内核samples/bpf代码中tracex1_kernel中把bpr_probe_read中的第二个参数变成*2,相当于恶意读取字段数值,编译没有错误,但是在load bpf的时候verfify checker会有大量的错误
/* non-portable! works for the given kernel only */ skb = (struct sk_buff *) PT_REGS_PARM1(ctx); dev = _(skb->dev); len = _(skb->len); bpf_probe_read(devname, sizeof(devname)*2, dev->name);
verify会发生大量的错误,这里是verfiyer会去检查相关的逻辑
bpf_load_program() err=13 0: (79) r6 = *(u64 *)(r1 +112) 1: (b7) r7 = 0 2: (7b) *(u64 *)(r10 -16) = r7 last_idx 2 first_idx 0 regs=80 stack=0 before 1: (b7) r7 = 0 3: (bf) r3 = r6 4: (07) r3 += 16 5: (bf) r1 = r10 6: (07) r1 += -16 7: (b7) r2 = 8 8: (85) call bpf_probe_read#4 last_idx 8 first_idx 0 regs=4 stack=0 before 7: (b7) r2 = 8 9: (79) r8 = *(u64 *)(r10 -16) 10: (63) *(u32 *)(r10 -16) = r7 11: (bf) r3 = r6 12: (07) r3 += 112 13: (bf) r1 = r10 14: (07) r1 += -16 15: (b7) r2 = 4 16: (85) call bpf_probe_read#4 last_idx 16 first_idx 0 regs=4 stack=0 before 15: (b7) r2 = 4 17: (61) r7 = *(u32 *)(r10 -16) 18: (bf) r1 = r10 19: (07) r1 += -16 20: (b7) r2 = 32 21: (bf) r3 = r8 22: (85) call bpf_probe_read#4 invalid stack type R1 off=-16 access_size=32 processed 23 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1 0: (79) r6 = *(u64 *)(r1 +112) 1: (b7) r7 = 0 2: (7b) *(u64 *)(r10 -16) = r7 last_idx 2 first_idx 0 regs=80 stack=0 before 1: (b7) r7 = 0 3: (bf) r3 = r6 4: (07) r3 += 16 5: (bf) r1 = r10 6: (07) r1 += -16 7: (b7) r2 = 8 8: (85) call bpf_probe_read#4 last_idx 8 first_idx 0 regs=4 stack=0 before 7: (b7) r2 = 8 9: (79) r8 = *(u64 *)(r10 -16) 10: (63) *(u32 *)(r10 -16) = r7 11: (bf) r3 = r6 12: (07) r3 += 112 13: (bf) r1 = r10 14: (07) r1 += -16 15: (b7) r2 = 4 16: (85) call bpf_probe_read#4 last_idx 16 first_idx 0 regs=4 stack=0 before 15: (b7) r2 = 4 17: (61) r7 = *(u32 *)(r10 -16) 18: (bf) r1 = r10 19: (07) r1 += -16 20: (b7) r2 = 32 21: (bf) r3 = r8 22: (85) call bpf_probe_read#4 invalid stack type R1 off=-16 access_size=32 processed 23 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1