From: "kris.van.hees at oracle dot com"
To: gcc-bugs@gcc.gnu.org
Subject: [Bug target/110657] New: BPF verifier rejects generated code due to invalid stack access
Date: Thu, 13 Jul 2023 15:18:21 +0000
X-Bugzilla-URL: http://gcc.gnu.org/bugzilla/

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=110657

            Bug ID: 110657
           Summary: BPF verifier rejects generated code due to invalid
                    stack access
           Product: gcc
           Version: 13.1.0
            Status: UNCONFIRMED
          Severity: normal
          Priority: P3
         Component: target
          Assignee: unassigned at gcc dot gnu.org
          Reporter: kris.van.hees at oracle dot com
  Target Milestone: ---

Created attachment 55535
  --> https://gcc.gnu.org/bugzilla/attachment.cgi?id=55535&action=edit
C source code file for BPF function

The attached BPF program compiles into code that the BPF kernel verifier
rejects because of an invalid stack access. The code is compiled with:

bpf-gcc -gbtf -D__amd64 -Ilibdtrace -Iinclude -I/scratch/dtrace-bpf-user/build/include -O2 -Wall -Wno-unknown-pragmas -MP -MMD -MF /scratch/dtrace-bpf-user/build/bpf--inet_ntoa6.o.deps -MT /scratch/dtrace-bpf-user/build/bpf--inet_ntoa6.o -c -o /scratch/dtrace-bpf-user/build/bpf--inet_ntoa6.o bpf/inet_ntoa6.c

The bpf/inet_ntoa6.c code is attached (an incomplete implementation of the
function, but one that exhibits the issue). The function gets included in a
larger program, so the instruction numbers are much higher than in
e.g. objdump output.

The function entry point is at instruction 2432. The BPF verifier output is:

BPF: 2432: (7b) *(u64 *)(r10 -32) = r1 ; frame2: R1_w=map_value(off=0,ks=4,vs=528,umin=8,umax=263,var_off=(0x0; 0x1ff),s32_min=0,s32_max=511,u32_max=511) R10=fp0 fp-32_w=map_value
BPF: 2433: (bf) r6 = r2 ; frame2: R2_w=map_value(off=2208,ks=4,vs=3529,imm=0) R6_w=map_value(off=2208,ks=4,vs=3529,imm=0)
BPF: 2434: (bf) r3 = r1 ; frame2: R1_w=map_value(off=0,ks=4,vs=528,umin=8,umax=263,var_off=(0x0; 0x1ff),s32_min=0,s32_max=511,u32_max=511) R3_w=map_value(off=0,ks=4,vs=528,umin=8,umax=263,var_off=(0x0; 0x1ff),s32_min=0,s32_max=511,u32_max=511)
BPF: 2435: (b7) r2 = 16 ; frame2: R2_w=P16
BPF: 2436: (bf) r1 = r10 ; frame2: R1_w=fp0 R10=fp0
BPF: 2437: (07) r1 += -16 ; frame2: R1_w=fp-16
BPF: 2438: (85) call bpf_probe_read#4 ; frame2: R0=Pscalar() fp-8=mmmmmmmm fp-16=mmmmmmmm
BPF: 2439: (71) r0 = *(u8 *)(r10 -14) ; frame2: R0_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2440: (67) r0 <<= 8 ; frame2: R0_w=Pscalar(umax=65280,var_off=(0x0; 0xff00))
BPF: 2441: (71) r1 = *(u8 *)(r10 -13) ; frame2: R1_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2442: (4f) r0 |= r1 ; frame2: R0_w=Pscalar() R1_w=Pscalar(umax=255,var_off=(0x0; 0xff))
BPF: 2443: (71) r8 = *(u8 *)(r10 -12) ; frame2: R8_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2444: (67) r8 <<= 8 ; frame2: R8_w=Pscalar(umax=65280,var_off=(0x0; 0xff00))
BPF: 2445: (71) r2 = *(u8 *)(r10 -11) ; frame2: R2_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2446: (4f) r8 |= r2 ; frame2: R2_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R8_w=Pscalar()
BPF: 2447: (71) r7 = *(u8 *)(r10 -10) ; frame2: R7_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2448: (67) r7 <<= 8 ; frame2: R7_w=Pscalar(umax=65280,var_off=(0x0; 0xff00))
BPF: 2449: (71) r3 = *(u8 *)(r10 -9) ; frame2: R3_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2450: (4f) r7 |= r3 ; frame2: R3_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R7_w=Pscalar()
BPF: 2451: (7b) *(u64 *)(r10 -40) = r7 ; frame2: R7_w=Pscalar() R10=fp0 fp-40_w=mmmmmmmm
BPF: 2452: (71) r1 = *(u8 *)(r10 -8) ; frame2: R1_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2453: (67) r1 <<= 8 ; frame2: R1_w=Pscalar(umax=65280,var_off=(0x0; 0xff00))
BPF: 2454: (71) r4 = *(u8 *)(r10 -7) ; frame2: R4_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2455: (4f) r1 |= r4 ; frame2: R1_w=Pscalar() R4_w=Pscalar(umax=255,var_off=(0x0; 0xff))
BPF: 2456: (71) r3 = *(u8 *)(r10 -6) ; frame2: R3_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2457: (67) r3 <<= 8 ; frame2: R3_w=Pscalar(umax=65280,var_off=(0x0; 0xff00))
BPF: 2458: (71) r5 = *(u8 *)(r10 -5) ; frame2: R5_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2459: (4f) r3 |= r5 ; frame2: R3_w=Pscalar() R5_w=Pscalar(umax=255,var_off=(0x0; 0xff))
BPF: 2460: (71) r4 = *(u8 *)(r10 -4) ; frame2: R4_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2461: (67) r4 <<= 8 ; frame2: R4_w=Pscalar(umax=65280,var_off=(0x0; 0xff00))
BPF: 2462: (71) r2 = *(u8 *)(r10 -3) ; frame2: R2_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2463: (4f) r4 |= r2 ; frame2: R2_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R4_w=Pscalar()
BPF: 2464: (71) r5 = *(u8 *)(r10 -2) ; frame2: R5_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2465: (67) r5 <<= 8 ; frame2: R5_w=Pscalar(umax=65280,var_off=(0x0; 0xff00))
BPF: 2466: (71) r7 = *(u8 *)(r10 -1) ; frame2: R7_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2467: (4f) r5 |= r7 ; frame2: R5_w=Pscalar() R7_w=Pscalar(umax=255,var_off=(0x0; 0xff))
BPF: 2468: (71) r2 = *(u8 *)(r10 -16) ; frame2: R2_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2469: (64) w2 <<= 8 ; frame2: R2_w=Pscalar(umax=65280,var_off=(0x0; 0xff00))
BPF: 2470: (71) r7 = *(u8 *)(r10 -15) ; frame2: R7_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0
BPF: 2471: (73) *(u8 *)(r10 -20) = r7 ; frame2: R7_w=Pscalar(umax=255,var_off=(0x0; 0xff)) R10=fp0 fp-24=???m????
BPF: 2472: (61) r7 = *(u32 *)(r10 -20)
BPF: invalid read from stack off -20+1 size 4
BPF: verification time 75240 usec
BPF: stack depth 96+16+0+0+96+0+0+40+0+0
BPF: processed 27048 insns (limit 1000000) max_states_per_insn 33 total_states 2418 peak_states 2318 mark_read 131

The core issue is seen in instructions 2471 and 2472, where an 8-bit value
is stored on the stack but we then try to read a 32-bit value from the
stack. That is flagged as a BPF verifier error because we end up reading
uninitialized data from the stack, which is a no-no in BPF land.
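As an added illustration (not part of the bug report and not GCC's or the kernel's code), a small C model of the verifier's per-byte stack tracking that replays the writes shown in the trace and reproduces the rejection at 2471/2472: the u8 store initialises only fp-20, so the u32 load from fp-20 touches three bytes that were never written, the first of them at offset +1. The byte-granular bookkeeping, the slot rendering and the message format follow the kernel verifier's output quoted above; the function names and the 512-byte stack size are this example's own assumptions.

```c
/* Added example, not code from the bug report or from GCC: a minimal model
 * of the BPF verifier's per-byte stack tracking, enough to reproduce why
 * the u8 store at 2471 followed by the u32 load at 2472 is rejected. */
#include <stdio.h>

/* init[n] == 1 once the byte at fp-n (1 <= n <= 512, the BPF stack limit
 * MAX_BPF_STACK) has been written; offsets are assumed to be in range. */
static unsigned char init[513];

/* A store of `size` bytes at fp+off (off < 0) marks every covered byte as
 * "misc": initialised with an unknown value, which the verifier prints as 'm'. */
static void stack_write(int off, int size)
{
    for (int i = 0; i < size; i++)
        init[-(off + i)] = 1;
}

/* A load of `size` bytes at fp+off.  Returns -1 if every byte was written,
 * else the index i of the first unwritten byte: the "+i" in the kernel's
 * "invalid read from stack off %d+%d size %d" message. */
static int stack_read(int off, int size)
{
    for (int i = 0; i < size; i++)
        if (!init[-(off + i)])
            return i;
    return -1;
}

/* Render the 8-byte slot the verifier prints as "fp-<base>=...": leftmost
 * char is the highest address (fp-base+7), rightmost is fp-base itself. */
static const char *slot_string(int base)
{
    static char out[9];
    for (int j = 0; j < 8; j++)
        out[j] = init[base - 7 + j] ? 'm' : '?';
    out[8] = '\0';
    return out;
}

int main(void)
{
    stack_write(-16, 16);    /* 2438: bpf_probe_read fills fp-16 .. fp-1 */
    stack_write(-20, 1);     /* 2471: *(u8 *)(r10 -20) = r7 */
    printf("fp-24=%s\n", slot_string(24));   /* fp-24=???m???? */
    int bad = stack_read(-20, 4);            /* 2472: r7 = *(u32 *)(r10 -20) */
    if (bad >= 0)                            /* -20+1 size 4, as in the report */
        printf("invalid read from stack off %d+%d size %d\n", -20, bad, 4);
    return 0;
}
```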