lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <ed4e9b731744dd0f80f5f909649dc429cd38d662.camel@linux.dev>
Date: Tue, 28 Oct 2025 22:01:50 +0800
From: KaFai Wan <kafai.wan@...ux.dev>
To: Eduard Zingerman <eddyz87@...il.com>, ast@...nel.org,
 daniel@...earbox.net,  john.fastabend@...il.com, andrii@...nel.org,
 martin.lau@...ux.dev, song@...nel.org,  yonghong.song@...ux.dev,
 kpsingh@...nel.org, sdf@...ichev.me, haoluo@...gle.com,  jolsa@...nel.org,
 shuah@...nel.org, paul.chaignon@...il.com, m.shachnai@...il.com, 
 harishankar.vishwanathan@...il.com, colin.i.king@...il.com,
 luis.gerhorst@....de,  bpf@...r.kernel.org, linux-kernel@...r.kernel.org, 
 linux-kselftest@...r.kernel.org
Cc: Kaiyan Mei <M202472210@...t.edu.cn>, Yinhao Hu <dddddd@...t.edu.cn>
Subject: Re: [PATCH bpf-next v2 1/2] bpf: Skip bounds adjustment for
 conditional jumps on same register

On Mon, 2025-10-27 at 13:09 -0700, Eduard Zingerman wrote:
> On Sat, 2025-10-25 at 13:30 +0800, KaFai Wan wrote:
> > When conditional jumps are performed on the same register (e.g., r0 <= r0,
> > r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier
> > incorrectly attempts to adjust the register's min/max bounds. This leads to
> > invalid range bounds and triggers a BUG warning:
> > 
> > verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0]
> > s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
> > WARNING: CPU: 0 PID: 92 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
> > Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2
> > 04/01/2014
> > RIP: 0010:reg_bounds_sanity_check+0x163/0x220
> > Call Trace:
> >  <TASK>
> >  reg_set_min_max+0xf7/0x1d0
> >  check_cond_jmp_op+0x57b/0x1730
> >  ? print_bpf_insn+0x3d5/0xa50
> >  do_check_common+0x33ac/0x33c0
> >  ...
> > 
> > The root cause is in regs_refine_cond_op() where BPF_JLT/BPF_JSLT operations
> > adjust both min/max bounds on the same register, causing invalid bounds.
> > 
> > Since comparing a register with itself should not change its bounds (the
> > comparison result is always known: r0 == r0 is always true, r0 < r0 is
> > always false), the bounds adjustment is unnecessary.
> > 
> > Fix this by:
> > 1. Enhance is_branch_taken() and is_scalar_branch_taken() to properly
> >    handle branch direction computation for same register comparisons
> >    across all BPF jump operations
> > 2. For unknown branch directions (e.g., BPF_JSET), add early return in
> >    reg_set_min_max() to avoid bounds adjustment on the same register
> > 
> > The fix ensures that unnecessary bounds adjustments are skipped, preventing
> > the verifier bug while maintaining correct branch direction analysis.
> > 
> > Reported-by: Kaiyan Mei <M202472210@...t.edu.cn>
> > Reported-by: Yinhao Hu <dddddd@...t.edu.cn>
> > Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/
> > Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors")
> > Signed-off-by: KaFai Wan <kafai.wan@...ux.dev>
> > ---
> >  kernel/bpf/verifier.c | 32 ++++++++++++++++++++++++++++++++
> >  1 file changed, 32 insertions(+)
> > 
> > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> > index 6d175849e57a..653fa96ed0df 100644
> > --- a/kernel/bpf/verifier.c
> > +++ b/kernel/bpf/verifier.c
> > @@ -16037,6 +16037,12 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct
> > bpf_reg_sta
> >  		}
> >  		break;
> >  	case BPF_JSET:
> > +		if (reg1 == reg2) {
> > +			if (tnum_is_const(t1))
> > +				return t1.value != 0;
> > +			else
> > +				return (smin1 <= 0 && smax1 >= 0) ? -1 : 1;
> > +		}
> 
> I think this logic is fine, but it needs tests for multiple cases.
> 
ok, I'll add tests for that.

> >  		if (!is_reg_const(reg2, is_jmp32)) {
> >  			swap(reg1, reg2);
> >  			swap(t1, t2);
> > @@ -16172,6 +16178,25 @@ static int is_pkt_ptr_branch_taken(struct bpf_reg_state *dst_reg,
> >  static int is_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_state *reg2,
> >  			   u8 opcode, bool is_jmp32)
> >  {
> > +	if (reg1 == reg2) {
> > +		switch (opcode) {
> > +		case BPF_JGE:
> > +		case BPF_JLE:
> > +		case BPF_JSGE:
> > +		case BPF_JSLE:
> > +		case BPF_JEQ:
> > +			return 1;
> > +		case BPF_JGT:
> > +		case BPF_JLT:
> > +		case BPF_JSGT:
> > +		case BPF_JSLT:
> > +		case BPF_JNE:
> > +			return 0;
> > +		default:
> > +			break;
> > +		}
> > +	}
> > +
> 
> I think Alexei was against my suggestion to put it in
> is_branch_taken() and preferred is_scalar_branch_taken() instead.
> 
Hmm, I misunderstood that. If put in is_scalar_branch_taken() then just for scalar cases,
just confirm that.

> >  	if (reg_is_pkt_pointer_any(reg1) && reg_is_pkt_pointer_any(reg2) && !is_jmp32)
> >  		return is_pkt_ptr_branch_taken(reg1, reg2, opcode);
> >  
> > @@ -16429,6 +16454,13 @@ static int reg_set_min_max(struct bpf_verifier_env *env,
> >  	if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE)
> >  		return 0;
> >  
> > +	/* We compute branch direction for same registers in is_branch_taken() and
> > +	 * is_scalar_branch_taken(). For unknown branch directions (e.g., BPF_JSET)
> > +	 * on the same registers, we don't need to adjusts the min/max values.
> > +	 */
> > +	if (false_reg1 == false_reg2)
> > +		return 0;
> > +
> >  	/* fallthrough (FALSE) branch */
> >  	regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32);
> >  	reg_bounds_sync(false_reg1);

-- 
Thanks,
KaFai

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ