On Fri, Feb 9, 2024 at 11:03 PM Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> wrote:
>
> On Sat, 10 Feb 2024 at 05:35, Alexei Starovoitov
> <alexei.starovoitov@xxxxxxxxx> wrote:
> >
> > On Fri, Feb 9, 2024 at 3:14 PM David Vernet <void@xxxxxxxxxxxxx> wrote:
> > >
> > > > +
> > > > +#ifndef arena_container_of
> > >
> > > Why is this ifndef required if we have a pragma once above?
> >
> > Just a habit to check for a macro before defining it.
> >
> > > Obviously it's way better for us to actually have arenas in the interim
> > > so this is fine for now, but UAF bugs could potentially be pretty
> > > painful until we get proper exception unwinding support.
> >
> > Detection that arena access faulted doesn't have to come after
> > exception unwinding. Exceptions vs cancellable progs are also different.
>
> What do you mean exactly by 'cancellable progs'? That they can be
> interrupted at any (or well-known) points and stopped? I believe
> whatever plumbing was done to enable exceptions will be useful there
> as well. The verifier would just need to know e.g. that a load into
> PTR_TO_ARENA may fault, and thus generate descriptors for all frames
> for that pc. Then, at runtime, you could technically release all
> resources by looking up the frame descriptor and unwind the stack and
> return back to the caller of the prog.

I don't think it's a scalable approach.
I'm still trying to understand your exceptions part 2 series,
but from what I understand so far the scalability is a real concern.

> > A record of the line in bpf prog that caused the first fault is probably
> > good enough for prog debugging.
> >
>
> I think it would make more sense to abort the program by default,
> because use-after-free in the arena most certainly means a bug in the
> program.

Yes, but aborting vs safe continue and remembering the first wrong access
is the same thing from a debuggability pov.
Aborting by itself also doesn't mean that the prog is auto-detached.
It may run again a split second later and won't hit the abort condition.
Recording the first wrong access (either abort or pf in arena) is a
must-have regardless.