lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <68c5d85e.050a0220.3c6139.04d6.GAE@google.com>
Date: Sat, 13 Sep 2025 13:47:26 -0700
From: syzbot <syzbot+c950cc277150935cc0b5@...kaller.appspotmail.com>
To: linux-kernel@...r.kernel.org
Subject: Forwarded: WARNING in reg_bounds_sanity_check (2)

For archival purposes, forwarding an incoming command email to
linux-kernel@...r.kernel.org.

***

Subject: WARNING in reg_bounds_sanity_check (2)
Author: kriish.sharma2006@...il.com

#syz test

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index c4f69a9e9af6..4c6000d32f46 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16299,6 +16299,15 @@ static void regs_refine_cond_op(struct
bpf_reg_state *reg1, struct bpf_reg_state
        }
 }

+static void __maybe_normalize_reg(struct bpf_reg_state *reg)
+{
+    if (reg->umin_value > reg->umax_value ||
+        reg->smin_value > reg->smax_value ||
+        reg->u32_min_value > reg->u32_max_value ||
+        reg->s32_min_value > reg->s32_max_value)
+        __mark_reg_unbounded(reg);
+}
+
 /* Adjusts the register min/max values in the case that the dst_reg and
  * src_reg are both SCALAR_VALUE registers (or we are simply doing a BPF_K
  * check, in which case we have a fake SCALAR_VALUE representing
insn->imm).
@@ -16325,11 +16334,15 @@ static int reg_set_min_max(struct
bpf_verifier_env *env,
        regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode),
is_jmp32);
        reg_bounds_sync(false_reg1);
        reg_bounds_sync(false_reg2);
+       __maybe_normalize_reg(false_reg1);
+    __maybe_normalize_reg(false_reg2);

        /* jump (TRUE) branch */
        regs_refine_cond_op(true_reg1, true_reg2, opcode, is_jmp32);
        reg_bounds_sync(true_reg1);
        reg_bounds_sync(true_reg2);
+       __maybe_normalize_reg(true_reg1);
+    __maybe_normalize_reg(true_reg2);

        err = reg_bounds_sanity_check(env, true_reg1, "true_reg1");
        err = err ?: reg_bounds_sanity_check(env, true_reg2, "true_reg2");
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ