LXR linux/kernel/bpf/verifier.c

   1/* Copyright (c) 2011-2014 PLUMgrid, http://plumgrid.com
   2 * Copyright (c) 2016 Facebook
   3 *
   4 * This program is free software; you can redistribute it and/or
   5 * modify it under the terms of version 2 of the GNU General Public
   6 * License as published by the Free Software Foundation.
   7 *
   8 * This program is distributed in the hope that it will be useful, but
   9 * WITHOUT ANY WARRANTY; without even the implied warranty of
  10 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
  11 * General Public License for more details.
  12 */
  13#include <linux/kernel.h>
  14#include <linux/types.h>
  15#include <linux/slab.h>
  16#include <linux/bpf.h>
  17#include <linux/filter.h>
  18#include <net/netlink.h>
  19#include <linux/file.h>
  20#include <linux/vmalloc.h>
  21
  22/* bpf_check() is a static code analyzer that walks eBPF program
  23 * instruction by instruction and updates register/stack state.
  24 * All paths of conditional branches are analyzed until 'bpf_exit' insn.
  25 *
  26 * The first pass is depth-first-search to check that the program is a DAG.
  27 * It rejects the following programs:
  28 * - larger than BPF_MAXINSNS insns
  29 * - if loop is present (detected via back-edge)
  30 * - unreachable insns exist (shouldn't be a forest. program = one function)
  31 * - out of bounds or malformed jumps
  32 * The second pass is all possible path descent from the 1st insn.
  33 * Since it's analyzing all pathes through the program, the length of the
  34 * analysis is limited to 32k insn, which may be hit even if total number of
  35 * insn is less then 4K, but there are too many branches that change stack/regs.
  36 * Number of 'branches to be analyzed' is limited to 1k
  37 *
  38 * On entry to each instruction, each register has a type, and the instruction
  39 * changes the types of the registers depending on instruction semantics.
  40 * If instruction is BPF_MOV64_REG(BPF_REG_1, BPF_REG_5), then type of R5 is
  41 * copied to R1.
  42 *
  43 * All registers are 64-bit.
  44 * R0 - return register
  45 * R1-R5 argument passing registers
  46 * R6-R9 callee saved registers
  47 * R10 - frame pointer read-only
  48 *
  49 * At the start of BPF program the register R1 contains a pointer to bpf_context
  50 * and has type PTR_TO_CTX.
  51 *
  52 * Verifier tracks arithmetic operations on pointers in case:
  53 *    BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
  54 *    BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -20),
  55 * 1st insn copies R10 (which has FRAME_PTR) type into R1
  56 * and 2nd arithmetic instruction is pattern matched to recognize
  57 * that it wants to construct a pointer to some element within stack.
  58 * So after 2nd insn, the register R1 has type PTR_TO_STACK
  59 * (and -20 constant is saved for further stack bounds checking).
  60 * Meaning that this reg is a pointer to stack plus known immediate constant.
  61 *
  62 * Most of the time the registers have UNKNOWN_VALUE type, which
  63 * means the register has some value, but it's not a valid pointer.
  64 * (like pointer plus pointer becomes UNKNOWN_VALUE type)
  65 *
  66 * When verifier sees load or store instructions the type of base register
  67 * can be: PTR_TO_MAP_VALUE, PTR_TO_CTX, FRAME_PTR. These are three pointer
  68 * types recognized by check_mem_access() function.
  69 *
  70 * PTR_TO_MAP_VALUE means that this register is pointing to 'map element value'
  71 * and the range of [ptr, ptr + map's value_size) is accessible.
  72 *
  73 * registers used to pass values to function calls are checked against
  74 * function argument constraints.
  75 *
  76 * ARG_PTR_TO_MAP_KEY is one of such argument constraints.
  77 * It means that the register type passed to this function must be
  78 * PTR_TO_STACK and it will be used inside the function as
  79 * 'pointer to map element key'
  80 *
  81 * For example the argument constraints for bpf_map_lookup_elem():
  82 *   .ret_type = RET_PTR_TO_MAP_VALUE_OR_NULL,
  83 *   .arg1_type = ARG_CONST_MAP_PTR,
  84 *   .arg2_type = ARG_PTR_TO_MAP_KEY,
  85 *
  86 * ret_type says that this function returns 'pointer to map elem value or null'
  87 * function expects 1st argument to be a const pointer to 'struct bpf_map' and
  88 * 2nd argument should be a pointer to stack, which will be used inside
  89 * the helper function as a pointer to map element key.
  90 *
  91 * On the kernel side the helper function looks like:
  92 * u64 bpf_map_lookup_elem(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5)
  93 * {
  94 *    struct bpf_map *map = (struct bpf_map *) (unsigned long) r1;
  95 *    void *key = (void *) (unsigned long) r2;
  96 *    void *value;
  97 *
  98 *    here kernel can access 'key' and 'map' pointers safely, knowing that
  99 *    [key, key + map->key_size) bytes are valid and were initialized on
 100 *    the stack of eBPF program.
 101 * }
 102 *
 103 * Corresponding eBPF program may look like:
 104 *    BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),  // after this insn R2 type is FRAME_PTR
 105 *    BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -4), // after this insn R2 type is PTR_TO_STACK
 106 *    BPF_LD_MAP_FD(BPF_REG_1, map_fd),      // after this insn R1 type is CONST_PTR_TO_MAP
 107 *    BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
 108 * here verifier looks at prototype of map_lookup_elem() and sees:
 109 * .arg1_type == ARG_CONST_MAP_PTR and R1->type == CONST_PTR_TO_MAP, which is ok,
 110 * Now verifier knows that this map has key of R1->map_ptr->key_size bytes
 111 *
 112 * Then .arg2_type == ARG_PTR_TO_MAP_KEY and R2->type == PTR_TO_STACK, ok so far,
 113 * Now verifier checks that [R2, R2 + map's key_size) are within stack limits
 114 * and were initialized prior to this call.
 115 * If it's ok, then verifier allows this BPF_CALL insn and looks at
 116 * .ret_type which is RET_PTR_TO_MAP_VALUE_OR_NULL, so it sets
 117 * R0->type = PTR_TO_MAP_VALUE_OR_NULL which means bpf_map_lookup_elem() function
 118 * returns ether pointer to map value or NULL.
 119 *
 120 * When type PTR_TO_MAP_VALUE_OR_NULL passes through 'if (reg != 0) goto +off'
 121 * insn, the register holding that pointer in the true branch changes state to
 122 * PTR_TO_MAP_VALUE and the same register changes state to CONST_IMM in the false
 123 * branch. See check_cond_jmp_op().
 124 *
 125 * After the call R0 is set to return type of the function and registers R1-R5
 126 * are set to NOT_INIT to indicate that they are no longer readable.
 127 */
 128
 129struct reg_state {
 130        enum bpf_reg_type type;
 131        union {
 132                /* valid when type == CONST_IMM | PTR_TO_STACK | UNKNOWN_VALUE */
 133                s64 imm;
 134
 135                /* valid when type == PTR_TO_PACKET* */
 136                struct {
 137                        u32 id;
 138                        u16 off;
 139                        u16 range;
 140                };
 141
 142                /* valid when type == CONST_PTR_TO_MAP | PTR_TO_MAP_VALUE |
 143                 *   PTR_TO_MAP_VALUE_OR_NULL
 144                 */
 145                struct bpf_map *map_ptr;
 146        };
 147};
 148
 149enum bpf_stack_slot_type {
 150        STACK_INVALID,    /* nothing was stored in this stack slot */
 151        STACK_SPILL,      /* register spilled into stack */
 152        STACK_MISC        /* BPF program wrote some data into this slot */
 153};
 154
 155#define BPF_REG_SIZE 8  /* size of eBPF register in bytes */
 156
 157/* state of the program:
 158 * type of all registers and stack info
 159 */
 160struct verifier_state {
 161        struct reg_state regs[MAX_BPF_REG];
 162        u8 stack_slot_type[MAX_BPF_STACK];
 163        struct reg_state spilled_regs[MAX_BPF_STACK / BPF_REG_SIZE];
 164};
 165
 166/* linked list of verifier states used to prune search */
 167struct verifier_state_list {
 168        struct verifier_state state;
 169        struct verifier_state_list *next;
 170};
 171
 172/* verifier_state + insn_idx are pushed to stack when branch is encountered */
 173struct verifier_stack_elem {
 174        /* verifer state is 'st'
 175         * before processing instruction 'insn_idx'
 176         * and after processing instruction 'prev_insn_idx'
 177         */
 178        struct verifier_state st;
 179        int insn_idx;
 180        int prev_insn_idx;
 181        struct verifier_stack_elem *next;
 182};
 183
 184#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
 185
 186/* single container for all structs
 187 * one verifier_env per bpf_check() call
 188 */
 189struct verifier_env {
 190        struct bpf_prog *prog;          /* eBPF program being verified */
 191        struct verifier_stack_elem *head; /* stack of verifier states to be processed */
 192        int stack_size;                 /* number of states to be processed */
 193        struct verifier_state cur_state; /* current verifier state */
 194        struct verifier_state_list **explored_states; /* search pruning optimization */
 195        struct bpf_map *used_maps[MAX_USED_MAPS]; /* array of map's used by eBPF program */
 196        u32 used_map_cnt;               /* number of used maps */
 197        u32 id_gen;                     /* used to generate unique reg IDs */
 198        bool allow_ptr_leaks;
 199};
 200
 201#define BPF_COMPLEXITY_LIMIT_INSNS      65536
 202#define BPF_COMPLEXITY_LIMIT_STACK      1024
 203
 204struct bpf_call_arg_meta {
 205        struct bpf_map *map_ptr;
 206        bool raw_mode;
 207        int regno;
 208        int access_size;
 209};
 210
 211/* verbose verifier prints what it's seeing
 212 * bpf_check() is called under lock, so no race to access these global vars
 213 */
 214static u32 log_level, log_size, log_len;
 215static char *log_buf;
 216
 217static DEFINE_MUTEX(bpf_verifier_lock);
 218
 219/* log_level controls verbosity level of eBPF verifier.
 220 * verbose() is used to dump the verification trace to the log, so the user
 221 * can figure out what's wrong with the program
 222 */
 223static __printf(1, 2) void verbose(const char *fmt, ...)
 224{
 225        va_list args;
 226
 227        if (log_level == 0 || log_len >= log_size - 1)
 228                return;
 229
 230        va_start(args, fmt);
 231        log_len += vscnprintf(log_buf + log_len, log_size - log_len, fmt, args);
 232        va_end(args);
 233}
 234
 235/* string representation of 'enum bpf_reg_type' */
 236static const char * const reg_type_str[] = {
 237        [NOT_INIT]              = "?",
 238        [UNKNOWN_VALUE]         = "inv",
 239        [PTR_TO_CTX]            = "ctx",
 240        [CONST_PTR_TO_MAP]      = "map_ptr",
 241        [PTR_TO_MAP_VALUE]      = "map_value",
 242        [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null",
 243        [FRAME_PTR]             = "fp",
 244        [PTR_TO_STACK]          = "fp",
 245        [CONST_IMM]             = "imm",
 246        [PTR_TO_PACKET]         = "pkt",
 247        [PTR_TO_PACKET_END]     = "pkt_end",
 248};
 249
 250static void print_verifier_state(struct verifier_state *state)
 251{
 252        struct reg_state *reg;
 253        enum bpf_reg_type t;
 254        int i;
 255
 256        for (i = 0; i < MAX_BPF_REG; i++) {
 257                reg = &state->regs[i];
 258                t = reg->type;
 259                if (t == NOT_INIT)
 260                        continue;
 261                verbose(" R%d=%s", i, reg_type_str[t]);
 262                if (t == CONST_IMM || t == PTR_TO_STACK)
 263                        verbose("%lld", reg->imm);
 264                else if (t == PTR_TO_PACKET)
 265                        verbose("(id=%d,off=%d,r=%d)",
 266                                reg->id, reg->off, reg->range);
 267                else if (t == UNKNOWN_VALUE && reg->imm)
 268                        verbose("%lld", reg->imm);
 269                else if (t == CONST_PTR_TO_MAP || t == PTR_TO_MAP_VALUE ||
 270                         t == PTR_TO_MAP_VALUE_OR_NULL)
 271                        verbose("(ks=%d,vs=%d)",
 272                                reg->map_ptr->key_size,
 273                                reg->map_ptr->value_size);
 274        }
 275        for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
 276                if (state->stack_slot_type[i] == STACK_SPILL)
 277                        verbose(" fp%d=%s", -MAX_BPF_STACK + i,
 278                                reg_type_str[state->spilled_regs[i / BPF_REG_SIZE].type]);
 279        }
 280        verbose("\n");
 281}
 282
 283static const char *const bpf_class_string[] = {
 284        [BPF_LD]    = "ld",
 285        [BPF_LDX]   = "ldx",
 286        [BPF_ST]    = "st",
 287        [BPF_STX]   = "stx",
 288        [BPF_ALU]   = "alu",
 289        [BPF_JMP]   = "jmp",
 290        [BPF_RET]   = "BUG",
 291        [BPF_ALU64] = "alu64",
 292};
 293
 294static const char *const bpf_alu_string[16] = {
 295        [BPF_ADD >> 4]  = "+=",
 296        [BPF_SUB >> 4]  = "-=",
 297        [BPF_MUL >> 4]  = "*=",
 298        [BPF_DIV >> 4]  = "/=",
 299        [BPF_OR  >> 4]  = "|=",
 300        [BPF_AND >> 4]  = "&=",
 301        [BPF_LSH >> 4]  = "<<=",
 302        [BPF_RSH >> 4]  = ">>=",
 303        [BPF_NEG >> 4]  = "neg",
 304        [BPF_MOD >> 4]  = "%=",
 305        [BPF_XOR >> 4]  = "^=",
 306        [BPF_MOV >> 4]  = "=",
 307        [BPF_ARSH >> 4] = "s>>=",
 308        [BPF_END >> 4]  = "endian",
 309};
 310
 311static const char *const bpf_ldst_string[] = {
 312        [BPF_W >> 3]  = "u32",
 313        [BPF_H >> 3]  = "u16",
 314        [BPF_B >> 3]  = "u8",
 315        [BPF_DW >> 3] = "u64",
 316};
 317
 318static const char *const bpf_jmp_string[16] = {
 319        [BPF_JA >> 4]   = "jmp",
 320        [BPF_JEQ >> 4]  = "==",
 321        [BPF_JGT >> 4]  = ">",
 322        [BPF_JGE >> 4]  = ">=",
 323        [BPF_JSET >> 4] = "&",
 324        [BPF_JNE >> 4]  = "!=",
 325        [BPF_JSGT >> 4] = "s>",
 326        [BPF_JSGE >> 4] = "s>=",
 327        [BPF_CALL >> 4] = "call",
 328        [BPF_EXIT >> 4] = "exit",
 329};
 330
 331static void print_bpf_insn(struct bpf_insn *insn)
 332{
 333        u8 class = BPF_CLASS(insn->code);
 334
 335        if (class == BPF_ALU || class == BPF_ALU64) {
 336                if (BPF_SRC(insn->code) == BPF_X)
 337                        verbose("(%02x) %sr%d %s %sr%d\n",
 338                                insn->code, class == BPF_ALU ? "(u32) " : "",
 339                                insn->dst_reg,
 340                                bpf_alu_string[BPF_OP(insn->code) >> 4],
 341                                class == BPF_ALU ? "(u32) " : "",
 342                                insn->src_reg);
 343                else
 344                        verbose("(%02x) %sr%d %s %s%d\n",
 345                                insn->code, class == BPF_ALU ? "(u32) " : "",
 346                                insn->dst_reg,
 347                                bpf_alu_string[BPF_OP(insn->code) >> 4],
 348                                class == BPF_ALU ? "(u32) " : "",
 349                                insn->imm);
 350        } else if (class == BPF_STX) {
 351                if (BPF_MODE(insn->code) == BPF_MEM)
 352                        verbose("(%02x) *(%s *)(r%d %+d) = r%d\n",
 353                                insn->code,
 354                                bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
 355                                insn->dst_reg,
 356                                insn->off, insn->src_reg);
 357                else if (BPF_MODE(insn->code) == BPF_XADD)
 358                        verbose("(%02x) lock *(%s *)(r%d %+d) += r%d\n",
 359                                insn->code,
 360                                bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
 361                                insn->dst_reg, insn->off,
 362                                insn->src_reg);
 363                else
 364                        verbose("BUG_%02x\n", insn->code);
 365        } else if (class == BPF_ST) {
 366                if (BPF_MODE(insn->code) != BPF_MEM) {
 367                        verbose("BUG_st_%02x\n", insn->code);
 368                        return;
 369                }
 370                verbose("(%02x) *(%s *)(r%d %+d) = %d\n",
 371                        insn->code,
 372                        bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
 373                        insn->dst_reg,
 374                        insn->off, insn->imm);
 375        } else if (class == BPF_LDX) {
 376                if (BPF_MODE(insn->code) != BPF_MEM) {
 377                        verbose("BUG_ldx_%02x\n", insn->code);
 378                        return;
 379                }
 380                verbose("(%02x) r%d = *(%s *)(r%d %+d)\n",
 381                        insn->code, insn->dst_reg,
 382                        bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
 383                        insn->src_reg, insn->off);
 384        } else if (class == BPF_LD) {
 385                if (BPF_MODE(insn->code) == BPF_ABS) {
 386                        verbose("(%02x) r0 = *(%s *)skb[%d]\n",
 387                                insn->code,
 388                                bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
 389                                insn->imm);
 390                } else if (BPF_MODE(insn->code) == BPF_IND) {
 391                        verbose("(%02x) r0 = *(%s *)skb[r%d + %d]\n",
 392                                insn->code,
 393                                bpf_ldst_string[BPF_SIZE(insn->code) >> 3],
 394                                insn->src_reg, insn->imm);
 395                } else if (BPF_MODE(insn->code) == BPF_IMM) {
 396                        verbose("(%02x) r%d = 0x%x\n",
 397                                insn->code, insn->dst_reg, insn->imm);
 398                } else {
 399                        verbose("BUG_ld_%02x\n", insn->code);
 400                        return;
 401                }
 402        } else if (class == BPF_JMP) {
 403                u8 opcode = BPF_OP(insn->code);
 404
 405                if (opcode == BPF_CALL) {
 406                        verbose("(%02x) call %d\n", insn->code, insn->imm);
 407                } else if (insn->code == (BPF_JMP | BPF_JA)) {
 408                        verbose("(%02x) goto pc%+d\n",
 409                                insn->code, insn->off);
 410                } else if (insn->code == (BPF_JMP | BPF_EXIT)) {
 411                        verbose("(%02x) exit\n", insn->code);
 412                } else if (BPF_SRC(insn->code) == BPF_X) {
 413                        verbose("(%02x) if r%d %s r%d goto pc%+d\n",
 414                                insn->code, insn->dst_reg,
 415                                bpf_jmp_string[BPF_OP(insn->code) >> 4],
 416                                insn->src_reg, insn->off);
 417                } else {
 418                        verbose("(%02x) if r%d %s 0x%x goto pc%+d\n",
 419                                insn->code, insn->dst_reg,
 420                                bpf_jmp_string[BPF_OP(insn->code) >> 4],
 421                                insn->imm, insn->off);
 422                }
 423        } else {
 424                verbose("(%02x) %s\n", insn->code, bpf_class_string[class]);
 425        }
 426}
 427
 428static int pop_stack(struct verifier_env *env, int *prev_insn_idx)
 429{
 430        struct verifier_stack_elem *elem;
 431        int insn_idx;
 432
 433        if (env->head == NULL)
 434                return -1;
 435
 436        memcpy(&env->cur_state, &env->head->st, sizeof(env->cur_state));
 437        insn_idx = env->head->insn_idx;
 438        if (prev_insn_idx)
 439                *prev_insn_idx = env->head->prev_insn_idx;
 440        elem = env->head->next;
 441        kfree(env->head);
 442        env->head = elem;
 443        env->stack_size--;
 444        return insn_idx;
 445}
 446
 447static struct verifier_state *push_stack(struct verifier_env *env, int insn_idx,
 448                                         int prev_insn_idx)
 449{
 450        struct verifier_stack_elem *elem;
 451
 452        elem = kmalloc(sizeof(struct verifier_stack_elem), GFP_KERNEL);
 453        if (!elem)
 454                goto err;
 455
 456        memcpy(&elem->st, &env->cur_state, sizeof(env->cur_state));
 457        elem->insn_idx = insn_idx;
 458        elem->prev_insn_idx = prev_insn_idx;
 459        elem->next = env->head;
 460        env->head = elem;
 461        env->stack_size++;
 462        if (env->stack_size > BPF_COMPLEXITY_LIMIT_STACK) {
 463                verbose("BPF program is too complex\n");
 464                goto err;
 465        }
 466        return &elem->st;
 467err:
 468        /* pop all elements and return */
 469        while (pop_stack(env, NULL) >= 0);
 470        return NULL;
 471}
 472
 473#define CALLER_SAVED_REGS 6
 474static const int caller_saved[CALLER_SAVED_REGS] = {
 475        BPF_REG_0, BPF_REG_1, BPF_REG_2, BPF_REG_3, BPF_REG_4, BPF_REG_5
 476};
 477
 478static void init_reg_state(struct reg_state *regs)
 479{
 480        int i;
 481
 482        for (i = 0; i < MAX_BPF_REG; i++) {
 483                regs[i].type = NOT_INIT;
 484                regs[i].imm = 0;
 485        }
 486
 487        /* frame pointer */
 488        regs[BPF_REG_FP].type = FRAME_PTR;
 489
 490        /* 1st arg to a function */
 491        regs[BPF_REG_1].type = PTR_TO_CTX;
 492}
 493
 494static void mark_reg_unknown_value(struct reg_state *regs, u32 regno)
 495{
 496        BUG_ON(regno >= MAX_BPF_REG);
 497        regs[regno].type = UNKNOWN_VALUE;
 498        regs[regno].imm = 0;
 499}
 500
 501enum reg_arg_type {
 502        SRC_OP,         /* register is used as source operand */
 503        DST_OP,         /* register is used as destination operand */
 504        DST_OP_NO_MARK  /* same as above, check only, don't mark */
 505};
 506
 507static int check_reg_arg(struct reg_state *regs, u32 regno,
 508                         enum reg_arg_type t)
 509{
 510        if (regno >= MAX_BPF_REG) {
 511                verbose("R%d is invalid\n", regno);
 512                return -EINVAL;
 513        }
 514
 515        if (t == SRC_OP) {
 516                /* check whether register used as source operand can be read */
 517                if (regs[regno].type == NOT_INIT) {
 518                        verbose("R%d !read_ok\n", regno);
 519                        return -EACCES;
 520                }
 521        } else {
 522                /* check whether register used as dest operand can be written to */
 523                if (regno == BPF_REG_FP) {
 524                        verbose("frame pointer is read only\n");
 525                        return -EACCES;
 526                }
 527                if (t == DST_OP)
 528                        mark_reg_unknown_value(regs, regno);
 529        }
 530        return 0;
 531}
 532
 533static int bpf_size_to_bytes(int bpf_size)
 534{
 535        if (bpf_size == BPF_W)
 536                return 4;
 537        else if (bpf_size == BPF_H)
 538                return 2;
 539        else if (bpf_size == BPF_B)
 540                return 1;
 541        else if (bpf_size == BPF_DW)
 542                return 8;
 543        else
 544                return -EINVAL;
 545}
 546
 547static bool is_spillable_regtype(enum bpf_reg_type type)
 548{
 549        switch (type) {
 550        case PTR_TO_MAP_VALUE:
 551        case PTR_TO_MAP_VALUE_OR_NULL:
 552        case PTR_TO_STACK:
 553        case PTR_TO_CTX:
 554        case PTR_TO_PACKET:
 555        case PTR_TO_PACKET_END:
 556        case FRAME_PTR:
 557        case CONST_PTR_TO_MAP:
 558                return true;
 559        default:
 560                return false;
 561        }
 562}
 563
 564/* check_stack_read/write functions track spill/fill of registers,
 565 * stack boundary and alignment are checked in check_mem_access()
 566 */
 567static int check_stack_write(struct verifier_state *state, int off, int size,
 568                             int value_regno)
 569{
 570        int i;
 571        /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
 572         * so it's aligned access and [off, off + size) are within stack limits
 573         */
 574
 575        if (value_regno >= 0 &&
 576            is_spillable_regtype(state->regs[value_regno].type)) {
 577
 578                /* register containing pointer is being spilled into stack */
 579                if (size != BPF_REG_SIZE) {
 580                        verbose("invalid size of register spill\n");
 581                        return -EACCES;
 582                }
 583
 584                /* save register state */
 585                state->spilled_regs[(MAX_BPF_STACK + off) / BPF_REG_SIZE] =
 586                        state->regs[value_regno];
 587
 588                for (i = 0; i < BPF_REG_SIZE; i++)
 589                        state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL;
 590        } else {
 591                /* regular write of data into stack */
 592                state->spilled_regs[(MAX_BPF_STACK + off) / BPF_REG_SIZE] =
 593                        (struct reg_state) {};
 594
 595                for (i = 0; i < size; i++)
 596                        state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_MISC;
 597        }
 598        return 0;
 599}
 600
 601static int check_stack_read(struct verifier_state *state, int off, int size,
 602                            int value_regno)
 603{
 604        u8 *slot_type;
 605        int i;
 606
 607        slot_type = &state->stack_slot_type[MAX_BPF_STACK + off];
 608
 609        if (slot_type[0] == STACK_SPILL) {
 610                if (size != BPF_REG_SIZE) {
 611                        verbose("invalid size of register spill\n");
 612                        return -EACCES;
 613                }
 614                for (i = 1; i < BPF_REG_SIZE; i++) {
 615                        if (slot_type[i] != STACK_SPILL) {
 616                                verbose("corrupted spill memory\n");
 617                                return -EACCES;
 618                        }
 619                }
 620
 621                if (value_regno >= 0)
 622                        /* restore register state from stack */
 623                        state->regs[value_regno] =
 624                                state->spilled_regs[(MAX_BPF_STACK + off) / BPF_REG_SIZE];
 625                return 0;
 626        } else {
 627                for (i = 0; i < size; i++) {
 628                        if (slot_type[i] != STACK_MISC) {
 629                                verbose("invalid read from stack off %d+%d size %d\n",
 630                                        off, i, size);
 631                                return -EACCES;
 632                        }
 633                }
 634                if (value_regno >= 0)
 635                        /* have read misc data from the stack */
 636                        mark_reg_unknown_value(state->regs, value_regno);
 637                return 0;
 638        }
 639}
 640
 641/* check read/write into map element returned by bpf_map_lookup_elem() */
 642static int check_map_access(struct verifier_env *env, u32 regno, int off,
 643                            int size)
 644{
 645        struct bpf_map *map = env->cur_state.regs[regno].map_ptr;
 646
 647        if (off < 0 || off + size > map->value_size) {
 648                verbose("invalid access to map value, value_size=%d off=%d size=%d\n",
 649                        map->value_size, off, size);
 650                return -EACCES;
 651        }
 652        return 0;
 653}
 654
 655#define MAX_PACKET_OFF 0xffff
 656
 657static bool may_write_pkt_data(enum bpf_prog_type type)
 658{
 659        switch (type) {
 660        case BPF_PROG_TYPE_XDP:
 661                return true;
 662        default:
 663                return false;
 664        }
 665}
 666
 667static int check_packet_access(struct verifier_env *env, u32 regno, int off,
 668                               int size)
 669{
 670        struct reg_state *regs = env->cur_state.regs;
 671        struct reg_state *reg = &regs[regno];
 672
 673        off += reg->off;
 674        if (off < 0 || off + size > reg->range) {
 675                verbose("invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n",
 676                        off, size, regno, reg->id, reg->off, reg->range);
 677                return -EACCES;
 678        }
 679        return 0;
 680}
 681
 682/* check access to 'struct bpf_context' fields */
 683static int check_ctx_access(struct verifier_env *env, int off, int size,
 684                            enum bpf_access_type t, enum bpf_reg_type *reg_type)
 685{
 686        if (env->prog->aux->ops->is_valid_access &&
 687            env->prog->aux->ops->is_valid_access(off, size, t, reg_type)) {
 688                /* remember the offset of last byte accessed in ctx */
 689                if (env->prog->aux->max_ctx_offset < off + size)
 690                        env->prog->aux->max_ctx_offset = off + size;
 691                return 0;
 692        }
 693
 694        verbose("invalid bpf_context access off=%d size=%d\n", off, size);
 695        return -EACCES;
 696}
 697
 698static bool is_pointer_value(struct verifier_env *env, int regno)
 699{
 700        if (env->allow_ptr_leaks)
 701                return false;
 702
 703        switch (env->cur_state.regs[regno].type) {
 704        case UNKNOWN_VALUE:
 705        case CONST_IMM:
 706                return false;
 707        default:
 708                return true;
 709        }
 710}
 711
 712static int check_ptr_alignment(struct verifier_env *env, struct reg_state *reg,
 713                               int off, int size)
 714{
 715        if (reg->type != PTR_TO_PACKET) {
 716                if (off % size != 0) {
 717                        verbose("misaligned access off %d size %d\n", off, size);
 718                        return -EACCES;
 719                } else {
 720                        return 0;
 721                }
 722        }
 723
 724        switch (env->prog->type) {
 725        case BPF_PROG_TYPE_SCHED_CLS:
 726        case BPF_PROG_TYPE_SCHED_ACT:
 727        case BPF_PROG_TYPE_XDP:
 728                break;
 729        default:
 730                verbose("verifier is misconfigured\n");
 731                return -EACCES;
 732        }
 733
 734        if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
 735                /* misaligned access to packet is ok on x86,arm,arm64 */
 736                return 0;
 737
 738        if (reg->id && size != 1) {
 739                verbose("Unknown packet alignment. Only byte-sized access allowed\n");
 740                return -EACCES;
 741        }
 742
 743        /* skb->data is NET_IP_ALIGN-ed */
 744        if ((NET_IP_ALIGN + reg->off + off) % size != 0) {
 745                verbose("misaligned packet access off %d+%d+%d size %d\n",
 746                        NET_IP_ALIGN, reg->off, off, size);
 747                return -EACCES;
 748        }
 749        return 0;
 750}
 751
 752/* check whether memory at (regno + off) is accessible for t = (read | write)
 753 * if t==write, value_regno is a register which value is stored into memory
 754 * if t==read, value_regno is a register which will receive the value from memory
 755 * if t==write && value_regno==-1, some unknown value is stored into memory
 756 * if t==read && value_regno==-1, don't care what we read from memory
 757 */
 758static int check_mem_access(struct verifier_env *env, u32 regno, int off,
 759                            int bpf_size, enum bpf_access_type t,
 760                            int value_regno)
 761{
 762        struct verifier_state *state = &env->cur_state;
 763        struct reg_state *reg = &state->regs[regno];
 764        int size, err = 0;
 765
 766        if (reg->type == PTR_TO_STACK)
 767                off += reg->imm;
 768
 769        size = bpf_size_to_bytes(bpf_size);
 770        if (size < 0)
 771                return size;
 772
 773        err = check_ptr_alignment(env, reg, off, size);
 774        if (err)
 775                return err;
 776
 777        if (reg->type == PTR_TO_MAP_VALUE) {
 778                if (t == BPF_WRITE && value_regno >= 0 &&
 779                    is_pointer_value(env, value_regno)) {
 780                        verbose("R%d leaks addr into map\n", value_regno);
 781                        return -EACCES;
 782                }
 783                err = check_map_access(env, regno, off, size);
 784                if (!err && t == BPF_READ && value_regno >= 0)
 785                        mark_reg_unknown_value(state->regs, value_regno);
 786
 787        } else if (reg->type == PTR_TO_CTX) {
 788                enum bpf_reg_type reg_type = UNKNOWN_VALUE;
 789
 790                if (t == BPF_WRITE && value_regno >= 0 &&
 791                    is_pointer_value(env, value_regno)) {
 792                        verbose("R%d leaks addr into ctx\n", value_regno);
 793                        return -EACCES;
 794                }
 795                err = check_ctx_access(env, off, size, t, &reg_type);
 796                if (!err && t == BPF_READ && value_regno >= 0) {
 797                        mark_reg_unknown_value(state->regs, value_regno);
 798                        if (env->allow_ptr_leaks)
 799                                /* note that reg.[id|off|range] == 0 */
 800                                state->regs[value_regno].type = reg_type;
 801                }
 802
 803        } else if (reg->type == FRAME_PTR || reg->type == PTR_TO_STACK) {
 804                if (off >= 0 || off < -MAX_BPF_STACK) {
 805                        verbose("invalid stack off=%d size=%d\n", off, size);
 806                        return -EACCES;
 807                }
 808                if (t == BPF_WRITE) {
 809                        if (!env->allow_ptr_leaks &&
 810                            state->stack_slot_type[MAX_BPF_STACK + off] == STACK_SPILL &&
 811                            size != BPF_REG_SIZE) {
 812                                verbose("attempt to corrupt spilled pointer on stack\n");
 813                                return -EACCES;
 814                        }
 815                        err = check_stack_write(state, off, size, value_regno);
 816                } else {
 817                        err = check_stack_read(state, off, size, value_regno);
 818                }
 819        } else if (state->regs[regno].type == PTR_TO_PACKET) {
 820                if (t == BPF_WRITE && !may_write_pkt_data(env->prog->type)) {
 821                        verbose("cannot write into packet\n");
 822                        return -EACCES;
 823                }
 824                if (t == BPF_WRITE && value_regno >= 0 &&
 825                    is_pointer_value(env, value_regno)) {
 826                        verbose("R%d leaks addr into packet\n", value_regno);
 827                        return -EACCES;
 828                }
 829                err = check_packet_access(env, regno, off, size);
 830                if (!err && t == BPF_READ && value_regno >= 0)
 831                        mark_reg_unknown_value(state->regs, value_regno);
 832        } else {
 833                verbose("R%d invalid mem access '%s'\n",
 834                        regno, reg_type_str[reg->type]);
 835                return -EACCES;
 836        }
 837
 838        if (!err && size <= 2 && value_regno >= 0 && env->allow_ptr_leaks &&
 839            state->regs[value_regno].type == UNKNOWN_VALUE) {
 840                /* 1 or 2 byte load zero-extends, determine the number of
 841                 * zero upper bits. Not doing it fo 4 byte load, since
 842                 * such values cannot be added to ptr_to_packet anyway.
 843                 */
 844                state->regs[value_regno].imm = 64 - size * 8;
 845        }
 846        return err;
 847}
 848
 849static int check_xadd(struct verifier_env *env, struct bpf_insn *insn)
 850{
 851        struct reg_state *regs = env->cur_state.regs;
 852        int err;
 853
 854        if ((BPF_SIZE(insn->code) != BPF_W && BPF_SIZE(insn->code) != BPF_DW) ||
 855            insn->imm != 0) {
 856                verbose("BPF_XADD uses reserved fields\n");
 857                return -EINVAL;
 858        }
 859
 860        /* check src1 operand */
 861        err = check_reg_arg(regs, insn->src_reg, SRC_OP);
 862        if (err)
 863                return err;
 864
 865        /* check src2 operand */
 866        err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
 867        if (err)
 868                return err;
 869
 870        /* check whether atomic_add can read the memory */
 871        err = check_mem_access(env, insn->dst_reg, insn->off,
 872                               BPF_SIZE(insn->code), BPF_READ, -1);
 873        if (err)
 874                return err;
 875
 876        /* check whether atomic_add can write into the same memory */
 877        return check_mem_access(env, insn->dst_reg, insn->off,
 878                                BPF_SIZE(insn->code), BPF_WRITE, -1);
 879}
 880
 881/* when register 'regno' is passed into function that will read 'access_size'
 882 * bytes from that pointer, make sure that it's within stack boundary
 883 * and all elements of stack are initialized
 884 */
 885static int check_stack_boundary(struct verifier_env *env, int regno,
 886                                int access_size, bool zero_size_allowed,
 887                                struct bpf_call_arg_meta *meta)
 888{
 889        struct verifier_state *state = &env->cur_state;
 890        struct reg_state *regs = state->regs;
 891        int off, i;
 892
 893        if (regs[regno].type != PTR_TO_STACK) {
 894                if (zero_size_allowed && access_size == 0 &&
 895                    regs[regno].type == CONST_IMM &&
 896                    regs[regno].imm  == 0)
 897                        return 0;
 898
 899                verbose("R%d type=%s expected=%s\n", regno,
 900                        reg_type_str[regs[regno].type],
 901                        reg_type_str[PTR_TO_STACK]);
 902                return -EACCES;
 903        }
 904
 905        off = regs[regno].imm;
 906        if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
 907            access_size <= 0) {
 908                verbose("invalid stack type R%d off=%d access_size=%d\n",
 909                        regno, off, access_size);
 910                return -EACCES;
 911        }
 912
 913        if (meta && meta->raw_mode) {
 914                meta->access_size = access_size;
 915                meta->regno = regno;
 916                return 0;
 917        }
 918
 919        for (i = 0; i < access_size; i++) {
 920                if (state->stack_slot_type[MAX_BPF_STACK + off + i] != STACK_MISC) {
 921                        verbose("invalid indirect read from stack off %d+%d size %d\n",
 922                                off, i, access_size);
 923                        return -EACCES;
 924                }
 925        }
 926        return 0;
 927}
 928
 929static int check_func_arg(struct verifier_env *env, u32 regno,
 930                          enum bpf_arg_type arg_type,
 931                          struct bpf_call_arg_meta *meta)
 932{
 933        struct reg_state *reg = env->cur_state.regs + regno;
 934        enum bpf_reg_type expected_type;
 935        int err = 0;
 936
 937        if (arg_type == ARG_DONTCARE)
 938                return 0;
 939
 940        if (reg->type == NOT_INIT) {
 941                verbose("R%d !read_ok\n", regno);
 942                return -EACCES;
 943        }
 944
 945        if (arg_type == ARG_ANYTHING) {
 946                if (is_pointer_value(env, regno)) {
 947                        verbose("R%d leaks addr into helper function\n", regno);
 948                        return -EACCES;
 949                }
 950                return 0;
 951        }
 952
 953        if (arg_type == ARG_PTR_TO_MAP_KEY ||
 954            arg_type == ARG_PTR_TO_MAP_VALUE) {
 955                expected_type = PTR_TO_STACK;
 956        } else if (arg_type == ARG_CONST_STACK_SIZE ||
 957                   arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) {
 958                expected_type = CONST_IMM;
 959        } else if (arg_type == ARG_CONST_MAP_PTR) {
 960                expected_type = CONST_PTR_TO_MAP;
 961        } else if (arg_type == ARG_PTR_TO_CTX) {
 962                expected_type = PTR_TO_CTX;
 963        } else if (arg_type == ARG_PTR_TO_STACK ||
 964                   arg_type == ARG_PTR_TO_RAW_STACK) {
 965                expected_type = PTR_TO_STACK;
 966                /* One exception here. In case function allows for NULL to be
 967                 * passed in as argument, it's a CONST_IMM type. Final test
 968                 * happens during stack boundary checking.
 969                 */
 970                if (reg->type == CONST_IMM && reg->imm == 0)
 971                        expected_type = CONST_IMM;
 972                meta->raw_mode = arg_type == ARG_PTR_TO_RAW_STACK;
 973        } else {
 974                verbose("unsupported arg_type %d\n", arg_type);
 975                return -EFAULT;
 976        }
 977
 978        if (reg->type != expected_type) {
 979                verbose("R%d type=%s expected=%s\n", regno,
 980                        reg_type_str[reg->type], reg_type_str[expected_type]);
 981                return -EACCES;
 982        }
 983
 984        if (arg_type == ARG_CONST_MAP_PTR) {
 985                /* bpf_map_xxx(map_ptr) call: remember that map_ptr */
 986                meta->map_ptr = reg->map_ptr;
 987        } else if (arg_type == ARG_PTR_TO_MAP_KEY) {
 988                /* bpf_map_xxx(..., map_ptr, ..., key) call:
 989                 * check that [key, key + map->key_size) are within
 990                 * stack limits and initialized
 991                 */
 992                if (!meta->map_ptr) {
 993                        /* in function declaration map_ptr must come before
 994                         * map_key, so that it's verified and known before
 995                         * we have to check map_key here. Otherwise it means
 996                         * that kernel subsystem misconfigured verifier
 997                         */
 998                        verbose("invalid map_ptr to access map->key\n");
 999                        return -EACCES;
1000                }

1001                err = check_stack_boundary(env, regno, meta->map_ptr->key_size,
1002                                           false, NULL);
1003        } else if (arg_type == ARG_PTR_TO_MAP_VALUE) {
1004                /* bpf_map_xxx(..., map_ptr, ..., value) call:
1005                 * check [value, value + map->value_size) validity
1006                 */
1007                if (!meta->map_ptr) {
1008                        /* kernel subsystem misconfigured verifier */
1009                        verbose("invalid map_ptr to access map->value\n");
1010                        return -EACCES;
1011                }
1012                err = check_stack_boundary(env, regno,
1013                                           meta->map_ptr->value_size,
1014                                           false, NULL);
1015        } else if (arg_type == ARG_CONST_STACK_SIZE ||
1016                   arg_type == ARG_CONST_STACK_SIZE_OR_ZERO) {
1017                bool zero_size_allowed = (arg_type == ARG_CONST_STACK_SIZE_OR_ZERO);
1018
1019                /* bpf_xxx(..., buf, len) call will access 'len' bytes
1020                 * from stack pointer 'buf'. Check it
1021                 * note: regno == len, regno - 1 == buf
1022                 */
1023                if (regno == 0) {
1024                        /* kernel subsystem misconfigured verifier */
1025                        verbose("ARG_CONST_STACK_SIZE cannot be first argument\n");
1026                        return -EACCES;
1027                }
1028                err = check_stack_boundary(env, regno - 1, reg->imm,
1029                                           zero_size_allowed, meta);
1030        }
1031
1032        return err;
1033}
1034
1035static int check_map_func_compatibility(struct bpf_map *map, int func_id)
1036{
1037        if (!map)
1038                return 0;
1039
1040        /* We need a two way check, first is from map perspective ... */
1041        switch (map->map_type) {
1042        case BPF_MAP_TYPE_PROG_ARRAY:
1043                if (func_id != BPF_FUNC_tail_call)
1044                        goto error;
1045                break;
1046        case BPF_MAP_TYPE_PERF_EVENT_ARRAY:
1047                if (func_id != BPF_FUNC_perf_event_read &&
1048                    func_id != BPF_FUNC_perf_event_output)
1049                        goto error;
1050                break;
1051        case BPF_MAP_TYPE_STACK_TRACE:
1052                if (func_id != BPF_FUNC_get_stackid)
1053                        goto error;
1054                break;
1055        case BPF_MAP_TYPE_CGROUP_ARRAY:
1056                if (func_id != BPF_FUNC_skb_under_cgroup)
1057                        goto error;
1058                break;
1059        default:
1060                break;
1061        }
1062
1063        /* ... and second from the function itself. */
1064        switch (func_id) {
1065        case BPF_FUNC_tail_call:
1066                if (map->map_type != BPF_MAP_TYPE_PROG_ARRAY)
1067                        goto error;
1068                break;
1069        case BPF_FUNC_perf_event_read:
1070        case BPF_FUNC_perf_event_output:
1071                if (map->map_type != BPF_MAP_TYPE_PERF_EVENT_ARRAY)
1072                        goto error;
1073                break;
1074        case BPF_FUNC_get_stackid:
1075                if (map->map_type != BPF_MAP_TYPE_STACK_TRACE)
1076                        goto error;
1077                break;
1078        case BPF_FUNC_skb_under_cgroup:
1079                if (map->map_type != BPF_MAP_TYPE_CGROUP_ARRAY)
1080                        goto error;
1081                break;
1082        default:
1083                break;
1084        }
1085
1086        return 0;
1087error:
1088        verbose("cannot pass map_type %d into func %d\n",
1089                map->map_type, func_id);
1090        return -EINVAL;
1091}
1092
1093static int check_raw_mode(const struct bpf_func_proto *fn)
1094{
1095        int count = 0;
1096
1097        if (fn->arg1_type == ARG_PTR_TO_RAW_STACK)
1098                count++;
1099        if (fn->arg2_type == ARG_PTR_TO_RAW_STACK)
1100                count++;
1101        if (fn->arg3_type == ARG_PTR_TO_RAW_STACK)
1102                count++;
1103        if (fn->arg4_type == ARG_PTR_TO_RAW_STACK)
1104                count++;
1105        if (fn->arg5_type == ARG_PTR_TO_RAW_STACK)
1106                count++;
1107
1108        return count > 1 ? -EINVAL : 0;
1109}
1110
1111static void clear_all_pkt_pointers(struct verifier_env *env)
1112{
1113        struct verifier_state *state = &env->cur_state;
1114        struct reg_state *regs = state->regs, *reg;
1115        int i;
1116
1117        for (i = 0; i < MAX_BPF_REG; i++)
1118                if (regs[i].type == PTR_TO_PACKET ||
1119                    regs[i].type == PTR_TO_PACKET_END)
1120                        mark_reg_unknown_value(regs, i);
1121
1122        for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
1123                if (state->stack_slot_type[i] != STACK_SPILL)
1124                        continue;
1125                reg = &state->spilled_regs[i / BPF_REG_SIZE];
1126                if (reg->type != PTR_TO_PACKET &&
1127                    reg->type != PTR_TO_PACKET_END)
1128                        continue;
1129                reg->type = UNKNOWN_VALUE;
1130                reg->imm = 0;
1131        }
1132}
1133
1134static int check_call(struct verifier_env *env, int func_id)
1135{
1136        struct verifier_state *state = &env->cur_state;
1137        const struct bpf_func_proto *fn = NULL;
1138        struct reg_state *regs = state->regs;
1139        struct reg_state *reg;
1140        struct bpf_call_arg_meta meta;
1141        bool changes_data;
1142        int i, err;
1143
1144        /* find function prototype */
1145        if (func_id < 0 || func_id >= __BPF_FUNC_MAX_ID) {
1146                verbose("invalid func %d\n", func_id);
1147                return -EINVAL;
1148        }
1149
1150        if (env->prog->aux->ops->get_func_proto)
1151                fn = env->prog->aux->ops->get_func_proto(func_id);
1152
1153        if (!fn) {
1154                verbose("unknown func %d\n", func_id);
1155                return -EINVAL;
1156        }
1157
1158        /* eBPF programs must be GPL compatible to use GPL-ed functions */
1159        if (!env->prog->gpl_compatible && fn->gpl_only) {
1160                verbose("cannot call GPL only function from proprietary program\n");
1161                return -EINVAL;
1162        }
1163
1164        changes_data = bpf_helper_changes_skb_data(fn->func);
1165
1166        memset(&meta, 0, sizeof(meta));
1167
1168        /* We only support one arg being in raw mode at the moment, which
1169         * is sufficient for the helper functions we have right now.
1170         */
1171        err = check_raw_mode(fn);
1172        if (err) {
1173                verbose("kernel subsystem misconfigured func %d\n", func_id);
1174                return err;
1175        }
1176
1177        /* check args */
1178        err = check_func_arg(env, BPF_REG_1, fn->arg1_type, &meta);
1179        if (err)
1180                return err;
1181        err = check_func_arg(env, BPF_REG_2, fn->arg2_type, &meta);
1182        if (err)
1183                return err;
1184        err = check_func_arg(env, BPF_REG_3, fn->arg3_type, &meta);
1185        if (err)
1186                return err;
1187        err = check_func_arg(env, BPF_REG_4, fn->arg4_type, &meta);
1188        if (err)
1189                return err;
1190        err = check_func_arg(env, BPF_REG_5, fn->arg5_type, &meta);
1191        if (err)
1192                return err;
1193
1194        /* Mark slots with STACK_MISC in case of raw mode, stack offset
1195         * is inferred from register state.
1196         */
1197        for (i = 0; i < meta.access_size; i++) {
1198                err = check_mem_access(env, meta.regno, i, BPF_B, BPF_WRITE, -1);
1199                if (err)
1200                        return err;
1201        }
1202
1203        /* reset caller saved regs */
1204        for (i = 0; i < CALLER_SAVED_REGS; i++) {
1205                reg = regs + caller_saved[i];
1206                reg->type = NOT_INIT;
1207                reg->imm = 0;
1208        }
1209
1210        /* update return register */
1211        if (fn->ret_type == RET_INTEGER) {
1212                regs[BPF_REG_0].type = UNKNOWN_VALUE;
1213        } else if (fn->ret_type == RET_VOID) {
1214                regs[BPF_REG_0].type = NOT_INIT;
1215        } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) {
1216                regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
1217                /* remember map_ptr, so that check_map_access()
1218                 * can check 'value_size' boundary of memory access
1219                 * to map element returned from bpf_map_lookup_elem()
1220                 */
1221                if (meta.map_ptr == NULL) {
1222                        verbose("kernel subsystem misconfigured verifier\n");
1223                        return -EINVAL;
1224                }
1225                regs[BPF_REG_0].map_ptr = meta.map_ptr;
1226        } else {
1227                verbose("unknown return type %d of func %d\n",
1228                        fn->ret_type, func_id);
1229                return -EINVAL;
1230        }
1231
1232        err = check_map_func_compatibility(meta.map_ptr, func_id);
1233        if (err)
1234                return err;
1235
1236        if (changes_data)
1237                clear_all_pkt_pointers(env);
1238        return 0;
1239}
1240
1241static int check_packet_ptr_add(struct verifier_env *env, struct bpf_insn *insn)
1242{
1243        struct reg_state *regs = env->cur_state.regs;
1244        struct reg_state *dst_reg = &regs[insn->dst_reg];
1245        struct reg_state *src_reg = &regs[insn->src_reg];
1246        struct reg_state tmp_reg;
1247        s32 imm;
1248
1249        if (BPF_SRC(insn->code) == BPF_K) {
1250                /* pkt_ptr += imm */
1251                imm = insn->imm;
1252
1253add_imm:
1254                if (imm <= 0) {
1255                        verbose("addition of negative constant to packet pointer is not allowed\n");
1256                        return -EACCES;
1257                }
1258                if (imm >= MAX_PACKET_OFF ||
1259                    imm + dst_reg->off >= MAX_PACKET_OFF) {
1260                        verbose("constant %d is too large to add to packet pointer\n",
1261                                imm);
1262                        return -EACCES;
1263                }
1264                /* a constant was added to pkt_ptr.
1265                 * Remember it while keeping the same 'id'
1266                 */
1267                dst_reg->off += imm;
1268        } else {
1269                if (src_reg->type == PTR_TO_PACKET) {
1270                        /* R6=pkt(id=0,off=0,r=62) R7=imm22; r7 += r6 */
1271                        tmp_reg = *dst_reg;  /* save r7 state */
1272                        *dst_reg = *src_reg; /* copy pkt_ptr state r6 into r7 */
1273                        src_reg = &tmp_reg;  /* pretend it's src_reg state */
1274                        /* if the checks below reject it, the copy won't matter,
1275                         * since we're rejecting the whole program. If all ok,
1276                         * then imm22 state will be added to r7
1277                         * and r7 will be pkt(id=0,off=22,r=62) while
1278                         * r6 will stay as pkt(id=0,off=0,r=62)
1279                         */
1280                }
1281
1282                if (src_reg->type == CONST_IMM) {
1283                        /* pkt_ptr += reg where reg is known constant */
1284                        imm = src_reg->imm;
1285                        goto add_imm;
1286                }
1287                /* disallow pkt_ptr += reg
1288                 * if reg is not uknown_value with guaranteed zero upper bits
1289                 * otherwise pkt_ptr may overflow and addition will become
1290                 * subtraction which is not allowed
1291                 */
1292                if (src_reg->type != UNKNOWN_VALUE) {
1293                        verbose("cannot add '%s' to ptr_to_packet\n",
1294                                reg_type_str[src_reg->type]);
1295                        return -EACCES;
1296                }
1297                if (src_reg->imm < 48) {
1298                        verbose("cannot add integer value with %lld upper zero bits to ptr_to_packet\n",
1299                                src_reg->imm);
1300                        return -EACCES;
1301                }
1302                /* dst_reg stays as pkt_ptr type and since some positive
1303                 * integer value was added to the pointer, increment its 'id'
1304                 */
1305                dst_reg->id = ++env->id_gen;
1306
1307                /* something was added to pkt_ptr, set range and off to zero */
1308                dst_reg->off = 0;
1309                dst_reg->range = 0;
1310        }
1311        return 0;
1312}
1313
1314static int evaluate_reg_alu(struct verifier_env *env, struct bpf_insn *insn)
1315{
1316        struct reg_state *regs = env->cur_state.regs;
1317        struct reg_state *dst_reg = &regs[insn->dst_reg];
1318        u8 opcode = BPF_OP(insn->code);
1319        s64 imm_log2;
1320
1321        /* for type == UNKNOWN_VALUE:
1322         * imm > 0 -> number of zero upper bits
1323         * imm == 0 -> don't track which is the same as all bits can be non-zero
1324         */
1325
1326        if (BPF_SRC(insn->code) == BPF_X) {
1327                struct reg_state *src_reg = &regs[insn->src_reg];
1328
1329                if (src_reg->type == UNKNOWN_VALUE && src_reg->imm > 0 &&
1330                    dst_reg->imm && opcode == BPF_ADD) {
1331                        /* dreg += sreg
1332                         * where both have zero upper bits. Adding them
1333                         * can only result making one more bit non-zero
1334                         * in the larger value.
1335                         * Ex. 0xffff (imm=48) + 1 (imm=63) = 0x10000 (imm=47)
1336                         *     0xffff (imm=48) + 0xffff = 0x1fffe (imm=47)
1337                         */
1338                        dst_reg->imm = min(dst_reg->imm, src_reg->imm);
1339                        dst_reg->imm--;
1340                        return 0;
1341                }
1342                if (src_reg->type == CONST_IMM && src_reg->imm > 0 &&
1343                    dst_reg->imm && opcode == BPF_ADD) {
1344                        /* dreg += sreg
1345                         * where dreg has zero upper bits and sreg is const.
1346                         * Adding them can only result making one more bit
1347                         * non-zero in the larger value.
1348                         */
1349                        imm_log2 = __ilog2_u64((long long)src_reg->imm);
1350                        dst_reg->imm = min(dst_reg->imm, 63 - imm_log2);
1351                        dst_reg->imm--;
1352                        return 0;
1353                }
1354                /* all other cases non supported yet, just mark dst_reg */
1355                dst_reg->imm = 0;
1356                return 0;
1357        }
1358
1359        /* sign extend 32-bit imm into 64-bit to make sure that
1360         * negative values occupy bit 63. Note ilog2() would have
1361         * been incorrect, since sizeof(insn->imm) == 4
1362         */
1363        imm_log2 = __ilog2_u64((long long)insn->imm);
1364
1365        if (dst_reg->imm && opcode == BPF_LSH) {
1366                /* reg <<= imm
1367                 * if reg was a result of 2 byte load, then its imm == 48
1368                 * which means that upper 48 bits are zero and shifting this reg
1369                 * left by 4 would mean that upper 44 bits are still zero
1370                 */
1371                dst_reg->imm -= insn->imm;
1372        } else if (dst_reg->imm && opcode == BPF_MUL) {
1373                /* reg *= imm
1374                 * if multiplying by 14 subtract 4
1375                 * This is conservative calculation of upper zero bits.
1376                 * It's not trying to special case insn->imm == 1 or 0 cases
1377                 */
1378                dst_reg->imm -= imm_log2 + 1;
1379        } else if (opcode == BPF_AND) {
1380                /* reg &= imm */
1381                dst_reg->imm = 63 - imm_log2;
1382        } else if (dst_reg->imm && opcode == BPF_ADD) {
1383                /* reg += imm */
1384                dst_reg->imm = min(dst_reg->imm, 63 - imm_log2);
1385                dst_reg->imm--;
1386        } else if (opcode == BPF_RSH) {
1387                /* reg >>= imm
1388                 * which means that after right shift, upper bits will be zero
1389                 * note that verifier already checked that
1390                 * 0 <= imm < 64 for shift insn
1391                 */
1392                dst_reg->imm += insn->imm;
1393                if (unlikely(dst_reg->imm > 64))
1394                        /* some dumb code did:
1395                         * r2 = *(u32 *)mem;
1396                         * r2 >>= 32;
1397                         * and all bits are zero now */
1398                        dst_reg->imm = 64;
1399        } else {
1400                /* all other alu ops, means that we don't know what will
1401                 * happen to the value, mark it with unknown number of zero bits
1402                 */
1403                dst_reg->imm = 0;
1404        }
1405
1406        if (dst_reg->imm < 0) {
1407                /* all 64 bits of the register can contain non-zero bits
1408                 * and such value cannot be added to ptr_to_packet, since it
1409                 * may overflow, mark it as unknown to avoid further eval
1410                 */
1411                dst_reg->imm = 0;
1412        }
1413        return 0;
1414}
1415
1416static int evaluate_reg_imm_alu(struct verifier_env *env, struct bpf_insn *insn)
1417{
1418        struct reg_state *regs = env->cur_state.regs;
1419        struct reg_state *dst_reg = &regs[insn->dst_reg];
1420        struct reg_state *src_reg = &regs[insn->src_reg];
1421        u8 opcode = BPF_OP(insn->code);
1422
1423        /* dst_reg->type == CONST_IMM here, simulate execution of 'add' insn.
1424         * Don't care about overflow or negative values, just add them
1425         */
1426        if (opcode == BPF_ADD && BPF_SRC(insn->code) == BPF_K)
1427                dst_reg->imm += insn->imm;
1428        else if (opcode == BPF_ADD && BPF_SRC(insn->code) == BPF_X &&
1429                 src_reg->type == CONST_IMM)
1430                dst_reg->imm += src_reg->imm;
1431        else
1432                mark_reg_unknown_value(regs, insn->dst_reg);
1433        return 0;
1434}
1435
1436/* check validity of 32-bit and 64-bit arithmetic operations */
1437static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn)
1438{
1439        struct reg_state *regs = env->cur_state.regs, *dst_reg;
1440        u8 opcode = BPF_OP(insn->code);
1441        int err;
1442
1443        if (opcode == BPF_END || opcode == BPF_NEG) {
1444                if (opcode == BPF_NEG) {
1445                        if (BPF_SRC(insn->code) != 0 ||
1446                            insn->src_reg != BPF_REG_0 ||
1447                            insn->off != 0 || insn->imm != 0) {
1448                                verbose("BPF_NEG uses reserved fields\n");
1449                                return -EINVAL;
1450                        }
1451                } else {
1452                        if (insn->src_reg != BPF_REG_0 || insn->off != 0 ||
1453                            (insn->imm != 16 && insn->imm != 32 && insn->imm != 64)) {
1454                                verbose("BPF_END uses reserved fields\n");
1455                                return -EINVAL;
1456                        }
1457                }
1458
1459                /* check src operand */
1460                err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
1461                if (err)
1462                        return err;
1463
1464                if (is_pointer_value(env, insn->dst_reg)) {
1465                        verbose("R%d pointer arithmetic prohibited\n",
1466                                insn->dst_reg);
1467                        return -EACCES;
1468                }
1469
1470                /* check dest operand */
1471                err = check_reg_arg(regs, insn->dst_reg, DST_OP);
1472                if (err)
1473                        return err;
1474
1475        } else if (opcode == BPF_MOV) {
1476
1477                if (BPF_SRC(insn->code) == BPF_X) {
1478                        if (insn->imm != 0 || insn->off != 0) {
1479                                verbose("BPF_MOV uses reserved fields\n");
1480                                return -EINVAL;
1481                        }
1482
1483                        /* check src operand */
1484                        err = check_reg_arg(regs, insn->src_reg, SRC_OP);
1485                        if (err)
1486                                return err;
1487                } else {
1488                        if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
1489                                verbose("BPF_MOV uses reserved fields\n");
1490                                return -EINVAL;
1491                        }
1492                }
1493
1494                /* check dest operand */
1495                err = check_reg_arg(regs, insn->dst_reg, DST_OP);
1496                if (err)
1497                        return err;
1498
1499                if (BPF_SRC(insn->code) == BPF_X) {
1500                        if (BPF_CLASS(insn->code) == BPF_ALU64) {
1501                                /* case: R1 = R2
1502                                 * copy register state to dest reg
1503                                 */
1504                                regs[insn->dst_reg] = regs[insn->src_reg];
1505                        } else {
1506                                if (is_pointer_value(env, insn->src_reg)) {
1507                                        verbose("R%d partial copy of pointer\n",
1508                                                insn->src_reg);
1509                                        return -EACCES;
1510                                }
1511                                regs[insn->dst_reg].type = UNKNOWN_VALUE;
1512                                regs[insn->dst_reg].map_ptr = NULL;
1513                        }
1514                } else {
1515                        /* case: R = imm
1516                         * remember the value we stored into this reg
1517                         */
1518                        regs[insn->dst_reg].type = CONST_IMM;
1519                        regs[insn->dst_reg].imm = insn->imm;
1520                }
1521
1522        } else if (opcode > BPF_END) {
1523                verbose("invalid BPF_ALU opcode %x\n", opcode);
1524                return -EINVAL;
1525
1526        } else {        /* all other ALU ops: and, sub, xor, add, ... */
1527
1528                if (BPF_SRC(insn->code) == BPF_X) {
1529                        if (insn->imm != 0 || insn->off != 0) {
1530                                verbose("BPF_ALU uses reserved fields\n");
1531                                return -EINVAL;
1532                        }
1533                        /* check src1 operand */
1534                        err = check_reg_arg(regs, insn->src_reg, SRC_OP);
1535                        if (err)
1536                                return err;
1537                } else {
1538                        if (insn->src_reg != BPF_REG_0 || insn->off != 0) {
1539                                verbose("BPF_ALU uses reserved fields\n");
1540                                return -EINVAL;
1541                        }
1542                }
1543
1544                /* check src2 operand */
1545                err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
1546                if (err)
1547                        return err;
1548
1549                if ((opcode == BPF_MOD || opcode == BPF_DIV) &&
1550                    BPF_SRC(insn->code) == BPF_K && insn->imm == 0) {
1551                        verbose("div by zero\n");
1552                        return -EINVAL;
1553                }
1554
1555                if ((opcode == BPF_LSH || opcode == BPF_RSH ||
1556                     opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
1557                        int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
1558
1559                        if (insn->imm < 0 || insn->imm >= size) {
1560                                verbose("invalid shift %d\n", insn->imm);
1561                                return -EINVAL;
1562                        }
1563                }
1564
1565                /* check dest operand */
1566                err = check_reg_arg(regs, insn->dst_reg, DST_OP_NO_MARK);
1567                if (err)
1568                        return err;
1569
1570                dst_reg = &regs[insn->dst_reg];
1571
1572                /* pattern match 'bpf_add Rx, imm' instruction */
1573                if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 &&
1574                    dst_reg->type == FRAME_PTR && BPF_SRC(insn->code) == BPF_K) {
1575                        dst_reg->type = PTR_TO_STACK;
1576                        dst_reg->imm = insn->imm;
1577                        return 0;
1578                } else if (opcode == BPF_ADD &&
1579                           BPF_CLASS(insn->code) == BPF_ALU64 &&
1580                           (dst_reg->type == PTR_TO_PACKET ||
1581                            (BPF_SRC(insn->code) == BPF_X &&
1582                             regs[insn->src_reg].type == PTR_TO_PACKET))) {
1583                        /* ptr_to_packet += K|X */
1584                        return check_packet_ptr_add(env, insn);
1585                } else if (BPF_CLASS(insn->code) == BPF_ALU64 &&
1586                           dst_reg->type == UNKNOWN_VALUE &&
1587                           env->allow_ptr_leaks) {
1588                        /* unknown += K|X */
1589                        return evaluate_reg_alu(env, insn);
1590                } else if (BPF_CLASS(insn->code) == BPF_ALU64 &&
1591                           dst_reg->type == CONST_IMM &&
1592                           env->allow_ptr_leaks) {
1593                        /* reg_imm += K|X */
1594                        return evaluate_reg_imm_alu(env, insn);
1595                } else if (is_pointer_value(env, insn->dst_reg)) {
1596                        verbose("R%d pointer arithmetic prohibited\n",
1597                                insn->dst_reg);
1598                        return -EACCES;
1599                } else if (BPF_SRC(insn->code) == BPF_X &&
1600                           is_pointer_value(env, insn->src_reg)) {
1601                        verbose("R%d pointer arithmetic prohibited\n",
1602                                insn->src_reg);
1603                        return -EACCES;
1604                }
1605
1606                /* mark dest operand */
1607                mark_reg_unknown_value(regs, insn->dst_reg);
1608        }
1609
1610        return 0;
1611}
1612
1613static void find_good_pkt_pointers(struct verifier_env *env,
1614                                   struct reg_state *dst_reg)
1615{
1616        struct verifier_state *state = &env->cur_state;
1617        struct reg_state *regs = state->regs, *reg;
1618        int i;
1619        /* r2 = r3;
1620         * r2 += 8
1621         * if (r2 > pkt_end) goto somewhere
1622         * r2 == dst_reg, pkt_end == src_reg,
1623         * r2=pkt(id=n,off=8,r=0)
1624         * r3=pkt(id=n,off=0,r=0)
1625         * find register r3 and mark its range as r3=pkt(id=n,off=0,r=8)
1626         * so that range of bytes [r3, r3 + 8) is safe to access
1627         */
1628        for (i = 0; i < MAX_BPF_REG; i++)
1629                if (regs[i].type == PTR_TO_PACKET && regs[i].id == dst_reg->id)
1630                        regs[i].range = dst_reg->off;
1631
1632        for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
1633                if (state->stack_slot_type[i] != STACK_SPILL)
1634                        continue;
1635                reg = &state->spilled_regs[i / BPF_REG_SIZE];
1636                if (reg->type == PTR_TO_PACKET && reg->id == dst_reg->id)
1637                        reg->range = dst_reg->off;
1638        }
1639}
1640
1641static int check_cond_jmp_op(struct verifier_env *env,
1642                             struct bpf_insn *insn, int *insn_idx)
1643{
1644        struct reg_state *regs = env->cur_state.regs, *dst_reg;
1645        struct verifier_state *other_branch;
1646        u8 opcode = BPF_OP(insn->code);
1647        int err;
1648
1649        if (opcode > BPF_EXIT) {
1650                verbose("invalid BPF_JMP opcode %x\n", opcode);
1651                return -EINVAL;
1652        }
1653
1654        if (BPF_SRC(insn->code) == BPF_X) {
1655                if (insn->imm != 0) {
1656                        verbose("BPF_JMP uses reserved fields\n");
1657                        return -EINVAL;
1658                }
1659
1660                /* check src1 operand */
1661                err = check_reg_arg(regs, insn->src_reg, SRC_OP);
1662                if (err)
1663                        return err;
1664
1665                if (is_pointer_value(env, insn->src_reg)) {
1666                        verbose("R%d pointer comparison prohibited\n",
1667                                insn->src_reg);
1668                        return -EACCES;
1669                }
1670        } else {
1671                if (insn->src_reg != BPF_REG_0) {
1672                        verbose("BPF_JMP uses reserved fields\n");
1673                        return -EINVAL;
1674                }
1675        }
1676
1677        /* check src2 operand */
1678        err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
1679        if (err)
1680                return err;
1681
1682        dst_reg = &regs[insn->dst_reg];
1683
1684        /* detect if R == 0 where R was initialized to zero earlier */
1685        if (BPF_SRC(insn->code) == BPF_K &&
1686            (opcode == BPF_JEQ || opcode == BPF_JNE) &&
1687            dst_reg->type == CONST_IMM && dst_reg->imm == insn->imm) {
1688                if (opcode == BPF_JEQ) {
1689                        /* if (imm == imm) goto pc+off;
1690                         * only follow the goto, ignore fall-through
1691                         */
1692                        *insn_idx += insn->off;
1693                        return 0;
1694                } else {
1695                        /* if (imm != imm) goto pc+off;
1696                         * only follow fall-through branch, since
1697                         * that's where the program will go
1698                         */
1699                        return 0;
1700                }
1701        }
1702
1703        other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx);
1704        if (!other_branch)
1705                return -EFAULT;
1706
1707        /* detect if R == 0 where R is returned value from bpf_map_lookup_elem() */
1708        if (BPF_SRC(insn->code) == BPF_K &&
1709            insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
1710            dst_reg->type == PTR_TO_MAP_VALUE_OR_NULL) {
1711                if (opcode == BPF_JEQ) {
1712                        /* next fallthrough insn can access memory via
1713                         * this register
1714                         */
1715                        regs[insn->dst_reg].type = PTR_TO_MAP_VALUE;
1716                        /* branch targer cannot access it, since reg == 0 */
1717                        mark_reg_unknown_value(other_branch->regs,
1718                                               insn->dst_reg);
1719                } else {
1720                        other_branch->regs[insn->dst_reg].type = PTR_TO_MAP_VALUE;
1721                        mark_reg_unknown_value(regs, insn->dst_reg);
1722                }
1723        } else if (BPF_SRC(insn->code) == BPF_X && opcode == BPF_JGT &&
1724                   dst_reg->type == PTR_TO_PACKET &&
1725                   regs[insn->src_reg].type == PTR_TO_PACKET_END) {
1726                find_good_pkt_pointers(env, dst_reg);
1727        } else if (is_pointer_value(env, insn->dst_reg)) {
1728                verbose("R%d pointer comparison prohibited\n", insn->dst_reg);
1729                return -EACCES;
1730        }
1731        if (log_level)
1732                print_verifier_state(&env->cur_state);
1733        return 0;
1734}
1735
1736/* return the map pointer stored inside BPF_LD_IMM64 instruction */
1737static struct bpf_map *ld_imm64_to_map_ptr(struct bpf_insn *insn)
1738{
1739        u64 imm64 = ((u64) (u32) insn[0].imm) | ((u64) (u32) insn[1].imm) << 32;
1740
1741        return (struct bpf_map *) (unsigned long) imm64;
1742}
1743
1744/* verify BPF_LD_IMM64 instruction */
1745static int check_ld_imm(struct verifier_env *env, struct bpf_insn *insn)
1746{
1747        struct reg_state *regs = env->cur_state.regs;
1748        int err;
1749
1750        if (BPF_SIZE(insn->code) != BPF_DW) {
1751                verbose("invalid BPF_LD_IMM insn\n");
1752                return -EINVAL;
1753        }
1754        if (insn->off != 0) {
1755                verbose("BPF_LD_IMM64 uses reserved fields\n");
1756                return -EINVAL;
1757        }
1758
1759        err = check_reg_arg(regs, insn->dst_reg, DST_OP);
1760        if (err)
1761                return err;
1762
1763        if (insn->src_reg == 0)
1764                /* generic move 64-bit immediate into a register */
1765                return 0;
1766
1767        /* replace_map_fd_with_map_ptr() should have caught bad ld_imm64 */
1768        BUG_ON(insn->src_reg != BPF_PSEUDO_MAP_FD);
1769
1770        regs[insn->dst_reg].type = CONST_PTR_TO_MAP;
1771        regs[insn->dst_reg].map_ptr = ld_imm64_to_map_ptr(insn);
1772        return 0;
1773}
1774
1775static bool may_access_skb(enum bpf_prog_type type)
1776{
1777        switch (type) {
1778        case BPF_PROG_TYPE_SOCKET_FILTER:
1779        case BPF_PROG_TYPE_SCHED_CLS:
1780        case BPF_PROG_TYPE_SCHED_ACT:
1781                return true;
1782        default:
1783                return false;
1784        }
1785}
1786
1787/* verify safety of LD_ABS|LD_IND instructions:
1788 * - they can only appear in the programs where ctx == skb
1789 * - since they are wrappers of function calls, they scratch R1-R5 registers,
1790 *   preserve R6-R9, and store return value into R0
1791 *
1792 * Implicit input:
1793 *   ctx == skb == R6 == CTX
1794 *
1795 * Explicit input:
1796 *   SRC == any register
1797 *   IMM == 32-bit immediate
1798 *
1799 * Output:
1800 *   R0 - 8/16/32-bit skb data converted to cpu endianness
1801 */
1802static int check_ld_abs(struct verifier_env *env, struct bpf_insn *insn)
1803{
1804        struct reg_state *regs = env->cur_state.regs;
1805        u8 mode = BPF_MODE(insn->code);
1806        struct reg_state *reg;
1807        int i, err;
1808
1809        if (!may_access_skb(env->prog->type)) {
1810                verbose("BPF_LD_[ABS|IND] instructions not allowed for this program type\n");
1811                return -EINVAL;
1812        }
1813
1814        if (insn->dst_reg != BPF_REG_0 || insn->off != 0 ||
1815            BPF_SIZE(insn->code) == BPF_DW ||
1816            (mode == BPF_ABS && insn->src_reg != BPF_REG_0)) {
1817                verbose("BPF_LD_[ABS|IND] uses reserved fields\n");
1818                return -EINVAL;
1819        }
1820
1821        /* check whether implicit source operand (register R6) is readable */
1822        err = check_reg_arg(regs, BPF_REG_6, SRC_OP);
1823        if (err)
1824                return err;
1825
1826        if (regs[BPF_REG_6].type != PTR_TO_CTX) {
1827                verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
1828                return -EINVAL;
1829        }
1830
1831        if (mode == BPF_IND) {
1832                /* check explicit source operand */
1833                err = check_reg_arg(regs, insn->src_reg, SRC_OP);
1834                if (err)
1835                        return err;
1836        }
1837
1838        /* reset caller saved regs to unreadable */
1839        for (i = 0; i < CALLER_SAVED_REGS; i++) {
1840                reg = regs + caller_saved[i];
1841                reg->type = NOT_INIT;
1842                reg->imm = 0;
1843        }
1844
1845        /* mark destination R0 register as readable, since it contains
1846         * the value fetched from the packet
1847         */
1848        regs[BPF_REG_0].type = UNKNOWN_VALUE;
1849        return 0;
1850}
1851
1852/* non-recursive DFS pseudo code
1853 * 1  procedure DFS-iterative(G,v):
1854 * 2      label v as discovered
1855 * 3      let S be a stack
1856 * 4      S.push(v)
1857 * 5      while S is not empty
1858 * 6            t <- S.pop()
1859 * 7            if t is what we're looking for:
1860 * 8                return t
1861 * 9            for all edges e in G.adjacentEdges(t) do
1862 * 10               if edge e is already labelled
1863 * 11                   continue with the next edge
1864 * 12               w <- G.adjacentVertex(t,e)
1865 * 13               if vertex w is not discovered and not explored
1866 * 14                   label e as tree-edge
1867 * 15                   label w as discovered
1868 * 16                   S.push(w)
1869 * 17                   continue at 5
1870 * 18               else if vertex w is discovered
1871 * 19                   label e as back-edge
1872 * 20               else
1873 * 21                   // vertex w is explored
1874 * 22                   label e as forward- or cross-edge
1875 * 23           label t as explored
1876 * 24           S.pop()
1877 *
1878 * convention:
1879 * 0x10 - discovered
1880 * 0x11 - discovered and fall-through edge labelled
1881 * 0x12 - discovered and fall-through and branch edges labelled
1882 * 0x20 - explored
1883 */
1884
1885enum {
1886        DISCOVERED = 0x10,
1887        EXPLORED = 0x20,
1888        FALLTHROUGH = 1,
1889        BRANCH = 2,
1890};
1891
1892#define STATE_LIST_MARK ((struct verifier_state_list *) -1L)
1893
1894static int *insn_stack; /* stack of insns to process */
1895static int cur_stack;   /* current stack index */
1896static int *insn_state;
1897
1898/* t, w, e - match pseudo-code above:
1899 * t - index of current instruction
1900 * w - next instruction
1901 * e - edge
1902 */
1903static int push_insn(int t, int w, int e, struct verifier_env *env)
1904{
1905        if (e == FALLTHROUGH && insn_state[t] >= (DISCOVERED | FALLTHROUGH))
1906                return 0;
1907
1908        if (e == BRANCH && insn_state[t] >= (DISCOVERED | BRANCH))
1909                return 0;
1910
1911        if (w < 0 || w >= env->prog->len) {
1912                verbose("jump out of range from insn %d to %d\n", t, w);
1913                return -EINVAL;
1914        }
1915
1916        if (e == BRANCH)
1917                /* mark branch target for state pruning */
1918                env->explored_states[w] = STATE_LIST_MARK;
1919
1920        if (insn_state[w] == 0) {
1921                /* tree-edge */
1922                insn_state[t] = DISCOVERED | e;
1923                insn_state[w] = DISCOVERED;
1924                if (cur_stack >= env->prog->len)
1925                        return -E2BIG;
1926                insn_stack[cur_stack++] = w;
1927                return 1;
1928        } else if ((insn_state[w] & 0xF0) == DISCOVERED) {
1929                verbose("back-edge from insn %d to %d\n", t, w);
1930                return -EINVAL;
1931        } else if (insn_state[w] == EXPLORED) {
1932                /* forward- or cross-edge */
1933                insn_state[t] = DISCOVERED | e;
1934        } else {
1935                verbose("insn state internal bug\n");
1936                return -EFAULT;
1937        }
1938        return 0;
1939}
1940
1941/* non-recursive depth-first-search to detect loops in BPF program
1942 * loop == back-edge in directed graph
1943 */
1944static int check_cfg(struct verifier_env *env)
1945{
1946        struct bpf_insn *insns = env->prog->insnsi;
1947        int insn_cnt = env->prog->len;
1948        int ret = 0;
1949        int i, t;
1950
1951        insn_state = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL);
1952        if (!insn_state)
1953                return -ENOMEM;
1954
1955        insn_stack = kcalloc(insn_cnt, sizeof(int), GFP_KERNEL);
1956        if (!insn_stack) {
1957                kfree(insn_state);
1958                return -ENOMEM;
1959        }
1960
1961        insn_state[0] = DISCOVERED; /* mark 1st insn as discovered */
1962        insn_stack[0] = 0; /* 0 is the first instruction */
1963        cur_stack = 1;
1964
1965peek_stack:
1966        if (cur_stack == 0)
1967                goto check_state;
1968        t = insn_stack[cur_stack - 1];
1969
1970        if (BPF_CLASS(insns[t].code) == BPF_JMP) {
1971                u8 opcode = BPF_OP(insns[t].code);
1972
1973                if (opcode == BPF_EXIT) {
1974                        goto mark_explored;
1975                } else if (opcode == BPF_CALL) {
1976                        ret = push_insn(t, t + 1, FALLTHROUGH, env);
1977                        if (ret == 1)
1978                                goto peek_stack;
1979                        else if (ret < 0)
1980                                goto err_free;
1981                        if (t + 1 < insn_cnt)
1982                                env->explored_states[t + 1] = STATE_LIST_MARK;
1983                } else if (opcode == BPF_JA) {
1984                        if (BPF_SRC(insns[t].code) != BPF_K) {
1985                                ret = -EINVAL;
1986                                goto err_free;
1987                        }
1988                        /* unconditional jump with single edge */
1989                        ret = push_insn(t, t + insns[t].off + 1,
1990                                        FALLTHROUGH, env);
1991                        if (ret == 1)
1992                                goto peek_stack;
1993                        else if (ret < 0)
1994                                goto err_free;
1995                        /* tell verifier to check for equivalent states
1996                         * after every call and jump
1997                         */
1998                        if (t + 1 < insn_cnt)
1999                                env->explored_states[t + 1] = STATE_LIST_MARK;
2000                } else {

2001                        /* conditional jump with two edges */
2002                        ret = push_insn(t, t + 1, FALLTHROUGH, env);
2003                        if (ret == 1)
2004                                goto peek_stack;
2005                        else if (ret < 0)
2006                                goto err_free;
2007
2008                        ret = push_insn(t, t + insns[t].off + 1, BRANCH, env);
2009                        if (ret == 1)
2010                                goto peek_stack;
2011                        else if (ret < 0)
2012                                goto err_free;
2013                }
2014        } else {
2015                /* all other non-branch instructions with single
2016                 * fall-through edge
2017                 */
2018                ret = push_insn(t, t + 1, FALLTHROUGH, env);
2019                if (ret == 1)
2020                        goto peek_stack;
2021                else if (ret < 0)
2022                        goto err_free;
2023        }
2024
2025mark_explored:
2026        insn_state[t] = EXPLORED;
2027        if (cur_stack-- <= 0) {
2028                verbose("pop stack internal bug\n");
2029                ret = -EFAULT;
2030                goto err_free;
2031        }
2032        goto peek_stack;
2033
2034check_state:
2035        for (i = 0; i < insn_cnt; i++) {
2036                if (insn_state[i] != EXPLORED) {
2037                        verbose("unreachable insn %d\n", i);
2038                        ret = -EINVAL;
2039                        goto err_free;
2040                }
2041        }
2042        ret = 0; /* cfg looks good */
2043
2044err_free:
2045        kfree(insn_state);
2046        kfree(insn_stack);
2047        return ret;
2048}
2049
2050/* the following conditions reduce the number of explored insns
2051 * from ~140k to ~80k for ultra large programs that use a lot of ptr_to_packet
2052 */
2053static bool compare_ptrs_to_packet(struct reg_state *old, struct reg_state *cur)
2054{
2055        if (old->id != cur->id)
2056                return false;
2057
2058        /* old ptr_to_packet is more conservative, since it allows smaller
2059         * range. Ex:
2060         * old(off=0,r=10) is equal to cur(off=0,r=20), because
2061         * old(off=0,r=10) means that with range=10 the verifier proceeded
2062         * further and found no issues with the program. Now we're in the same
2063         * spot with cur(off=0,r=20), so we're safe too, since anything further
2064         * will only be looking at most 10 bytes after this pointer.
2065         */
2066        if (old->off == cur->off && old->range < cur->range)
2067                return true;
2068
2069        /* old(off=20,r=10) is equal to cur(off=22,re=22 or 5 or 0)
2070         * since both cannot be used for packet access and safe(old)
2071         * pointer has smaller off that could be used for further
2072         * 'if (ptr > data_end)' check
2073         * Ex:
2074         * old(off=20,r=10) and cur(off=22,r=22) and cur(off=22,r=0) mean
2075         * that we cannot access the packet.
2076         * The safe range is:
2077         * [ptr, ptr + range - off)
2078         * so whenever off >=range, it means no safe bytes from this pointer.
2079         * When comparing old->off <= cur->off, it means that older code
2080         * went with smaller offset and that offset was later
2081         * used to figure out the safe range after 'if (ptr > data_end)' check
2082         * Say, 'old' state was explored like:
2083         * ... R3(off=0, r=0)
2084         * R4 = R3 + 20
2085         * ... now R4(off=20,r=0)  <-- here
2086         * if (R4 > data_end)
2087         * ... R4(off=20,r=20), R3(off=0,r=20) and R3 can be used to access.
2088         * ... the code further went all the way to bpf_exit.
2089         * Now the 'cur' state at the mark 'here' has R4(off=30,r=0).
2090         * old_R4(off=20,r=0) equal to cur_R4(off=30,r=0), since if the verifier
2091         * goes further, such cur_R4 will give larger safe packet range after
2092         * 'if (R4 > data_end)' and all further insn were already good with r=20,
2093         * so they will be good with r=30 and we can prune the search.
2094         */
2095        if (old->off <= cur->off &&
2096            old->off >= old->range && cur->off >= cur->range)
2097                return true;
2098
2099        return false;
2100}
2101
2102/* compare two verifier states
2103 *
2104 * all states stored in state_list are known to be valid, since
2105 * verifier reached 'bpf_exit' instruction through them
2106 *
2107 * this function is called when verifier exploring different branches of
2108 * execution popped from the state stack. If it sees an old state that has
2109 * more strict register state and more strict stack state then this execution
2110 * branch doesn't need to be explored further, since verifier already
2111 * concluded that more strict state leads to valid finish.
2112 *
2113 * Therefore two states are equivalent if register state is more conservative
2114 * and explored stack state is more conservative than the current one.
2115 * Example:
2116 *       explored                   current
2117 * (slot1=INV slot2=MISC) == (slot1=MISC slot2=MISC)
2118 * (slot1=MISC slot2=MISC) != (slot1=INV slot2=MISC)
2119 *
2120 * In other words if current stack state (one being explored) has more
2121 * valid slots than old one that already passed validation, it means
2122 * the verifier can stop exploring and conclude that current state is valid too
2123 *
2124 * Similarly with registers. If explored state has register type as invalid
2125 * whereas register type in current state is meaningful, it means that
2126 * the current state will reach 'bpf_exit' instruction safely
2127 */
2128static bool states_equal(struct verifier_state *old, struct verifier_state *cur)
2129{
2130        struct reg_state *rold, *rcur;
2131        int i;
2132
2133        for (i = 0; i < MAX_BPF_REG; i++) {
2134                rold = &old->regs[i];
2135                rcur = &cur->regs[i];
2136
2137                if (memcmp(rold, rcur, sizeof(*rold)) == 0)
2138                        continue;
2139
2140                if (rold->type == NOT_INIT ||
2141                    (rold->type == UNKNOWN_VALUE && rcur->type != NOT_INIT))
2142                        continue;
2143
2144                if (rold->type == PTR_TO_PACKET && rcur->type == PTR_TO_PACKET &&
2145                    compare_ptrs_to_packet(rold, rcur))
2146                        continue;
2147
2148                return false;
2149        }
2150
2151        for (i = 0; i < MAX_BPF_STACK; i++) {
2152                if (old->stack_slot_type[i] == STACK_INVALID)
2153                        continue;
2154                if (old->stack_slot_type[i] != cur->stack_slot_type[i])
2155                        /* Ex: old explored (safe) state has STACK_SPILL in
2156                         * this stack slot, but current has has STACK_MISC ->
2157                         * this verifier states are not equivalent,
2158                         * return false to continue verification of this path
2159                         */
2160                        return false;
2161                if (i % BPF_REG_SIZE)
2162                        continue;
2163                if (memcmp(&old->spilled_regs[i / BPF_REG_SIZE],
2164                           &cur->spilled_regs[i / BPF_REG_SIZE],
2165                           sizeof(old->spilled_regs[0])))
2166                        /* when explored and current stack slot types are
2167                         * the same, check that stored pointers types
2168                         * are the same as well.
2169                         * Ex: explored safe path could have stored
2170                         * (struct reg_state) {.type = PTR_TO_STACK, .imm = -8}
2171                         * but current path has stored:
2172                         * (struct reg_state) {.type = PTR_TO_STACK, .imm = -16}
2173                         * such verifier states are not equivalent.
2174                         * return false to continue verification of this path
2175                         */
2176                        return false;
2177                else
2178                        continue;
2179        }
2180        return true;
2181}
2182
2183static int is_state_visited(struct verifier_env *env, int insn_idx)
2184{
2185        struct verifier_state_list *new_sl;
2186        struct verifier_state_list *sl;
2187
2188        sl = env->explored_states[insn_idx];
2189        if (!sl)
2190                /* this 'insn_idx' instruction wasn't marked, so we will not
2191                 * be doing state search here
2192                 */
2193                return 0;
2194
2195        while (sl != STATE_LIST_MARK) {
2196                if (states_equal(&sl->state, &env->cur_state))
2197                        /* reached equivalent register/stack state,
2198                         * prune the search
2199                         */
2200                        return 1;
2201                sl = sl->next;
2202        }
2203
2204        /* there were no equivalent states, remember current one.
2205         * technically the current state is not proven to be safe yet,
2206         * but it will either reach bpf_exit (which means it's safe) or
2207         * it will be rejected. Since there are no loops, we won't be
2208         * seeing this 'insn_idx' instruction again on the way to bpf_exit
2209         */
2210        new_sl = kmalloc(sizeof(struct verifier_state_list), GFP_USER);
2211        if (!new_sl)
2212                return -ENOMEM;
2213
2214        /* add new state to the head of linked list */
2215        memcpy(&new_sl->state, &env->cur_state, sizeof(env->cur_state));
2216        new_sl->next = env->explored_states[insn_idx];
2217        env->explored_states[insn_idx] = new_sl;
2218        return 0;
2219}
2220
2221static int do_check(struct verifier_env *env)
2222{
2223        struct verifier_state *state = &env->cur_state;
2224        struct bpf_insn *insns = env->prog->insnsi;
2225        struct reg_state *regs = state->regs;
2226        int insn_cnt = env->prog->len;
2227        int insn_idx, prev_insn_idx = 0;
2228        int insn_processed = 0;
2229        bool do_print_state = false;
2230
2231        init_reg_state(regs);
2232        insn_idx = 0;
2233        for (;;) {
2234                struct bpf_insn *insn;
2235                u8 class;
2236                int err;
2237
2238                if (insn_idx >= insn_cnt) {
2239                        verbose("invalid insn idx %d insn_cnt %d\n",
2240                                insn_idx, insn_cnt);
2241                        return -EFAULT;
2242                }
2243
2244                insn = &insns[insn_idx];
2245                class = BPF_CLASS(insn->code);
2246
2247                if (++insn_processed > BPF_COMPLEXITY_LIMIT_INSNS) {
2248                        verbose("BPF program is too large. Proccessed %d insn\n",
2249                                insn_processed);
2250                        return -E2BIG;
2251                }
2252
2253                err = is_state_visited(env, insn_idx);
2254                if (err < 0)
2255                        return err;
2256                if (err == 1) {
2257                        /* found equivalent state, can prune the search */
2258                        if (log_level) {
2259                                if (do_print_state)
2260                                        verbose("\nfrom %d to %d: safe\n",
2261                                                prev_insn_idx, insn_idx);
2262                                else
2263                                        verbose("%d: safe\n", insn_idx);
2264                        }
2265                        goto process_bpf_exit;
2266                }
2267
2268                if (log_level && do_print_state) {
2269                        verbose("\nfrom %d to %d:", prev_insn_idx, insn_idx);
2270                        print_verifier_state(&env->cur_state);
2271                        do_print_state = false;
2272                }
2273
2274                if (log_level) {
2275                        verbose("%d: ", insn_idx);
2276                        print_bpf_insn(insn);
2277                }
2278
2279                if (class == BPF_ALU || class == BPF_ALU64) {
2280                        err = check_alu_op(env, insn);
2281                        if (err)
2282                                return err;
2283
2284                } else if (class == BPF_LDX) {
2285                        enum bpf_reg_type src_reg_type;
2286
2287                        /* check for reserved fields is already done */
2288
2289                        /* check src operand */
2290                        err = check_reg_arg(regs, insn->src_reg, SRC_OP);
2291                        if (err)
2292                                return err;
2293
2294                        err = check_reg_arg(regs, insn->dst_reg, DST_OP_NO_MARK);
2295                        if (err)
2296                                return err;
2297
2298                        src_reg_type = regs[insn->src_reg].type;
2299
2300                        /* check that memory (src_reg + off) is readable,
2301                         * the state of dst_reg will be updated by this func
2302                         */
2303                        err = check_mem_access(env, insn->src_reg, insn->off,
2304                                               BPF_SIZE(insn->code), BPF_READ,
2305                                               insn->dst_reg);
2306                        if (err)
2307                                return err;
2308
2309                        if (BPF_SIZE(insn->code) != BPF_W) {
2310                                insn_idx++;
2311                                continue;
2312                        }
2313
2314                        if (insn->imm == 0) {
2315                                /* saw a valid insn
2316                                 * dst_reg = *(u32 *)(src_reg + off)
2317                                 * use reserved 'imm' field to mark this insn
2318                                 */
2319                                insn->imm = src_reg_type;
2320
2321                        } else if (src_reg_type != insn->imm &&
2322                                   (src_reg_type == PTR_TO_CTX ||
2323                                    insn->imm == PTR_TO_CTX)) {
2324                                /* ABuser program is trying to use the same insn
2325                                 * dst_reg = *(u32*) (src_reg + off)
2326                                 * with different pointer types:
2327                                 * src_reg == ctx in one branch and
2328                                 * src_reg == stack|map in some other branch.
2329                                 * Reject it.
2330                                 */
2331                                verbose("same insn cannot be used with different pointers\n");
2332                                return -EINVAL;
2333                        }
2334
2335                } else if (class == BPF_STX) {
2336                        enum bpf_reg_type dst_reg_type;
2337
2338                        if (BPF_MODE(insn->code) == BPF_XADD) {
2339                                err = check_xadd(env, insn);
2340                                if (err)
2341                                        return err;
2342                                insn_idx++;
2343                                continue;
2344                        }
2345
2346                        /* check src1 operand */
2347                        err = check_reg_arg(regs, insn->src_reg, SRC_OP);
2348                        if (err)
2349                                return err;
2350                        /* check src2 operand */
2351                        err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
2352                        if (err)
2353                                return err;
2354
2355                        dst_reg_type = regs[insn->dst_reg].type;
2356
2357                        /* check that memory (dst_reg + off) is writeable */
2358                        err = check_mem_access(env, insn->dst_reg, insn->off,
2359                                               BPF_SIZE(insn->code), BPF_WRITE,
2360                                               insn->src_reg);
2361                        if (err)
2362                                return err;
2363
2364                        if (insn->imm == 0) {
2365                                insn->imm = dst_reg_type;
2366                        } else if (dst_reg_type != insn->imm &&
2367                                   (dst_reg_type == PTR_TO_CTX ||
2368                                    insn->imm == PTR_TO_CTX)) {
2369                                verbose("same insn cannot be used with different pointers\n");
2370                                return -EINVAL;
2371                        }
2372
2373                } else if (class == BPF_ST) {
2374                        if (BPF_MODE(insn->code) != BPF_MEM ||
2375                            insn->src_reg != BPF_REG_0) {
2376                                verbose("BPF_ST uses reserved fields\n");
2377                                return -EINVAL;
2378                        }
2379                        /* check src operand */
2380                        err = check_reg_arg(regs, insn->dst_reg, SRC_OP);
2381                        if (err)
2382                                return err;
2383
2384                        /* check that memory (dst_reg + off) is writeable */
2385                        err = check_mem_access(env, insn->dst_reg, insn->off,
2386                                               BPF_SIZE(insn->code), BPF_WRITE,
2387                                               -1);
2388                        if (err)
2389                                return err;
2390
2391                } else if (class == BPF_JMP) {
2392                        u8 opcode = BPF_OP(insn->code);
2393
2394                        if (opcode == BPF_CALL) {
2395                                if (BPF_SRC(insn->code) != BPF_K ||
2396                                    insn->off != 0 ||
2397                                    insn->src_reg != BPF_REG_0 ||
2398                                    insn->dst_reg != BPF_REG_0) {
2399                                        verbose("BPF_CALL uses reserved fields\n");
2400                                        return -EINVAL;
2401                                }
2402
2403                                err = check_call(env, insn->imm);
2404                                if (err)
2405                                        return err;
2406
2407                        } else if (opcode == BPF_JA) {
2408                                if (BPF_SRC(insn->code) != BPF_K ||
2409                                    insn->imm != 0 ||
2410                                    insn->src_reg != BPF_REG_0 ||
2411                                    insn->dst_reg != BPF_REG_0) {
2412                                        verbose("BPF_JA uses reserved fields\n");
2413                                        return -EINVAL;
2414                                }
2415
2416                                insn_idx += insn->off + 1;
2417                                continue;
2418
2419                        } else if (opcode == BPF_EXIT) {
2420                                if (BPF_SRC(insn->code) != BPF_K ||
2421                                    insn->imm != 0 ||
2422                                    insn->src_reg != BPF_REG_0 ||
2423                                    insn->dst_reg != BPF_REG_0) {
2424                                        verbose("BPF_EXIT uses reserved fields\n");
2425                                        return -EINVAL;
2426                                }
2427
2428                                /* eBPF calling convetion is such that R0 is used
2429                                 * to return the value from eBPF program.
2430                                 * Make sure that it's readable at this time
2431                                 * of bpf_exit, which means that program wrote
2432                                 * something into it earlier
2433                                 */
2434                                err = check_reg_arg(regs, BPF_REG_0, SRC_OP);
2435                                if (err)
2436                                        return err;
2437
2438                                if (is_pointer_value(env, BPF_REG_0)) {
2439                                        verbose("R0 leaks addr as return value\n");
2440                                        return -EACCES;
2441                                }
2442
2443process_bpf_exit:
2444                                insn_idx = pop_stack(env, &prev_insn_idx);
2445                                if (insn_idx < 0) {
2446                                        break;
2447                                } else {
2448                                        do_print_state = true;
2449                                        continue;
2450                                }
2451                        } else {
2452                                err = check_cond_jmp_op(env, insn, &insn_idx);
2453                                if (err)
2454                                        return err;
2455                        }
2456                } else if (class == BPF_LD) {
2457                        u8 mode = BPF_MODE(insn->code);
2458
2459                        if (mode == BPF_ABS || mode == BPF_IND) {
2460                                err = check_ld_abs(env, insn);
2461                                if (err)
2462                                        return err;
2463
2464                        } else if (mode == BPF_IMM) {
2465                                err = check_ld_imm(env, insn);
2466                                if (err)
2467                                        return err;
2468
2469                                insn_idx++;
2470                        } else {
2471                                verbose("invalid BPF_LD mode\n");
2472                                return -EINVAL;
2473                        }
2474                } else {
2475                        verbose("unknown insn class %d\n", class);
2476                        return -EINVAL;
2477                }
2478
2479                insn_idx++;
2480        }
2481
2482        verbose("processed %d insns\n", insn_processed);
2483        return 0;
2484}
2485
2486/* look for pseudo eBPF instructions that access map FDs and
2487 * replace them with actual map pointers
2488 */
2489static int replace_map_fd_with_map_ptr(struct verifier_env *env)
2490{
2491        struct bpf_insn *insn = env->prog->insnsi;
2492        int insn_cnt = env->prog->len;
2493        int i, j;
2494
2495        for (i = 0; i < insn_cnt; i++, insn++) {
2496                if (BPF_CLASS(insn->code) == BPF_LDX &&
2497                    (BPF_MODE(insn->code) != BPF_MEM || insn->imm != 0)) {
2498                        verbose("BPF_LDX uses reserved fields\n");
2499                        return -EINVAL;
2500                }
2501
2502                if (BPF_CLASS(insn->code) == BPF_STX &&
2503                    ((BPF_MODE(insn->code) != BPF_MEM &&
2504                      BPF_MODE(insn->code) != BPF_XADD) || insn->imm != 0)) {
2505                        verbose("BPF_STX uses reserved fields\n");
2506                        return -EINVAL;
2507                }
2508
2509                if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
2510                        struct bpf_map *map;
2511                        struct fd f;
2512
2513                        if (i == insn_cnt - 1 || insn[1].code != 0 ||
2514                            insn[1].dst_reg != 0 || insn[1].src_reg != 0 ||
2515                            insn[1].off != 0) {
2516                                verbose("invalid bpf_ld_imm64 insn\n");
2517                                return -EINVAL;
2518                        }
2519
2520                        if (insn->src_reg == 0)
2521                                /* valid generic load 64-bit imm */
2522                                goto next_insn;
2523
2524                        if (insn->src_reg != BPF_PSEUDO_MAP_FD) {
2525                                verbose("unrecognized bpf_ld_imm64 insn\n");
2526                                return -EINVAL;
2527                        }
2528
2529                        f = fdget(insn->imm);
2530                        map = __bpf_map_get(f);
2531                        if (IS_ERR(map)) {
2532                                verbose("fd %d is not pointing to valid bpf_map\n",
2533                                        insn->imm);
2534                                return PTR_ERR(map);
2535                        }
2536
2537                        /* store map pointer inside BPF_LD_IMM64 instruction */
2538                        insn[0].imm = (u32) (unsigned long) map;
2539                        insn[1].imm = ((u64) (unsigned long) map) >> 32;
2540
2541                        /* check whether we recorded this map already */
2542                        for (j = 0; j < env->used_map_cnt; j++)
2543                                if (env->used_maps[j] == map) {
2544                                        fdput(f);
2545                                        goto next_insn;
2546                                }
2547
2548                        if (env->used_map_cnt >= MAX_USED_MAPS) {
2549                                fdput(f);
2550                                return -E2BIG;
2551                        }
2552
2553                        /* hold the map. If the program is rejected by verifier,
2554                         * the map will be released by release_maps() or it
2555                         * will be used by the valid program until it's unloaded
2556                         * and all maps are released in free_bpf_prog_info()
2557                         */
2558                        map = bpf_map_inc(map, false);
2559                        if (IS_ERR(map)) {
2560                                fdput(f);
2561                                return PTR_ERR(map);
2562                        }
2563                        env->used_maps[env->used_map_cnt++] = map;
2564
2565                        fdput(f);
2566next_insn:
2567                        insn++;
2568                        i++;
2569                }
2570        }
2571
2572        /* now all pseudo BPF_LD_IMM64 instructions load valid
2573         * 'struct bpf_map *' into a register instead of user map_fd.
2574         * These pointers will be used later by verifier to validate map access.
2575         */
2576        return 0;
2577}
2578
2579/* drop refcnt of maps used by the rejected program */
2580static void release_maps(struct verifier_env *env)
2581{
2582        int i;
2583
2584        for (i = 0; i < env->used_map_cnt; i++)
2585                bpf_map_put(env->used_maps[i]);
2586}
2587
2588/* convert pseudo BPF_LD_IMM64 into generic BPF_LD_IMM64 */
2589static void convert_pseudo_ld_imm64(struct verifier_env *env)
2590{
2591        struct bpf_insn *insn = env->prog->insnsi;
2592        int insn_cnt = env->prog->len;
2593        int i;
2594
2595        for (i = 0; i < insn_cnt; i++, insn++)
2596                if (insn->code == (BPF_LD | BPF_IMM | BPF_DW))
2597                        insn->src_reg = 0;
2598}
2599
2600/* convert load instructions that access fields of 'struct __sk_buff'
2601 * into sequence of instructions that access fields of 'struct sk_buff'
2602 */
2603static int convert_ctx_accesses(struct verifier_env *env)
2604{
2605        struct bpf_insn *insn = env->prog->insnsi;
2606        int insn_cnt = env->prog->len;
2607        struct bpf_insn insn_buf[16];
2608        struct bpf_prog *new_prog;
2609        enum bpf_access_type type;
2610        int i;
2611
2612        if (!env->prog->aux->ops->convert_ctx_access)
2613                return 0;
2614
2615        for (i = 0; i < insn_cnt; i++, insn++) {
2616                u32 insn_delta, cnt;
2617
2618                if (insn->code == (BPF_LDX | BPF_MEM | BPF_W))
2619                        type = BPF_READ;
2620                else if (insn->code == (BPF_STX | BPF_MEM | BPF_W))
2621                        type = BPF_WRITE;
2622                else
2623                        continue;
2624
2625                if (insn->imm != PTR_TO_CTX) {
2626                        /* clear internal mark */
2627                        insn->imm = 0;
2628                        continue;
2629                }
2630
2631                cnt = env->prog->aux->ops->
2632                        convert_ctx_access(type, insn->dst_reg, insn->src_reg,
2633                                           insn->off, insn_buf, env->prog);
2634                if (cnt == 0 || cnt >= ARRAY_SIZE(insn_buf)) {
2635                        verbose("bpf verifier is misconfigured\n");
2636                        return -EINVAL;
2637                }
2638
2639                new_prog = bpf_patch_insn_single(env->prog, i, insn_buf, cnt);
2640                if (!new_prog)
2641                        return -ENOMEM;
2642
2643                insn_delta = cnt - 1;
2644
2645                /* keep walking new program and skip insns we just inserted */
2646                env->prog = new_prog;
2647                insn      = new_prog->insnsi + i + insn_delta;
2648
2649                insn_cnt += insn_delta;
2650                i        += insn_delta;
2651        }
2652
2653        return 0;
2654}
2655
2656static void free_states(struct verifier_env *env)
2657{
2658        struct verifier_state_list *sl, *sln;
2659        int i;
2660
2661        if (!env->explored_states)
2662                return;
2663
2664        for (i = 0; i < env->prog->len; i++) {
2665                sl = env->explored_states[i];
2666
2667                if (sl)
2668                        while (sl != STATE_LIST_MARK) {
2669                                sln = sl->next;
2670                                kfree(sl);
2671                                sl = sln;
2672                        }
2673        }
2674
2675        kfree(env->explored_states);
2676}
2677
2678int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
2679{
2680        char __user *log_ubuf = NULL;
2681        struct verifier_env *env;
2682        int ret = -EINVAL;
2683
2684        if ((*prog)->len <= 0 || (*prog)->len > BPF_MAXINSNS)
2685                return -E2BIG;
2686
2687        /* 'struct verifier_env' can be global, but since it's not small,
2688         * allocate/free it every time bpf_check() is called
2689         */
2690        env = kzalloc(sizeof(struct verifier_env), GFP_KERNEL);
2691        if (!env)
2692                return -ENOMEM;
2693
2694        env->prog = *prog;
2695
2696        /* grab the mutex to protect few globals used by verifier */
2697        mutex_lock(&bpf_verifier_lock);
2698
2699        if (attr->log_level || attr->log_buf || attr->log_size) {
2700                /* user requested verbose verifier output
2701                 * and supplied buffer to store the verification trace
2702                 */
2703                log_level = attr->log_level;
2704                log_ubuf = (char __user *) (unsigned long) attr->log_buf;
2705                log_size = attr->log_size;
2706                log_len = 0;
2707
2708                ret = -EINVAL;
2709                /* log_* values have to be sane */
2710                if (log_size < 128 || log_size > UINT_MAX >> 8 ||
2711                    log_level == 0 || log_ubuf == NULL)
2712                        goto free_env;
2713
2714                ret = -ENOMEM;
2715                log_buf = vmalloc(log_size);
2716                if (!log_buf)
2717                        goto free_env;
2718        } else {
2719                log_level = 0;
2720        }
2721
2722        ret = replace_map_fd_with_map_ptr(env);
2723        if (ret < 0)
2724                goto skip_full_check;
2725
2726        env->explored_states = kcalloc(env->prog->len,
2727                                       sizeof(struct verifier_state_list *),
2728                                       GFP_USER);
2729        ret = -ENOMEM;
2730        if (!env->explored_states)
2731                goto skip_full_check;
2732
2733        ret = check_cfg(env);
2734        if (ret < 0)
2735                goto skip_full_check;
2736
2737        env->allow_ptr_leaks = capable(CAP_SYS_ADMIN);
2738
2739        ret = do_check(env);
2740
2741skip_full_check:
2742        while (pop_stack(env, NULL) >= 0);
2743        free_states(env);
2744
2745        if (ret == 0)
2746                /* program is valid, convert *(u32*)(ctx + off) accesses */
2747                ret = convert_ctx_accesses(env);
2748
2749        if (log_level && log_len >= log_size - 1) {
2750                BUG_ON(log_len >= log_size);
2751                /* verifier log exceeded user supplied buffer */
2752                ret = -ENOSPC;
2753                /* fall through to return what was recorded */
2754        }
2755
2756        /* copy verifier log back to user space including trailing zero */
2757        if (log_level && copy_to_user(log_ubuf, log_buf, log_len + 1) != 0) {
2758                ret = -EFAULT;
2759                goto free_log_buf;
2760        }
2761
2762        if (ret == 0 && env->used_map_cnt) {
2763                /* if program passed verifier, update used_maps in bpf_prog_info */
2764                env->prog->aux->used_maps = kmalloc_array(env->used_map_cnt,
2765                                                          sizeof(env->used_maps[0]),
2766                                                          GFP_KERNEL);
2767
2768                if (!env->prog->aux->used_maps) {
2769                        ret = -ENOMEM;
2770                        goto free_log_buf;
2771                }
2772
2773                memcpy(env->prog->aux->used_maps, env->used_maps,
2774                       sizeof(env->used_maps[0]) * env->used_map_cnt);
2775                env->prog->aux->used_map_cnt = env->used_map_cnt;
2776
2777                /* program is valid. Convert pseudo bpf_ld_imm64 into generic
2778                 * bpf_ld_imm64 instructions
2779                 */
2780                convert_pseudo_ld_imm64(env);
2781        }
2782
2783free_log_buf:
2784        if (log_level)
2785                vfree(log_buf);
2786free_env:
2787        if (!env->prog->aux->used_maps)
2788                /* if we didn't copy map pointers into bpf_prog_info, release
2789                 * them now. Otherwise free_bpf_prog_info() will release them.
2790                 */
2791                release_maps(env);
2792        *prog = env->prog;
2793        kfree(env);
2794        mutex_unlock(&bpf_verifier_lock);
2795        return ret;
2796}
2797