diff mbox series

[bpf,12/12] selftests/bpf: check if max number of bpf_loop iterations is tracked

Message ID 20231116021803.9982-13-eddyz87@gmail.com (mailing list archive)
State Superseded
Delegated to: BPF
Headers show
Series verify callbacks as if they are called unknown number of times | expand

Checks

Context Check Description
netdev/series_format success Posting correctly formatted
netdev/tree_selection success Clearly marked for bpf, async
netdev/fixes_present fail Series targets non-next tree, but doesn't contain any Fixes tags
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 8 this patch: 8
netdev/cc_maintainers warning 9 maintainers not CCed: haoluo@google.com song@kernel.org kpsingh@kernel.org jolsa@kernel.org john.fastabend@gmail.com linux-kselftest@vger.kernel.org shuah@kernel.org sdf@google.com mykolal@fb.com
netdev/build_clang success Errors and warnings before: 8 this patch: 8
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/deprecated_api success None detected
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 8 this patch: 8
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 71 lines checked
netdev/build_clang_rust success No Rust files in patch. Skipping build
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0
bpf/vmtest-bpf-VM_Test-0 success Logs for Lint
bpf/vmtest-bpf-VM_Test-1 success Logs for ShellCheck
bpf/vmtest-bpf-VM_Test-2 success Logs for Validate matrix.py
bpf/vmtest-bpf-VM_Test-3 success Logs for aarch64-gcc / build / build for aarch64 with gcc
bpf/vmtest-bpf-VM_Test-7 success Logs for aarch64-gcc / test (test_verifier, false, 360) / test_verifier on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-8 success Logs for aarch64-gcc / veristat
bpf/vmtest-bpf-VM_Test-4 success Logs for aarch64-gcc / test (test_maps, false, 360) / test_maps on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-5 success Logs for aarch64-gcc / test (test_progs, false, 360) / test_progs on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-6 success Logs for aarch64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on aarch64 with gcc
bpf/vmtest-bpf-VM_Test-9 success Logs for s390x-gcc / build / build for s390x with gcc
bpf/vmtest-bpf-VM_Test-14 success Logs for s390x-gcc / veristat
bpf/vmtest-bpf-VM_Test-15 success Logs for set-matrix
bpf/vmtest-bpf-VM_Test-16 success Logs for x86_64-gcc / build / build for x86_64 with gcc
bpf/vmtest-bpf-VM_Test-17 success Logs for x86_64-gcc / test (test_maps, false, 360) / test_maps on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-18 success Logs for x86_64-gcc / test (test_progs, false, 360) / test_progs on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-19 success Logs for x86_64-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-20 success Logs for x86_64-gcc / test (test_progs_no_alu32_parallel, true, 30) / test_progs_no_alu32_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-21 success Logs for x86_64-gcc / test (test_progs_parallel, true, 30) / test_progs_parallel on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-22 success Logs for x86_64-gcc / test (test_verifier, false, 360) / test_verifier on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-23 success Logs for x86_64-gcc / veristat / veristat on x86_64 with gcc
bpf/vmtest-bpf-VM_Test-24 success Logs for x86_64-llvm-16 / build / build for x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-25 success Logs for x86_64-llvm-16 / test (test_maps, false, 360) / test_maps on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-26 success Logs for x86_64-llvm-16 / test (test_progs, false, 360) / test_progs on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-27 success Logs for x86_64-llvm-16 / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-28 success Logs for x86_64-llvm-16 / test (test_verifier, false, 360) / test_verifier on x86_64 with llvm-16
bpf/vmtest-bpf-VM_Test-29 success Logs for x86_64-llvm-16 / veristat
bpf/vmtest-bpf-VM_Test-13 success Logs for s390x-gcc / test (test_verifier, false, 360) / test_verifier on s390x with gcc
bpf/vmtest-bpf-VM_Test-12 success Logs for s390x-gcc / test (test_progs_no_alu32, false, 360) / test_progs_no_alu32 on s390x with gcc
bpf/vmtest-bpf-VM_Test-11 success Logs for s390x-gcc / test (test_progs, false, 360) / test_progs on s390x with gcc
bpf/vmtest-bpf-PR success PR summary
bpf/vmtest-bpf-VM_Test-10 success Logs for s390x-gcc / test (test_maps, false, 360) / test_maps on s390x with gcc

Commit Message

Eduard Zingerman Nov. 16, 2023, 2:18 a.m. UTC 
Check that even if bpf_loop() callback simulation does not converge to
a specific state, verification could proceed via "brute force"
simulation of maximal number of callback calls.

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
---
 .../bpf/progs/verifier_iterating_callbacks.c  | 67 +++++++++++++++++++
 1 file changed, 67 insertions(+)

Comments

Andrii Nakryiko Nov. 17, 2023, 4:47 p.m. UTC | #1 
On Wed, Nov 15, 2023 at 9:18 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> Check that even if bpf_loop() callback simulation does not converge to
> a specific state, verification could proceed via "brute force"
> simulation of maximal number of callback calls.
>
> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
> ---
>  .../bpf/progs/verifier_iterating_callbacks.c  | 67 +++++++++++++++++++
>  1 file changed, 67 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c b/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c
> index 598c1e984b26..da10ce57da5e 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c
> @@ -164,4 +164,71 @@ int unsafe_find_vma(void *unused)
>         return choice_arr[loop_ctx.i];
>  }
>
> +static int iter_limit_cb(__u32 idx, struct num_context *ctx)
> +{
> +       ctx->i++;
> +       return 0;
> +}
> +
> +SEC("?raw_tp")
> +__success
> +int bpf_loop_iter_limit_ok(void *unused)
> +{
> +       struct num_context ctx = { .i = 0 };
> +
> +       bpf_loop(1, iter_limit_cb, &ctx, 0);
> +       return choice_arr[ctx.i];
> +}
> +
> +SEC("?raw_tp")
> +__failure __msg("invalid access to map value, value_size=2 off=2 size=1")
> +int bpf_loop_iter_limit_overflow(void *unused)
> +{
> +       struct num_context ctx = { .i = 0 };
> +
> +       bpf_loop(2, iter_limit_cb, &ctx, 0);
> +       return choice_arr[ctx.i];
> +}
> +
> +static int iter_limit_level2a_cb(__u32 idx, struct num_context *ctx)
> +{
> +       ctx->i += 100;
> +       return 0;
> +}
> +
> +static int iter_limit_level2b_cb(__u32 idx, struct num_context *ctx)
> +{
> +       ctx->i += 10;
> +       return 0;
> +}
> +
> +static int iter_limit_level1_cb(__u32 idx, struct num_context *ctx)
> +{
> +       ctx->i += 1;
> +       bpf_loop(1, iter_limit_level2a_cb, ctx, 0);
> +       bpf_loop(1, iter_limit_level2b_cb, ctx, 0);
> +       return 0;
> +}
> +
> +SEC("?raw_tp")
> +__success __log_level(2)
> +/* Check that last verified exit from the program visited each
> + * callback expected number of times: one visit per callback for each
> + * top level bpf_loop call.
> + */
> +__msg("r1 = *(u64 *)(r10 -16)       ; R1_w=111111 R10=fp0 fp-16=111111")
> +/* Ensure that read above is the last one by checking that there are
> + * no more reads for ctx.i.
> + */
> +__not_msg("r1 = *(u64 *)(r10 -16)      ; R1_w=")

can't you enforce that we don't go above 111111 just by making sure to
use r1 - 111111 + 1 as an index into choice_arr()?

We can then simplify the patch set by dropping __not_msg() parts (and
can add them separately).


> +int bpf_loop_iter_limit_nested(void *unused)
> +{
> +       struct num_context ctx = { .i = 0 };
> +
> +       bpf_loop(1, iter_limit_level1_cb, &ctx, 0);
> +       ctx.i *= 1000;
> +       bpf_loop(1, iter_limit_level1_cb, &ctx, 0);
> +       return choice_arr[ctx.i % 2];
> +}
> +
>  char _license[] SEC("license") = "GPL";
> --
> 2.42.0
>
Eduard Zingerman Nov. 17, 2023, 6:53 p.m. UTC | #2 
On Fri, 2023-11-17 at 11:47 -0500, Andrii Nakryiko wrote:
[...]
> > +SEC("?raw_tp")
> > +__success __log_level(2)
> > +/* Check that last verified exit from the program visited each
> > + * callback expected number of times: one visit per callback for each
> > + * top level bpf_loop call.
> > + */
> > +__msg("r1 = *(u64 *)(r10 -16)       ; R1_w=111111 R10=fp0 fp-16=111111")
> > +/* Ensure that read above is the last one by checking that there are
> > + * no more reads for ctx.i.
> > + */
> > +__not_msg("r1 = *(u64 *)(r10 -16)      ; R1_w=")
> 
> can't you enforce that we don't go above 111111 just by making sure to
> use r1 - 111111 + 1 as an index into choice_arr()?
> 
> We can then simplify the patch set by dropping __not_msg() parts (and
> can add them separately).

Well, r1 could be 0 as well, so idx would be out of bounds.
But I like the idea, it is possible to check that r1 is either 00000,
100000, ..., 111111 and do something unsafe otherwise.
Thank you. I'll drop __not_msg() then.
Andrii Nakryiko Nov. 17, 2023, 8:32 p.m. UTC | #3 
On Fri, Nov 17, 2023 at 1:53 PM Eduard Zingerman <eddyz87@gmail.com> wrote:
>
> On Fri, 2023-11-17 at 11:47 -0500, Andrii Nakryiko wrote:
> [...]
> > > +SEC("?raw_tp")
> > > +__success __log_level(2)
> > > +/* Check that last verified exit from the program visited each
> > > + * callback expected number of times: one visit per callback for each
> > > + * top level bpf_loop call.
> > > + */
> > > +__msg("r1 = *(u64 *)(r10 -16)       ; R1_w=111111 R10=fp0 fp-16=111111")
> > > +/* Ensure that read above is the last one by checking that there are
> > > + * no more reads for ctx.i.
> > > + */
> > > +__not_msg("r1 = *(u64 *)(r10 -16)      ; R1_w=")
> >
> > can't you enforce that we don't go above 111111 just by making sure to
> > use r1 - 111111 + 1 as an index into choice_arr()?
> >
> > We can then simplify the patch set by dropping __not_msg() parts (and
> > can add them separately).
>
> Well, r1 could be 0 as well, so idx would be out of bounds.
> But I like the idea, it is possible to check that r1 is either 00000,
> 100000, ..., 111111 and do something unsafe otherwise.

then why not `return choice_arr[r <= 111111 ? (r & 1) : -1];` or
something along those lines?

> Thank you. I'll drop __not_msg() then.

yep, thanks

>
>
Eduard Zingerman Nov. 17, 2023, 9:18 p.m. UTC | #4 
On Fri, 2023-11-17 at 15:32 -0500, Andrii Nakryiko wrote:
[...]
> > Well, r1 could be 0 as well, so idx would be out of bounds.
> > But I like the idea, it is possible to check that r1 is either 00000,
> > 100000, ..., 111111 and do something unsafe otherwise.
> 
> then why not `return choice_arr[r <= 111111 ? (r & 1) : -1];` or
> something along those lines?

In theory, invalid value might be 100002 or something similar.
I'll try writing down something more precise, if that would look too
ugly would resort to the comparison that you suggest.
diff mbox series

Patch

diff --git a/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c b/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c
index 598c1e984b26..da10ce57da5e 100644
--- a/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c
+++ b/tools/testing/selftests/bpf/progs/verifier_iterating_callbacks.c
@@ -164,4 +164,71 @@  int unsafe_find_vma(void *unused)
 	return choice_arr[loop_ctx.i];
 }
 
+static int iter_limit_cb(__u32 idx, struct num_context *ctx)
+{
+	ctx->i++;
+	return 0;
+}
+
+SEC("?raw_tp")
+__success
+int bpf_loop_iter_limit_ok(void *unused)
+{
+	struct num_context ctx = { .i = 0 };
+
+	bpf_loop(1, iter_limit_cb, &ctx, 0);
+	return choice_arr[ctx.i];
+}
+
+SEC("?raw_tp")
+__failure __msg("invalid access to map value, value_size=2 off=2 size=1")
+int bpf_loop_iter_limit_overflow(void *unused)
+{
+	struct num_context ctx = { .i = 0 };
+
+	bpf_loop(2, iter_limit_cb, &ctx, 0);
+	return choice_arr[ctx.i];
+}
+
+static int iter_limit_level2a_cb(__u32 idx, struct num_context *ctx)
+{
+	ctx->i += 100;
+	return 0;
+}
+
+static int iter_limit_level2b_cb(__u32 idx, struct num_context *ctx)
+{
+	ctx->i += 10;
+	return 0;
+}
+
+static int iter_limit_level1_cb(__u32 idx, struct num_context *ctx)
+{
+	ctx->i += 1;
+	bpf_loop(1, iter_limit_level2a_cb, ctx, 0);
+	bpf_loop(1, iter_limit_level2b_cb, ctx, 0);
+	return 0;
+}
+
+SEC("?raw_tp")
+__success __log_level(2)
+/* Check that last verified exit from the program visited each
+ * callback expected number of times: one visit per callback for each
+ * top level bpf_loop call.
+ */
+__msg("r1 = *(u64 *)(r10 -16)       ; R1_w=111111 R10=fp0 fp-16=111111")
+/* Ensure that read above is the last one by checking that there are
+ * no more reads for ctx.i.
+ */
+__not_msg("r1 = *(u64 *)(r10 -16)	; R1_w=")
+int bpf_loop_iter_limit_nested(void *unused)
+{
+	struct num_context ctx = { .i = 0 };
+
+	bpf_loop(1, iter_limit_level1_cb, &ctx, 0);
+	ctx.i *= 1000;
+	bpf_loop(1, iter_limit_level1_cb, &ctx, 0);
+	return choice_arr[ctx.i % 2];
+}
+
 char _license[] SEC("license") = "GPL";