[DTrace-devel] [PATCH 1/6] strings: improve bounds on strlen return value

Nick Alcock nick.alcock at oracle.com
Thu Mar 24 00:45:06 UTC 2022


Checking for a positive bound rather than a zero one prevents the
minimum range of the return value of strlen coming out of the verifier
as -1 (which can cause later problems if the verifier decides it needs a
non-negative arg).

We know the return value from bpf_probe_read_str must be non-negative
anyway, as the comment in the following line notes: this just teaches
this to the verifier.

Signed-off-by: Nick Alcock <nick.alcock at oracle.com>
---
 bpf/strlen.c      |  2 +-
 include/bpf-lib.h | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/bpf/strlen.c b/bpf/strlen.c
index 71ddbca42f01..e10070c9bdaf 100644
--- a/bpf/strlen.c
+++ b/bpf/strlen.c
@@ -21,7 +21,7 @@ noinline uint64_t dt_strlen(const dt_dctx_t *dctx, const char *str)
 	int64_t	len;
 
 	len = bpf_probe_read_str(tmp, (uint64_t)&STRSZ + 1, str);
-	set_not_neg_bound(len);
+	set_positive_bound(len);
 
 	return len - 1;		/* bpf_probe_read_str() never returns 0 */
 }
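Review bot: The comment on the return line covers only the "never returns 0" case, but bpf_probe_read_str() returns a negative value on error, and with set_positive_bound(len) that error is now clamped to 1, so dt_strlen() returns 0 for an unreadable string, the same as for an empty one. If that is the intended behaviour, say so in the comment next to "return len - 1;". Otherwise check for a fault explicitly before the clamp so callers can tell the two cases apart.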
diff --git a/include/bpf-lib.h b/include/bpf-lib.h
index d7078da5c146..1c0d4a0c15cd 100644
--- a/include/bpf-lib.h
+++ b/include/bpf-lib.h
@@ -61,5 +61,20 @@
                 : /* no clobbers */ \
         );
 
+/*
+ * Explicit inline assembler to implement a positive bound check:
+ *
+ *	if (var < 1)
+ *		var = 1;
+ */
+#define set_positive_bound(var) \
+	asm ("jsgt %0, 0, 1f\n\t" \
+             "mov %0, 1\n\t" \
+             "1:" \
+                : "+r" (var) \
+                : /* no inputs */ \
+                : /* no clobbers */ \
+        );
+
 
 #endif /* BPF_LIB_H */
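Review bot: The comment above set_positive_bound() gives the C equivalent "if (var < 1) var = 1;" but does not say that the comparison is signed (jsgt) or that the macro exists to give the BPF verifier a lower bound of 1 on var. Both are worth stating, along with the expectation that var is a signed 64-bit value, since the macro does not enforce it. On style, the "asm (" line is indented with a tab while its continuation lines use spaces, and the added blank line after the macro leaves two blank lines before the #endif.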
-- 
2.35.1.261.g8402f930ba.dirty



