eBPF verification failed with incorrect stack upper bound check #3360

Closed
zenmiao7 opened this issue Mar 16, 2024 · 4 comments
Labels: bug (Something isn't working), triaged (Discussed in a triage meeting)

Comments

@zenmiao7

Describe the bug

code example

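// Excerpt from xdp1.c; the includes and the definition of the
// client_hello_info_pipe ring buffer map are not shown in the issue.
typedef struct
{
    uint16_t cipher_suits[50];
    uint8_t cipher_suit_count;
} client_hello_info;

SEC("xdp_test")
int tls_client_hello_tracker(xdp_md_t* ctx)
{
    client_hello_info info;
    // xdp1.c:142 in the verifier output below: the store that is rejected.
    for (int i = 0; i < 50; i++)
        info.cipher_suits[i] = 0;

    // xdp1.c:144 in the verifier output below.
    bpf_ringbuf_output(&client_hello_info_pipe, &info, sizeof(info), 0);
    bpf_printk("Add one message");

    return XDP_PASS;
}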

ebpf verification result

; C:\Users\User\Source\ebpfSamples/xdp1.c:142
;         info.cipher_suits[i] = 0;
9: Lower bound must be at least 0 (valid_access(r3.offset, width=2) for write)
; C:\Users\User\Source\ebpfSamples/xdp1.c:142
;         info.cipher_suits[i] = 0;
9: Upper bound must be at most EBPF_STACK_SIZE (valid_access(r3.offset, width=2) for write)
; C:\Users\User\Source\ebpfSamples/xdp1.c:144
;     bpf_ringbuf_output(&client_hello_info_pipe, &info, sizeof(info), 0);
19: Stack content is not numeric (valid_access(r2.offset, width=r3) for read)

In the code, the size of the array is given. Why does the verification still think the array access is not valid?

OS information

Windows 11

Steps taken to reproduce bug

  1. Use clang to build the code example.
  2. netsh ebpf show verification xxx.o

Expected behavior

Verification succeeds.

Actual outcome

Verification failed.

Additional details

No response

zenmiao7 added the bug label Mar 16, 2024
@shankarseal
Collaborator

Please share the .o file and the eBPF version that you are using.

@zenmiao7
Author

zenmiao7 commented Mar 16, 2024

While debugging with @shankarseal, we find the error is resolved if we rewrite the loop to

info.cipher_suits[0] = 0;
info.cipher_suits[1] = 1;
info.cipher_suits[2] = 2;
...
info.cipher_suits[4] = 4;

@dthaler
Collaborator

dthaler commented Mar 18, 2024

Looks like a duplicate of vbpf/ebpf-verifier#441
Workarounds are either:
a) Use the pragma unroll macro (see https://stackoverflow.com/questions/27310229/loop-unrolling-in-clang) to tell the compiler to unroll the loop like you mentioned, or
b) Make the loop count down instead of up. Sometimes that will work.

dahavey added the triaged label Mar 18, 2024
@dahavey
Contributor

dahavey commented Mar 18, 2024

Tracked by #1993

@dahavey dahavey closed this as completed Mar 18, 2024
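
The two workarounds from dthaler's comment, applied to the reporter's loop as an added example (not code from the issue or from the project). `SUITE_SLOTS`, `UNROLL_LOOP`, `ALWAYS_INLINE`, the `clear_suites_*` helpers and `check_workaround` are hypothetical names; the host-side check only confirms both forms zero the array, and whether a given build passes still has to be confirmed with `netsh ebpf show verification`.

```c
#include <stdint.h>
#include <string.h>

#define SUITE_SLOTS 50 /* array length of cipher_suits in the issue's struct */

typedef struct {
    uint16_t cipher_suits[SUITE_SLOTS];
    uint8_t cipher_suit_count;
} client_hello_info;

/* "#pragma unroll" is a clang loop hint; other compilers get no hint here. */
#if defined(__clang__)
#define UNROLL_LOOP _Pragma("unroll")
#else
#define UNROLL_LOOP
#endif

#define ALWAYS_INLINE static inline __attribute__((always_inline))

/* Workaround (a): ask clang to unroll the loop, so the stores use constant
 * indices like the hand-written stores reported in the thread. */
ALWAYS_INLINE void clear_suites_unrolled(client_hello_info *info)
{
    UNROLL_LOOP
    for (int i = 0; i < SUITE_SLOTS; i++)
        info->cipher_suits[i] = 0;
}

/* Workaround (b): count down instead of up; the thread says this only
 * sometimes works, so re-run verification after the change. */
ALWAYS_INLINE void clear_suites_countdown(client_hello_info *info)
{
    for (int i = SUITE_SLOTS - 1; i >= 0; i--)
        info->cipher_suits[i] = 0;
}

/* Host-side check (constructed): poison the struct, apply one workaround
 * (0 = unrolled, 1 = count-down, anything else = none), count nonzero slots. */
int check_workaround(int which)
{
    client_hello_info info;
    int nonzero = 0;
    memset(&info, 0xFF, sizeof(info));
    if (which == 0) clear_suites_unrolled(&info);
    else if (which == 1) clear_suites_countdown(&info);
    for (int i = 0; i < SUITE_SLOTS; i++)
        nonzero += (info.cipher_suits[i] != 0);
    return nonzero;
}

int main(void) { return (check_workaround(0) || check_workaround(1)) ? 1 : 0; }
```

In the eBPF program itself, either helper would replace the `for` loop before the call to `bpf_ringbuf_output`.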