Re: R? min value is negative, either use unsigned or 'var &= const' #verifier


Simon
 

Hi,
I started to rewrite my code without using bcc (I only used the bpf C API / clang / iproute2).

I have a reduced version compared to the one I used here; unlike the previous error I reported here, I was not able to reproduce it.
But I get a new one for exactly the same call (checksum calculation / bpf_csum_diff ...):

4: (57) r0 &= 65535
65: (0f) r0 += r1
66: (bf) r1 = r0
67: (77) r1 >>= 16
68: (15) if r1 == 0x0 goto pc+2

R0=inv(id=0,umax_value=4295032831,var_off=(0x0; 0x1ffffffff)) 
R1=inv(id=0,umax_value=65536,var_off=(0x0; 0x1ffff)) R6=pkt(id=0,off=34,r=42,imm=0) 
R7=inv(id=0,umax_value=511,var_off=(0x0; 0x1ff)) R8=inv0 
R9=pkt(id=0,off=0,r=42,imm=0) R10=fp0,call_-1
69: (57) r0 &= 65535
70: (0f) r0 += r1
71: (bf) r1 = r0
72: (77) r1 >>= 16
73: (0f) r1 += r0
74: (a7) r1 ^= -1
75: (6b) *(u16 *)(r9 +24) = r1
76: (6b) *(u16 *)(r9 +40) = r8
77: (bf) r3 = r9
78: (07) r3 += 26
79: (b7) r1 = 0
80: (b7) r2 = 0
81: (b7) r4 = 4
82: (b7) r5 = 0
83: (85) call bpf_csum_diff#28
84: (bf) r3 = r9
85: (07) r3 += 30
86: (b7) r1 = 0
87: (b7) r2 = 0
88: (b7) r4 = 4
89: (bf) r5 = r0
90: (85) call bpf_csum_diff#28
91: (71) r1 = *(u8 *)(r9 +23)
92: (dc) r1 = be32 r1
93: (63) *(u32 *)(r10 -4) = r1
94: (bf) r8 = r10
95: (07) r8 += -4
96: (b7) r1 = 0
97: (b7) r2 = 0
98: (bf) r3 = r8
99: (b7) r4 = 4
100: (bf) r5 = r0
101: (85) call bpf_csum_diff#28
102: (57) r7 &= 65535
103: (bf) r1 = r7
104: (dc) r1 = be32 r1
105: (63) *(u32 *)(r10 -4) = r1
106: (b7) r1 = 0
107: (b7) r2 = 0
108: (bf) r3 = r8
109: (b7) r4 = 4
110: (bf) r5 = r0
111: (85) call bpf_csum_diff#28
112: (b7) r1 = 0
113: (b7) r2 = 0
114: (bf) r3 = r6
115: (bf) r4 = r7
116: (bf) r5 = r0
117: (85) call bpf_csum_diff#28
invalid access to packet, off=34 size=511, R3(id=0,off=34,r=42)

I think I understand the error.

R7 is my udp_len variable. It is considered an integer with a max value of 511 (the min value should be 8, but I cannot see that in the verifier log).
And R6 is a reference to the packet at offset 34 with a max valid size of 42 (r=42?), and so boom!

But I already checked that this is a valid access before: https://github.com/sbernard31/udploadbalancer/blob/bpf_only_without_logs/ulb.c#L115

Is it another issue? Or pretty much the same?

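As an added illustration (editor's example, not code from the post, the udploadbalancer project, or the kernel verifier), the following is a deliberately simplified model of two things the log above shows: how unsigned bounds of a scalar register evolve through `&=`, `+=` and `>>=`, and the check a helper's (packet pointer, size) argument pair has to pass. The starting register values (R0 umax 4295032831, R1 umax 65536, R7 umax 511, R6/R9 with off and r=42) are taken from the log; the bound arithmetic is a reduced version of the real verifier's umin/umax tracking and ignores var_off and signed bounds, so treat the numbers it produces for instructions 69-73 as the model's output, not as the kernel's. The model also drops the lower bound after a mask, which matches the post's observation that the minimum of the masked length is not visible, and the packet check uses the largest possible size, which is why a size bounded only by umax=511 at offset 34 is rejected against r=42 while the constant-size calls at offsets 26 and 30 pass.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Unsigned value range the model tracks for a scalar register (the verifier's
 * umin_value/umax_value; var_off and signed bounds are left out). */
typedef struct { uint64_t umin, umax; } ubounds;

static const ubounds UNKNOWN_SCALAR = { 0, UINT64_MAX };

/* r &= K: the result is at most min(old max, K); the lower bound is dropped,
 * which is why a masked length shows umin 0 even if it is never that small. */
static ubounds ub_and_const(ubounds a, uint64_t k)
{
    ubounds r = { 0, a.umax < k ? a.umax : k };
    return r;
}

/* r += r': add both ends; if the maximum overflows, nothing is known. */
static ubounds ub_add(ubounds a, ubounds b)
{
    if (UINT64_MAX - a.umax < b.umax)
        return UNKNOWN_SCALAR;
    ubounds r = { a.umin + b.umin, a.umax + b.umax };
    return r;
}

/* r >>= K (logical shift): both ends shift. */
static ubounds ub_rsh_const(ubounds a, unsigned k)
{
    ubounds r = { a.umin >> k, a.umax >> k };
    return r;
}

/* Replay instructions 69-73 of the log, starting from the register state the
 * verifier printed before 69 (R0 umax=4295032831, R1 umax=65536). Returns the
 * model's bounds of R1 just before "r1 ^= -1". */
static ubounds replay_csum_fold(void)
{
    ubounds r0 = { 0, 4295032831ULL };
    ubounds r1 = { 0, 65536 };
    r0 = ub_and_const(r0, 65535);      /* 69: r0 &= 65535 */
    r0 = ub_add(r0, r1);               /* 70: r0 += r1   */
    r1 = r0;                           /* 71: r1 = r0    */
    r1 = ub_rsh_const(r1, 16);         /* 72: r1 >>= 16  */
    r1 = ub_add(r1, r0);               /* 73: r1 += r0   */
    return r1;
}

/* Model of the check a helper's (packet pointer, size) argument pair must
 * pass: the LARGEST possible size, added to the pointer's offset, has to stay
 * within the bytes already proven readable (the "r=" range in the log).
 * Offsets are assumed non-negative in this model. */
static bool helper_pkt_arg_ok(uint64_t ptr_off, uint64_t range, ubounds size)
{
    return ptr_off + size.umax <= range;
}

int main(void)
{
    ubounds r1 = replay_csum_fold();
    printf("R1 before 74: umin=%llu umax=%llu\n",
           (unsigned long long)r1.umin, (unsigned long long)r1.umax);

    /* 77-83: r3 = r9 + 26 with r4 = 4, R9 has r=42 -> 26 + 4 <= 42 */
    ubounds four = { 4, 4 };
    printf("csum_diff at off 26, size 4: %s\n",
           helper_pkt_arg_ok(26, 42, four) ? "ok" : "rejected");

    /* 114-117: r3 = r6 (off=34, r=42) with r4 = r7 (umax 511) -> 34 + 511 > 42 */
    ubounds udp_len = { 0, 511 };
    printf("csum_diff at off 34, size [0,511]: %s\n",
           helper_pkt_arg_ok(34, 42, udp_len) ? "ok" : "rejected");
    return 0;
}
```

The useful takeaway for this kind of rejection is that the helper check is made against the upper bound of the size register, so a comparison that only guards the packet pointer does not help unless it also tightens the size the verifier can see being passed; the model makes that visible by feeding it the same off, r and umax values the log prints.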