lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20251022164457.1203756-2-kafai.wan@linux.dev>
Date: Thu, 23 Oct 2025 00:44:56 +0800
From: KaFai Wan <kafai.wan@...ux.dev>
To: ast@...nel.org,
	daniel@...earbox.net,
	john.fastabend@...il.com,
	andrii@...nel.org,
	martin.lau@...ux.dev,
	eddyz87@...il.com,
	song@...nel.org,
	yonghong.song@...ux.dev,
	kpsingh@...nel.org,
	sdf@...ichev.me,
	haoluo@...gle.com,
	jolsa@...nel.org,
	shuah@...nel.org,
	paul.chaignon@...il.com,
	m.shachnai@...il.com,
	luis.gerhorst@....de,
	colin.i.king@...il.com,
	harishankar.vishwanathan@...il.com,
	bpf@...r.kernel.org,
	linux-kernel@...r.kernel.org,
	linux-kselftest@...r.kernel.org
Cc: KaFai Wan <kafai.wan@...ux.dev>,
	Kaiyan Mei <M202472210@...t.edu.cn>,
	Yinhao Hu <dddddd@...t.edu.cn>
Subject: [PATCH bpf-next 1/2] bpf: Skip bounds adjustment for conditional jumps on same register

When conditional jumps are performed on the same register (e.g., r0 <= r0,
r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier
incorrectly attempts to adjust the register's min/max bounds. This leads to
invalid range bounds and triggers a BUG warning:

verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
WARNING: CPU: 0 PID: 93 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
Modules linked in:
CPU: 0 UID: 0 PID: 93 Comm: repro-x-3 Tainted: G        W           6.18.0-rc1-ge7586577b75f-dirty #218 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:reg_bounds_sanity_check+0x163/0x220
Call Trace:
 <TASK>
 reg_set_min_max.part.0+0x1b1/0x360
 check_cond_jmp_op+0x1195/0x1a60
 do_check_common+0x33ac/0x33c0
 ...

The issue occurs in reg_set_min_max() function where bounds adjustment logic
is applied even when both registers being compared are the same. Comparing a
register with itself should not change its bounds since the comparison result
is always known (e.g., r0 == r0 is always true, r0 < r0 is always false).

Fix this by adding an early return in reg_set_min_max() when false_reg1 and
false_reg2 point to the same register, skipping the unnecessary bounds
adjustment that leads to the verifier bug.

Reported-by: Kaiyan Mei <M202472210@...t.edu.cn>
Reported-by: Yinhao Hu <dddddd@...t.edu.cn>
Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/
Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors")
Signed-off-by: KaFai Wan <kafai.wan@...ux.dev>
---
 kernel/bpf/verifier.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6d175849e57a..420ad512d1af 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16429,6 +16429,10 @@ static int reg_set_min_max(struct bpf_verifier_env *env,
 	if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE)
 		return 0;
 
+	/* If conditional jumps on the same register, skip the adjustment */
+	if (false_reg1 == false_reg2)
+		return 0;
+
 	/* fallthrough (FALSE) branch */
 	regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32);
 	reg_bounds_sync(false_reg1);
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ