| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAEf4BzYUKkpFa5dp4Ye7jzK1RhYtS6Yv55GH18U21Qi6xxQetg@mail.gmail.com>
Date: Mon, 11 Dec 2023 11:15:48 -0800
From: Andrii Nakryiko <andrii.nakryiko@...il.com>
To: Menglong Dong <menglong8.dong@...il.com>
Cc: andrii@...nel.org, ast@...nel.org, daniel@...earbox.net,
john.fastabend@...il.com, martin.lau@...ux.dev, song@...nel.org,
yonghong.song@...ux.dev, kpsingh@...nel.org, sdf@...gle.com,
haoluo@...gle.com, jolsa@...nel.org, bpf@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH bpf-next] bpf: make the verifier trace the "not qeual" for regs
On Sun, Dec 10, 2023 at 5:00 AM Menglong Dong <menglong8.dong@...il.com> wrote:
>
> We can derive some new information for BPF_JNE in regs_refine_cond_op().
> Take following code for example:
>
> /* The type of "a" is u16 */
> if (a > 0 && a < 100) {
> /* the range of the register for a is [0, 99], not [1, 99],
> * and will cause the following error:
> *
> * invalid zero-sized read
> *
> * as a can be 0.
> */
> bpf_skb_store_bytes(skb, xx, xx, a, 0);
> }
>
> In the code above, "a > 0" will be compiled to "jmp xxx if a == 0". In the
> TRUE branch, the dst_reg will be marked as known to 0. However, in the
> fallthrough(FALSE) branch, the dst_reg will not be handled, which makes
> the [min, max] for a is [0, 99], not [1, 99].
>
> For BPF_JNE, we can reduce the range of the dst reg if the src reg is a
> const and is exactly the edge of the dst reg.
>
> Signed-off-by: Menglong Dong <menglong8.dong@...il.com>
> ---
> kernel/bpf/verifier.c | 45 ++++++++++++++++++++++++++++++++++++++++++-
> 1 file changed, 44 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 727a59e4a647..7b074ac93190 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -1764,6 +1764,40 @@ static void __mark_reg_const_zero(struct bpf_reg_state *reg)
> reg->type = SCALAR_VALUE;
> }
>
> +#define CHECK_REG_MIN(value) \
> +do { \
> + if ((value) == (typeof(value))imm) \
> + value++; \
> +} while (0)
> +
> +#define CHECK_REG_MAX(value) \
> +do { \
> + if ((value) == (typeof(value))imm) \
> + value--; \
> +} while (0)
> +
> +static void mark_reg32_not_equal(struct bpf_reg_state *reg, u64 imm)
> +{
> + CHECK_REG_MIN(reg->s32_min_value);
> + CHECK_REG_MAX(reg->s32_max_value);
> + CHECK_REG_MIN(reg->u32_min_value);
> + CHECK_REG_MAX(reg->u32_max_value);
> +}
> +
> +static void mark_reg_not_equal(struct bpf_reg_state *reg, u64 imm)
> +{
> + CHECK_REG_MIN(reg->smin_value);
> + CHECK_REG_MAX(reg->smax_value);
> +
> + CHECK_REG_MIN(reg->umin_value);
> + CHECK_REG_MAX(reg->umax_value);
> +
> + CHECK_REG_MIN(reg->s32_min_value);
> + CHECK_REG_MAX(reg->s32_max_value);
> + CHECK_REG_MIN(reg->u32_min_value);
> + CHECK_REG_MAX(reg->u32_max_value);
> +}
please don't use macros for this, this code is tricky enough without
having to jump around double-checking what exactly macros are doing.
Just code it explicitly.
Also I don't see the need for mark_reg32_not_equal() and
mark_reg_not_equal() helper functions, there is just one place where
this logic is going to be called from, so let's add code right there.
> +
> static void mark_reg_known_zero(struct bpf_verifier_env *env,
> struct bpf_reg_state *regs, u32 regno)
> {
> @@ -14332,7 +14366,16 @@ static void regs_refine_cond_op(struct bpf_reg_state *reg1, struct bpf_reg_state
> }
> break;
> case BPF_JNE:
> - /* we don't derive any new information for inequality yet */
> + /* try to recompute the bound of reg1 if reg2 is a const and
> + * is exactly the edge of reg1.
> + */
> + if (is_reg_const(reg2, is_jmp32)) {
> + val = reg_const_value(reg2, is_jmp32);
> + if (is_jmp32)
> + mark_reg32_not_equal(reg1, val);
> + else
> + mark_reg_not_equal(reg1, val);
> + }
> break;
> case BPF_JSET:
> if (!is_reg_const(reg2, is_jmp32))
> --
> 2.39.2
>
Powered by blists - more mailing lists