lists.openwall.net
Open Source and information security mailing list archives
Message-ID: <20250521183911.21781-1-puranjay@kernel.org>
Date: Wed, 21 May 2025 18:39:09 +0000
From: Puranjay Mohan <puranjay@...nel.org>
To: Alexei Starovoitov <ast@...nel.org>,
	Daniel Borkmann <daniel@...earbox.net>,
	John Fastabend <john.fastabend@...il.com>,
	Andrii Nakryiko <andrii@...nel.org>,
	Martin KaFai Lau <martin.lau@...ux.dev>,
	Eduard Zingerman <eddyz87@...il.com>,
	Song Liu <song@...nel.org>,
	Yonghong Song <yonghong.song@...ux.dev>,
	KP Singh <kpsingh@...nel.org>,
	Stanislav Fomichev <sdf@...gle.com>,
	Hao Luo <haoluo@...gle.com>,
	Jiri Olsa <jolsa@...nel.org>,
	bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org
Subject: [PATCH bpf] bpf: verifier: support BPF_LOAD_ACQ in insn_def_regno()

insn_def_regno() currently returns -1 for a BPF_LOAD_ACQ which is
incorrect as BPF_LOAD_ACQ loads a value from (src_reg + off) into the
dst_reg.

This was uncovered by syzkaller while fuzzing on arm32 architecture
where this function was being called by opt_subreg_zext_lo32_rnd_hi32()
and the warning inside this function was triggered because the
BPF_LOAD_ACQ instruction can read 32-bit values so it needs to be
zero-extended on some archs (e.g. arm32) but the destination register (to
be zero-extended) returned by insn_def_regno() was invalid (-1).

Fixes: 880442305a39 ("bpf: Introduce load-acquire and store-release instructions")
Reported-by: syzbot+0ef84a7bdf5301d4cbec@...kaller.appspotmail.com
Closes: https://lore.kernel.org/bpf/682dd10b.a00a0220.29bc26.028e.GAE@google.com/T/#m1457e14da8cf6c1d9703b446c224407bca758f5c
Signed-off-by: Puranjay Mohan <puranjay@...nel.org>
---
 kernel/bpf/verifier.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 54c6953a8b84..9aa67e46cb8b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3643,6 +3643,9 @@ static bool is_reg64(struct bpf_verifier_env *env, struct bpf_insn *insn,
 /* Return the regno defined by the insn, or -1. */
 static int insn_def_regno(const struct bpf_insn *insn)
 {
+	if (is_atomic_load_insn(insn))
+		return insn->dst_reg;
+
 	switch (BPF_CLASS(insn->code)) {
 	case BPF_JMP:
 	case BPF_JMP32:
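Review bot: the early return placed ahead of the switch needs a one-line comment explaining why atomic loads cannot go through the normal class handling, because the function's only documentation is `/* Return the regno defined by the insn, or -1. */` and a later reader will not know that the switch below yields -1 for BPF_LOAD_ACQ, which is exactly the bug being fixed. A comment such as `/* BPF_LOAD_ACQ writes dst_reg; the class switch below would report -1 */` directly above `if (is_atomic_load_insn(insn))` would make the placement self-explanatory. Since the problem was only found by syzkaller hitting the warning in opt_subreg_zext_lo32_rnd_hi32(), a selftest with a BPF_LOAD_ACQ of a 32-bit value that exercises the zero-extension path would give this fix a regression test rather than relying on fuzzing to catch a reoccurrence.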
-- 
2.47.1

