lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Wed, 10 Aug 2022 18:08:49 +0800
From:   Youlin Li <liulin063@...il.com>
To:     daniel@...earbox.net, haoluo@...gle.com
Cc:     ast@...nel.org, john.fastabend@...il.com, andrii@...nel.org,
        martin.lau@...ux.dev, song@...nel.org, yhs@...com,
        kpsingh@...nel.org, sdf@...gle.com, jolsa@...nel.org,
        bpf@...r.kernel.org, linux-kernel@...r.kernel.org,
        Youlin Li <liulin063@...il.com>
Subject: [PATCH 1/2] bpf: Fix 32bit bounds update in ALU64

The commit ("bpf: Do more tight ALU bounds tracking") introduces a bug
that fails some selftests.

in previous versions of the code, when
__reg_combine_64_into_32() was called, the 32bit boundary was
completely deduced from the 64bit boundary, so there was a call to
__mark_reg32_unbounded() in __reg_combine_64_into_32(). But before
adjust_scalar_min_max_vals() calls
__reg_combine_64_into_32() , the 32bit bounds are already calculated
to some extent, and __mark_reg32_unbounded() will eliminate these
information.

Simply remove the call to __reg_combine_64_into_32() and copying a code
without __mark_reg32_unbounded() should work.

Before:
    ./test_verifier 142
    #142/p bounds check after truncation of non-boundary-crossing range FAIL
    Failed to load prog 'Permission denied'!
    invalid access to map value, value_size=8 off=16777215 size=1
    R0 max value is outside of the allowed memory range
    verification time 149 usec
    stack depth 8
    processed 15 insns (limit 1000000) max_states_per_insn 0
    total_states 0 peak_states 0 mark_read 0
    Summary: 0 PASSED, 1 SKIPPED, 1 FAILED

After:
    ./test_verifier 142
    #142/p bounds check after truncation of non-boundary-crossing range OK
    Summary: 1 PASSED, 1 SKIPPED, 0 FAILED

Signed-off-by: Youlin Li <liulin063@...il.com>
---
 kernel/bpf/verifier.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 11d8bb54ba6b..7ea6e0372d62 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9014,7 +9014,17 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
 		/* ALU32 ops are zero extended into 64bit register */
 		zext_32_to_64(dst_reg);
 	} else {
-		__reg_combine_64_into_32(dst_reg);
+		if (__reg64_bound_s32(dst_reg->smin_value) &&
+		    __reg64_bound_s32(dst_reg->smax_value)) {
+			dst_reg->s32_min_value = (s32)dst_reg->smin_value;
+			dst_reg->s32_max_value = (s32)dst_reg->smax_value;
+		}
+		if (__reg64_bound_u32(dst_reg->umin_value) &&
+		    __reg64_bound_u32(dst_reg->umax_value)) {
+			dst_reg->u32_min_value = (u32)dst_reg->umin_value;
+			dst_reg->u32_max_value = (u32)dst_reg->umax_value;
+		}
+		reg_bounds_sync(dst_reg);
 	}
 	return 0;
 }
-- 
2.25.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ