches 1-6, but this one is not making it safer.
It looks to be going less safe route.
More below.
> comparison, take into account ID remapping and also range and var_off
ID remapping is handled by the patch 6 in regs_exact().
This patch adds range and var_off check as default.
Which might not be correct in the future.
> checks. For most of registers range and var_off will be zero (not set),
> which doesn't matter. For some, like PTR_TO_MAP_{KEY,VALUE}, this
> generalized logic is exactly matching what regsafe() was doing as
> a special case. But in any case, if register has id and/or ref_obj_id
> set, check it using check_ids() logic, taking into account idmap.
That was already done in patch 6. So the commit log is misleading.
It's arguing that it's a benefit of this change while it was in the previous patch.
> With these changes, default case should be handling most registers more
> correctly, and even for future register would be a good default. For some
> special cases, like PTR_TO_PACKET, one would still need to implement extra
> checks (like special handling of reg->range) to get better state
> equivalence, but default logic shouldn't be wrong.
PTR_TO_BTF_ID with var_off would be a counter example where
such default of comparing ranges and var_off would lead to issues.
Currently PTR_TO_BTF_ID doesn't allow var_off, but folks requested this support.
The range_within() logic is safe only for types like PTR_TO_MAP_KEY/VALUE
that start from zero and have uniform typeless blob of bytes.
PTR_TO_BTF_ID with var_off would be wrong to do with just range_within().
SCALARS and PTR_TO_BTF_ID will likely dominate future bpf progs.
Keeping default as regs_exact (that does ID match) is safer default.
Having said all that the focus on safety should be balanced with focus on performance
of the verifier itself.
The regsafe is the hottest function.
That first memcmp used to be the hottest part of the whole verifier.
I suspect this refactoring won't change the perf profile, but we can optimize it.
Assuming that SCALAR, PTR_TO_BTF_ID and PTR_TO_MAP will be the majority of types
we can special case them and refactor comparison to only things
that matter to these types. var_off and min/max_value are the biggest part
of bpf_reg_state. They should be zero for PTR_TO_BTF_ID, but we already check
that in other parts of the verifier. There is no need to compare zeros again
in the hottest regsafe() function.
Same thing for SCALAR. Doing regs_exact() with big memcmp and then finer range_within()
on the same bytes is probably wasteful and can be optimized.
We might consider reshuffling bpf_reg_state fields again depending on cache line usage.
I suspect doing "smart" reg comparison we will be able to significantly
improve verification speed. Please consider for a follow up.
I've applied the first 6 patches.
