bpf: teach verifier to recognize imm += ptr pattern

Humans don't write C code like:
  u8 *ptr = skb->data;
  int imm = 4;
  imm += ptr;
but from llvm backend point of view 'imm' and 'ptr' are registers and
imm += ptr may be preferred vs ptr += imm depending which register value
will be used further in the code, while verifier can only recognize ptr += imm.
That caused small unrelated changes in the C code of the bpf program to
trigger rejection by the verifier. Therefore teach the verifier to recognize
both ptr += imm and imm += ptr.
For example:
when R6=pkt(id=0,off=0,r=62) R7=imm22
after r7 += r6 instruction
will be R6=pkt(id=0,off=0,r=62) R7=pkt(id=0,off=22,r=62)

Fixes: 969bf05eb3ce ("bpf: direct packet access")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index d54e348..668e079 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1245,6 +1245,7 @@ static int check_packet_ptr_add(struct verifier_env *env, struct bpf_insn *insn)
        struct reg_state *regs = env->cur_state.regs;
        struct reg_state *dst_reg = &regs[insn->dst_reg];
        struct reg_state *src_reg = &regs[insn->src_reg];
+       struct reg_state tmp_reg;
        s32 imm;
 
        if (BPF_SRC(insn->code) == BPF_K) {
@@ -1267,6 +1268,19 @@ add_imm:
                 */
                dst_reg->off += imm;
        } else {
+               if (src_reg->type == PTR_TO_PACKET) {
+                       /* R6=pkt(id=0,off=0,r=62) R7=imm22; r7 += r6 */
+                       tmp_reg = *dst_reg;  /* save r7 state */
+                       *dst_reg = *src_reg; /* copy pkt_ptr state r6 into r7 */
+                       src_reg = &tmp_reg;  /* pretend it's src_reg state */
+                       /* if the checks below reject it, the copy won't matter,
+                        * since we're rejecting the whole program. If all ok,
+                        * then imm22 state will be added to r7
+                        * and r7 will be pkt(id=0,off=22,r=62) while
+                        * r6 will stay as pkt(id=0,off=0,r=62)
+                        */
+               }
+
                if (src_reg->type == CONST_IMM) {
                        /* pkt_ptr += reg where reg is known constant */
                        imm = src_reg->imm;
@@ -1565,7 +1579,9 @@ static int check_alu_op(struct verifier_env *env, struct bpf_insn *insn)
                        return 0;
                } else if (opcode == BPF_ADD &&
                           BPF_CLASS(insn->code) == BPF_ALU64 &&
-                          dst_reg->type == PTR_TO_PACKET) {
+                          (dst_reg->type == PTR_TO_PACKET ||
+                           (BPF_SRC(insn->code) == BPF_X &&
+                            regs[insn->src_reg].type == PTR_TO_PACKET))) {
                        /* ptr_to_packet += K|X */
                        return check_packet_ptr_add(env, insn);
                } else if (BPF_CLASS(insn->code) == BPF_ALU64 &&