lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-Id: <20231210130001.2050847-1-menglong8.dong@gmail.com>
Date:   Sun, 10 Dec 2023 21:00:01 +0800
From:   Menglong Dong <menglong8.dong@...il.com>
To:     andrii@...nel.org
Cc:     ast@...nel.org, daniel@...earbox.net, john.fastabend@...il.com,
        martin.lau@...ux.dev, song@...nel.org, yonghong.song@...ux.dev,
        kpsingh@...nel.org, sdf@...gle.com, haoluo@...gle.com,
        jolsa@...nel.org, bpf@...r.kernel.org,
        linux-kernel@...r.kernel.org,
        Menglong Dong <menglong8.dong@...il.com>
Subject: [PATCH bpf-next] bpf: make the verifier trace the "not qeual" for regs

We can derive some new information for BPF_JNE in regs_refine_cond_op().
Take following code for example:

  /* The type of "a" is u16 */
  if (a > 0 && a < 100) {
    /* the range of the register for a is [0, 99], not [1, 99],
     * and will cause the following error:
     *
     *   invalid zero-sized read
     *
     * as a can be 0.
     */
    bpf_skb_store_bytes(skb, xx, xx, a, 0);
  }

In the code above, "a > 0" will be compiled to "jmp xxx if a == 0". In the
TRUE branch, the dst_reg will be marked as known to 0. However, in the
fallthrough(FALSE) branch, the dst_reg will not be handled, which makes
the [min, max] for a is [0, 99], not [1, 99].

For BPF_JNE, we can reduce the range of the dst reg if the src reg is a
const and is exactly the edge of the dst reg.

Signed-off-by: Menglong Dong <menglong8.dong@...il.com>
---
 kernel/bpf/verifier.c | 45 ++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 44 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 727a59e4a647..7b074ac93190 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1764,6 +1764,40 @@ static void __mark_reg_const_zero(struct bpf_reg_state *reg)
 	reg->type = SCALAR_VALUE;
 }
 
+#define CHECK_REG_MIN(value)			\
+do {						\
+	if ((value) == (typeof(value))imm)	\
+		value++;			\
+} while (0)
+
+#define CHECK_REG_MAX(value)			\
+do {						\
+	if ((value) == (typeof(value))imm)	\
+		value--;			\
+} while (0)
+
+static void mark_reg32_not_equal(struct bpf_reg_state *reg, u64 imm)
+{
+		CHECK_REG_MIN(reg->s32_min_value);
+		CHECK_REG_MAX(reg->s32_max_value);
+		CHECK_REG_MIN(reg->u32_min_value);
+		CHECK_REG_MAX(reg->u32_max_value);
+}
+
+static void mark_reg_not_equal(struct bpf_reg_state *reg, u64 imm)
+{
+		CHECK_REG_MIN(reg->smin_value);
+		CHECK_REG_MAX(reg->smax_value);
+
+		CHECK_REG_MIN(reg->umin_value);
+		CHECK_REG_MAX(reg->umax_value);
+
+		CHECK_REG_MIN(reg->s32_min_value);
+		CHECK_REG_MAX(reg->s32_max_value);
+		CHECK_REG_MIN(reg->u32_min_value);
+		CHECK_REG_MAX(reg->u32_max_value);
+}
+
 static void mark_reg_known_zero(struct bpf_verifier_env *env,
 				struct bpf_reg_state *regs, u32 regno)
 {
@@ -14332,7 +14366,16 @@ static void regs_refine_cond_op(struct bpf_reg_state *reg1, struct bpf_reg_state
 		}
 		break;
 	case BPF_JNE:
-		/* we don't derive any new information for inequality yet */
+		/* try to recompute the bound of reg1 if reg2 is a const and
+		 * is exactly the edge of reg1.
+		 */
+		if (is_reg_const(reg2, is_jmp32)) {
+			val = reg_const_value(reg2, is_jmp32);
+			if (is_jmp32)
+				mark_reg32_not_equal(reg1, val);
+			else
+				mark_reg_not_equal(reg1, val);
+		}
 		break;
 	case BPF_JSET:
 		if (!is_reg_const(reg2, is_jmp32))
-- 
2.39.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ