Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

The return for ctx_load_bytes() isn't being checked #16076

Closed
trvll opened this issue May 11, 2021 · 6 comments · Fixed by #16138
Closed

The return for ctx_load_bytes() isn't being checked #16076

trvll opened this issue May 11, 2021 · 6 comments · Fixed by #16138
Assignees
@trvll
Labels
kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.

Comments

@trvll
Copy link
Contributor

trvll commented May 11, 2021

In the datapath, the function ipv6_dec_hoplimit() makes a call to ctx_load_bytes() without checking for return errors. This will let this function code make a evaluation of an uninitialized variable (__u8 hl) when ctx_load_bytes() returned a error. In this case the eBPF compiler will generate a code that won't be accepted by Linux kernel verifier, throwing a "invalid size of register spill" error in the /var/log/syslog.

cilium/bpf/lib/ipv6.h

Line 151 in e9e4c46

ctx_load_bytes(ctx, off + offsetof(struct ipv6hdr, hop_limit),

Please, add error checks when calling ctx_load_bytes().
@trvll trvll added the kind/bug This is a bug in the Cilium logic. label May 11, 2021
@trvll
Copy link
Contributor Author

trvll commented May 11, 2021

Hello @pchaigno, Could you assign it to me, pls?

@trvll trvll changed the title The return for ctx_load_bytes not checked The return for ctx_load_bytes() isn't being checked May 11, 2021
@pchaigno
Copy link
Member

pchaigno commented May 11, 2021
edited

In this case the eBPF compiler will generate a code that won't be accepted by Linux kernel verifier, throwing a "invalid size of register spill" error in the /var/log/syslog.

Could you describe exactly how you reproduced that error?

@trvll
Copy link
Contributor Author

trvll commented May 11, 2021

The problem occurs when the function skb_load_bytes() is introduced:

@pchaigno
Copy link
Member

Ok, I see 👍

AFAIK invalid size of register spill can't be reproduced from C code unless the compiler is buggy, hence my question. If we're using inline assembly, then that's totally possible.

@pchaigno pchaigno added the sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages. label May 11, 2021
@trvll
Copy link
Contributor Author

trvll commented May 11, 2021

YES, compiler should complain about possible usage of an uninitialized variable but does't while kernel verifier will prohibit loading the code for some reason not so clear for me, but when we do initialize the var accordingly or check the return error for ctx_load_bytes() in that context, the verifier will permit loading bpf_overlay.o.

@pchaigno
Copy link
Member

No, I mean the compiler would not generated bytecode that results in invalid size of register spill. Uninitialized variable might happen but not invalid size of register spill.

compiler should complain about possible usage of an uninitialized variable

I think it is initialized by the helper from compiler's point of view.

Anyway, the C code is clearly incorrect and we should fix it 🙂

@trvll trvll mentioned this issue May 13, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@trvll trvll

Labels
kind/bug This is a bug in the Cilium logic. sig/datapath Impacts bpf/ or low-level forwarding details, including map management and monitor messages.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Adding error checks for ctx_load_bytes. trvll/cilium
2 participants
@pchaigno @trvll