lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <20250913222323.894182-1-kriish.sharma2006@gmail.com>
Date: Sat, 13 Sep 2025 22:23:23 +0000
From: Kriish Sharma <kriish.sharma2006@...il.com>
To: ast@...nel.org,
	daniel@...earbox.net,
	john.fastabend@...il.com,
	andrii@...nel.org
Cc: martin.lau@...ux.dev,
	eddyz87@...il.com,
	song@...nel.org,
	yonghong.song@...ux.dev,
	kpsingh@...nel.org,
	sdf@...ichev.me,
	haoluo@...gle.com,
	jolsa@...nel.org,
	bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	Kriish Sharma <kriish.sharma2006@...il.com>,
	syzbot+c950cc277150935cc0b5@...kaller.appspotmail.com
Subject: [PATCH] bpf: verifier: fix WARNING in reg_bounds_sanity_check (2)

syzbot reported a "REG INVARIANTS VIOLATION" triggered in reg_bounds_sanity_check()
due to inconsistent umin/umax and var_off state after min/max updates.

reg_set_min_max() and adjust_reg_min_max_vals() could leave a register state
partially updated before syncing the bounds, causing verifier_bug() to fire.

This patch ensures reg_bounds_sync() is called after updates, and additionally
marks registers unbounded if min/max values are inconsistent, so that umin/umax,
smin/smax, and var_off remain consistent.

Fixes: d69eb204c255 ("Merge tag 'net-6.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net")
Reported-by: syzbot+c950cc277150935cc0b5@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c950cc277150935cc0b5
Signed-off-by: Kriish Sharma <kriish.sharma2006@...il.com>
---
 kernel/bpf/verifier.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index c4f69a9e9af6..8f5f02d39005 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16299,6 +16299,19 @@ static void regs_refine_cond_op(struct bpf_reg_state *reg1, struct bpf_reg_state
 	}
 }
 
+/* Ensure that a register's min/max bounds are sane.
+ * If any of the unsigned/signed bounds are inconsistent, mark the
+ * register as unbounded to prevent verifier invariant violations.
+ */
+static void __maybe_normalize_reg(struct bpf_reg_state *reg)
+{
+	if (reg->umin_value > reg->umax_value ||
+		reg->smin_value > reg->smax_value ||
+		reg->u32_min_value > reg->u32_max_value ||
+		reg->s32_min_value > reg->s32_max_value)
+			__mark_reg_unbounded(reg);
+}
+
 /* Adjusts the register min/max values in the case that the dst_reg and
  * src_reg are both SCALAR_VALUE registers (or we are simply doing a BPF_K
  * check, in which case we have a fake SCALAR_VALUE representing insn->imm).
@@ -16325,11 +16338,15 @@ static int reg_set_min_max(struct bpf_verifier_env *env,
 	regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32);
 	reg_bounds_sync(false_reg1);
 	reg_bounds_sync(false_reg2);
+	__maybe_normalize_reg(false_reg1);
+	__maybe_normalize_reg(false_reg2);
 
 	/* jump (TRUE) branch */
 	regs_refine_cond_op(true_reg1, true_reg2, opcode, is_jmp32);
 	reg_bounds_sync(true_reg1);
 	reg_bounds_sync(true_reg2);
+	__maybe_normalize_reg(true_reg1);
+	__maybe_normalize_reg(true_reg2);
 
 	err = reg_bounds_sanity_check(env, true_reg1, "true_reg1");
 	err = err ?: reg_bounds_sanity_check(env, true_reg2, "true_reg2");
-- 
2.34.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ