| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20251026163806.3300636-2-kafai.wan@linux.dev>
Date: Mon, 27 Oct 2025 00:38:05 +0800
From: KaFai Wan <kafai.wan@...ux.dev>
To: ast@...nel.org,
daniel@...earbox.net,
john.fastabend@...il.com,
andrii@...nel.org,
martin.lau@...ux.dev,
eddyz87@...il.com,
song@...nel.org,
yonghong.song@...ux.dev,
kpsingh@...nel.org,
sdf@...ichev.me,
haoluo@...gle.com,
jolsa@...nel.org,
shuah@...nel.org,
paul.chaignon@...il.com,
m.shachnai@...il.com,
memxor@...il.com,
harishankar.vishwanathan@...il.com,
colin.i.king@...il.com,
kafai.wan@...ux.dev,
luis.gerhorst@....de,
shung-hsi.yu@...e.com,
bpf@...r.kernel.org,
linux-kernel@...r.kernel.org,
linux-kselftest@...r.kernel.org
Cc: syzbot+c950cc277150935cc0b5@...kaller.appspotmail.com
Subject: [PATCH bpf-next 1/2] bpf: Fix tnum_overlap to check for zero mask first
Syzbot reported a kernel warning due to a range invariant violation in
the BPF verifier. The issue occurs when tnum_overlap() fails to detect
that two tnums don't have any overlapping bits.
The problematic BPF program:
0: call bpf_get_prandom_u32
1: r6 = r0
2: r6 &= 0xFFFFFFFFFFFFFFF0
3: r7 = r0
4: r7 &= 0x07
5: r7 -= 0xFF
6: if r6 == r7 goto <exit>
After instruction 5, R7 has the range:
R7: u64=[0xffffffffffffff01, 0xffffffffffffff08] var_off=(0xffffffffffffff00; 0xf)
R6 and R7 don't overlap since they have no agreeing bits. However,
is_branch_taken() fails to recognize this, causing the verifier to
refine register bounds and end up with inconsistent bounds:
6: if r6 == r7 goto <exit>
R6: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0)
R7: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0)
The root cause is that tnum_overlap() doesn't properly handle the case
where the masks have no overlapping bits.
Fix this by adding an early check for zero mask intersection in tnum_overlap().
Reported-by: syzbot+c950cc277150935cc0b5@...kaller.appspotmail.com
Fixes: f41345f47fb2 ("bpf: Use tnums for JEQ/JNE is_branch_taken logic")
Signed-off-by: KaFai Wan <kafai.wan@...ux.dev>
---
kernel/bpf/tnum.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c
index f8e70e9c3998..af2f38b4f840 100644
--- a/kernel/bpf/tnum.c
+++ b/kernel/bpf/tnum.c
@@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b)
{
u64 mu;
+ if ((a.mask & b.mask) == 0)
+ return false;
mu = ~a.mask & ~b.mask;
return (a.value & mu) == (b.value & mu);
}
--
2.43.0
Powered by blists - more mailing lists