eBPF Interpreter Implementation
The Linux interpreter lies here: kernel/bpf/core.c#___bpf_prog_run
To understand what exactly each instruction means and their undefined behaviors, given that no documentation ever states that (for now), we have to look into an actual, official implementation.
The following table uses a lot macros:
u64 *regs: The array of the registers,#define DST regs[insn->dst_reg]: thedst_reg,#define SRC regs[insn->src_reg]: thesrc_reg,#define IMM insn->imm: the immediate number (which isi32by the way).
To save some space, when SRC and IMM follows the same pattern, I am going to skip the latter.
INFO
Just in case someone forgets about type conversions in C like me, (u64_v) op (i32_v) actually does (u64_v) op (i32_v as i64 as u64) in Rust.
| Ops / Variant | Code | Notes |
|---|---|---|
| Shifts (64-bit) | DST = DST OP (SRC & 63) | |
| Shifts (32-bit) | DST = (u32) DST OP ((u32) SRC & 31) | Upper-half zeroed |
| Shifts (s64) | (*(s64 *) &DST) >>= (SRC & 63) | |
| Shifts (s32) | DST = (u64) (u32) (((s32) DST) >> (SRC & 31)) | Upper-half zeroed |
| ALU (64-bit) | DST = DST OP SRC | + - & | ^ * |
| ALU (32-bit) | DST = (u32) DST OP (u32) SRC | Upper-half zeroed |
| ALU (NEG64) | DST = -DST | |
| ALU (NEG32) | DST = (u32) -DST | Upper-half zeroed |
| ALU (MOV64) | DST = SRC | |
| ALU (MOV32) | DST = (u32) SRC | Upper-half zeroed |
| ALU (MOV_K 64) | DST = (__s32) IMM | Sign-extending |
LD_IMM_DW | See LD_IMM_DW | |
| MOD (64-bit) | div64_u64_rem(DST, SRC, &AX); DST = AX; | Unknown |
| MOD (32-bit) | AX = (u32) DST; DST = do_div(AX, (u32) SRC); | Unknown |
| DIV (64-bit) | DST = div64_u64(DST, SRC) | Unknown |
| DIV (32-bit) | AX = (u32) DST; do_div(AX, (u32) SRC); DST = (u32) AX; | Unknown |
| Endianness | DST = (__force u??) cpu_to_be??(DST) | Upper bits zeroed |
| Function calls | Pre-processed by the verifier. Skipping. | |
| JMP | insn += insn->off | +1 by outer loop |
| Conditional JMP | if ((SIGN##64) DST CMP_OP (SIGN##64) SRC) { ... } | Casts |
| STX | *(SIZE *)(unsigned long) (DST + insn->off) = SRC | Casts |
| ST | *(SIZE *)(unsigned long) (DST + insn->off) = IMM | Casts? |
| LDX | DST = *(SIZE *)(unsigned long) (SRC + insn->off) | Casts |
| Atomic | ... | WIP |
Notes
Note that the interpreter implementation is not necessarily the actual specification.