[llvm-bugs] [Bug 43994] New: BPF code generation emits "|" instead of "+", causing problems for BPF verifier
via llvm-bugs
llvm-bugs at lists.llvm.org
Wed Nov 13 12:38:49 PST 2019
https://bugs.llvm.org/show_bug.cgi?id=43994
Bug ID: 43994
Summary: BPF code generation emits "|" instead of "+", causing problems for BPF verifier
Product: clang
Version: 9.0
Hardware: Other
OS: Linux
Status: NEW
Severity: normal
Priority: P
Component: -New Bugs
Assignee: unassignedclangbugs at nondot.org
Reporter: eugene.loh at oracle.com
CC: htmldeveloper at gmail.com, llvm-bugs at lists.llvm.org, neeilans at live.com, richard-llvm at metafoo.co.uk
Created attachment 22808
--> https://bugs.llvm.org/attachment.cgi?id=22808&action=edit
C code, run script, generated BPF code
Here is an issue with clang/LLVM's BPF code generation.
Technically, the generated code is not wrong, but it causes
an unnecessary problem for the BPF verifier.
Consider the C source code BPF.c. The generated BPF code can be
seen in objdump.txt and verifier.txt. Here are the C and BPF code,
redacted for readability and shown side-by-side:
BPF.c                                      objdump.txt/verifier.txt
====================================       =====================
u64 dest = -1;                             *(u64 *)(r10-24) = -1
u64 offset;
u64 garbage = 0x3141592654;                *(u64 *)(r10- 8) = 0x3141592654
// set offset to some mystery value        r1 = r10-16
bpf_probe_read(&offset,                    r2 = 8
    sizeof (offset), &garbage);            r3 = r10- 8
                                           call bpf_probe_read#4
// clip offset to be offset within dest    r1 = *(u64 *)(r10 - 16)
offset &= sizeof (dest) - 1;               r1 &= 7
                                           *(u64 *)(r10 - 16) = r1
// copy byte to mystery offset in dest     r2 = r10-24
bpf_probe_read(((u64) &dest) + offset,     r1 |= r2 ======> PROBLEM!
    1, &garbage);                          r2 = 1
                                           r3 = r10- 8
                                           call bpf_probe_read#4
return 0;                                  r0 = 0
                                           exit
To compute ((u64)&dest)+offset, the generated BPF uses "offset |= &dest".
The replacement of "+" with "|" presumably gives the correct result
in this particular case, but then the BPF verifier complains:
R1 bitwise operator |= on pointer prohibited
That is, the replacement of "+" with "|" causes this correct program to be
rejected unnecessarily by the BPF verifier.
This problem occurred on a system with an upstream kernel with
% uname -r
5.3.0+
with clang/LLVM built from source:
% clang --version
clang version 9.0.0 (trunk 364493)
[...]
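The following C program is an added illustration, not part of the bug report or of LLVM's code. It models why the "|" lowering is value-preserving for the reported pattern: &dest sits in an 8-byte-aligned stack slot and offset has been masked with "&= 7", so the two operands share no set bits and OR equals ADD. It also shows the same rewrite going wrong for a misaligned base, which is the general condition a compiler has to prove before making this substitution. The verifier's objection is separate from value correctness: it tracks pointer bounds only through add and subtract, so an OR on a pointer register is rejected regardless of the operand values. The sample addresses are constructed, not taken from the report.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Added example, not from the bug report or LLVM.
 * A compiler may lower "base + off" as "base | off" only when the two
 * operands have no set bits in common. In the report, &dest is the
 * 8-byte-aligned slot r10-24 and offset is masked with "&= 7", so the
 * low three bits of the base are zero and off fits exactly there. */

/* True when no bit is set in both operands: the condition under which
 * OR and ADD compute the same value. */
bool no_common_bits(uint64_t a, uint64_t b) { return (a & b) == 0; }

/* Models what the C source asks for: ((u64) &dest) + offset. */
uint64_t addr_with_add(uint64_t base, uint64_t off) { return base + off; }

/* Models what the generated BPF does: r1 |= r2. */
uint64_t addr_with_or(uint64_t base, uint64_t off) { return base | off; }

/* Exhaustively check every offset that "&= sizeof(u64) - 1" can produce
 * against a given base. Returns how many offsets make OR and ADD
 * disagree; 0 means the rewrite preserved the value for that base. */
unsigned count_mismatches(uint64_t base) {
    unsigned mismatches = 0;
    for (uint64_t off = 0; off < sizeof(uint64_t); off++) {
        if (addr_with_add(base, off) != addr_with_or(base, off))
            mismatches++;
    }
    return mismatches;
}

int main(void) {
    /* Constructed sample addresses: an 8-byte-aligned slot, as r10-24 is
     * when r10 is aligned, and a deliberately misaligned one. */
    uint64_t aligned   = 0x7ffc0000ffe8ULL;  /* low 3 bits are zero */
    uint64_t unaligned = 0x7ffc0000ffe9ULL;
    printf("aligned base:   %u mismatches\n", count_mismatches(aligned));
    printf("unaligned base: %u mismatches\n", count_mismatches(unaligned));
    return 0;
}
```

For the aligned base every offset 0..7 agrees, which is the property LLVM relied on when it emitted "|"; for the misaligned base half of the offsets differ, which is why the substitution is only legal under the no-common-bits precondition.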