[RFC PATCH bpf-next v1 06/14] MIPS: eBPF: fix JIT static analysis hang with bounded loops
From: Tony Ambardar <hidden>
Date: 2021-07-12 00:35:45
Also in:
bpf, linux-mips
Subsystem:
bpf jit for mips (32-bit and 64-bit), bpf [general] (safe dynamic programs and tools), mips, the rest · Maintainers:
Johan Almbladh, Paul Burton, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko, Eduard Zingerman, Kumar Kartikeya Dwivedi, Thomas Bogendoerfer, Linus Torvalds
Support for bounded loops allowed the verifier to output backward jumps
such as BPF_JMP_A(-4). These trap the JIT's static analysis in a loop,
resulting in a system hang and eventual RCU stall.
Fix by updating reg_val_propagate_range() to skip backward jumps when in
fallthrough mode and if the jump target has been visited already.
Trigger the bug using the test_verifier test "bounded loop that jumps out
rather than in".
Fixes: 2589726d12a1 ("bpf: introduce bounded loops")
Signed-off-by: Tony Ambardar <redacted>
---
arch/mips/net/ebpf_jit.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/arch/mips/net/ebpf_jit.c b/arch/mips/net/ebpf_jit.c
index e60a089ee3b3..4f641dcb2031 100644
--- a/arch/mips/net/ebpf_jit.c
+++ b/arch/mips/net/ebpf_jit.c@@ -1690,6 +1690,10 @@ static int reg_val_propagate_range(struct jit_ctx *ctx, u64 initial_rvt, rvt[prog->len] = exit_rvt; return idx; case BPF_JA: + { + int tgt = idx + 1 + insn->off; + bool visited = (rvt[tgt] & RVT_FALL_THROUGH); + rvt[idx] |= RVT_DONE; /* * Verifier dead code patching can use
@@ -1699,8 +1703,16 @@ static int reg_val_propagate_range(struct jit_ctx *ctx, u64 initial_rvt, */ if (insn->off == -1) break; + /* + * Bounded loops cause the same issues in + * fallthrough mode; follow only if jump + * target is unvisited to mitigate. + */ + if (insn->off < 0 && !follow_taken && visited) + break; idx += insn->off; break; + } case BPF_JEQ: case BPF_JGT: case BPF_JGE:
--
2.25.1