| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <da8e2759ad57dd96dcc722cfd781141b045ee718df316cec8705e2908e0cb948@mail.kernel.org>
Date: Tue, 28 Oct 2025 15:45:57 +0000 (UTC)
From: bot+bpf-ci@...nel.org
To: kafai.wan@...ux.dev,ast@...nel.org,daniel@...earbox.net,john.fastabend@...il.com,andrii@...nel.org,martin.lau@...ux.dev,eddyz87@...il.com,song@...nel.org,yonghong.song@...ux.dev,kpsingh@...nel.org,sdf@...ichev.me,haoluo@...gle.com,jolsa@...nel.org,shuah@...nel.org,paul.chaignon@...il.com,m.shachnai@...il.com,kafai.wan@...ux.dev,harishankar.vishwanathan@...il.com,colin.i.king@...il.com,luis.gerhorst@....de,shung-hsi.yu@...e.com,bpf@...r.kernel.org,linux-kernel@...r.kernel.org,linux-kselftest@...r.kernel.org
Cc: syzbot+c950cc277150935cc0b5@...kaller.appspotmail.com,ast@...nel.org,andrii@...nel.org,daniel@...earbox.net,martin.lau@...nel.org,eddyz87@...il.com,yonghong.song@...ux.dev,clm@...a.com,ihor.solodrai@...ux.dev
Subject: Re: [PATCH bpf-next v2 1/2] bpf: Fix tnum_overlap to check for zero mask intersection
```
commit 16cbc4520eb13d2065d145c76b97fb93035d81e8
Author: KaFai Wan <kafai.wan@...ux.dev>
bpf: Fix tnum_overlap to check for zero mask intersection
This patch adds an early return check in tnum_overlap() to detect
non-overlapping tnums when their masks have no overlapping bits. The
fix addresses a syzbot report where the verifier failed to recognize
that two tnums couldn't represent the same value.
Reported-by: syzbot+c950cc277150935cc0b5@...kaller.appspotmail.com
> diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c
> index f8e70e9c3..1a75b7c9a 100644
> --- a/kernel/bpf/tnum.c
> +++ b/kernel/bpf/tnum.c
> @@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b)
> {
> u64 mu;
>
> + if (a.mask && b.mask && !(a.mask & b.mask))
> + return false;
^^^^^
Does this logic correctly detect non-overlapping tnums? Consider this
counter-example:
a = (value=0x5, mask=0xA) // binary: value=0101, mask=1010
b = (value=0xA, mask=0x5) // binary: value=1010, mask=0101
The masks are disjoint: (0xA & 0x5) == 0, so the new check returns
false (no overlap).
However, these tnums actually represent overlapping sets:
a represents: {5, 7, 13, 15} // 0b0101, 0b0111, 0b1101, 0b1111
b represents: {10, 11, 14, 15} // 0b1010, 0b1011, 0b1110, 0b1111
Both sets contain 15, so they do overlap. Can this cause incorrect
verifier behavior when is_branch_taken() calls tnum_overlap() to
determine if JEQ/JNE branches are reachable?
> mu = ~a.mask & ~b.mask;
> return (a.value & mu) == (b.value & mu);
> }
```
---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
In-Reply-To-Subject: `bpf: Fix tnum_overlap to check for zero mask intersection`
CI run summary: https://github.com/kernel-patches/bpf/actions/runs/18880108453
Powered by blists - more mailing lists