lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <CAADnVQ+4QoCU4gYEfTR6Ok122zkfG32s8AxRx-irMcCA1jEhvQ@mail.gmail.com>
Date: Fri, 31 Oct 2025 09:37:54 -0700
From: Alexei Starovoitov <alexei.starovoitov@...il.com>
To: KaFai Wan <kafai.wan@...ux.dev>
Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, 
	John Fastabend <john.fastabend@...il.com>, Andrii Nakryiko <andrii@...nel.org>, 
	Martin KaFai Lau <martin.lau@...ux.dev>, Eduard <eddyz87@...il.com>, Song Liu <song@...nel.org>, 
	Yonghong Song <yonghong.song@...ux.dev>, KP Singh <kpsingh@...nel.org>, 
	Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, 
	Shuah Khan <shuah@...nel.org>, Paul Chaignon <paul.chaignon@...il.com>, 
	Matan Shachnai <m.shachnai@...il.com>, Henriette Herzog <henriette.herzog@....de>, 
	Luis Gerhorst <luis.gerhorst@....de>, 
	Harishankar Vishwanathan <harishankar.vishwanathan@...il.com>, colin.i.king@...il.com, 
	bpf <bpf@...r.kernel.org>, LKML <linux-kernel@...r.kernel.org>, 
	"open list:KERNEL SELFTEST FRAMEWORK" <linux-kselftest@...r.kernel.org>, Kaiyan Mei <M202472210@...t.edu.cn>, 
	Yinhao Hu <dddddd@...t.edu.cn>
Subject: Re: [PATCH bpf-next v3 1/2] bpf: Skip bounds adjustment for
 conditional jumps on same scalar register

On Fri, Oct 31, 2025 at 8:44 AM KaFai Wan <kafai.wan@...ux.dev> wrote:
>
> When conditional jumps are performed on the same scalar register
> (e.g., r0 <= r0, r0 > r0, r0 < r0), the BPF verifier incorrectly
> attempts to adjust the register's min/max bounds. This leads to
> invalid range bounds and triggers a BUG warning.
>
> The problematic BPF program:
>    0: call bpf_get_prandom_u32
>    1: w8 = 0x80000000
>    2: r0 &= r8
>    3: if r0 > r0 goto <exit>
>
> The instruction 3 triggers kernel warning:
>    3: if r0 > r0 goto <exit>
>    true_reg1: range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
>    true_reg2: const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] var_off=(0x0, 0x0)
>
> Comparing a register with itself should not change its bounds and
> for most comparison operations, comparing a register with itself has
> a known result (e.g., r0 == r0 is always true, r0 < r0 is always false).
>
> Fix this by:
> 1. Enhance is_scalar_branch_taken() to properly handle branch direction
>    computation for same register comparisons across all BPF jump operations
> 2. Adds early return in reg_set_min_max() to avoid bounds adjustment
>    for unknown branch directions (e.g., BPF_JSET) on the same register
>
> The fix ensures that unnecessary bounds adjustments are skipped, preventing
> the verifier bug while maintaining correct branch direction analysis.
>
> Reported-by: Kaiyan Mei <M202472210@...t.edu.cn>
> Reported-by: Yinhao Hu <dddddd@...t.edu.cn>
> Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/
> Signed-off-by: KaFai Wan <kafai.wan@...ux.dev>
> ---
>  kernel/bpf/verifier.c | 33 +++++++++++++++++++++++++++++++++
>  1 file changed, 33 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 542e23fb19c7..a571263f4ebe 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -15995,6 +15995,8 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta
>
>         switch (opcode) {
>         case BPF_JEQ:
> +               if (reg1 == reg2)
> +                       return 1;
>                 /* constants, umin/umax and smin/smax checks would be
>                  * redundant in this case because they all should match
>                  */
> @@ -16021,6 +16023,8 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta
>                 }
>                 break;
>         case BPF_JNE:
> +               if (reg1 == reg2)
> +                       return 0;
>                 /* constants, umin/umax and smin/smax checks would be
>                  * redundant in this case because they all should match
>                  */
> @@ -16047,6 +16051,12 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta
>                 }
>                 break;
>         case BPF_JSET:
> +               if (reg1 == reg2) {
> +                       if (tnum_is_const(t1))
> +                               return t1.value != 0;
> +                       else
> +                               return (smin1 <= 0 && smax1 >= 0) ? -1 : 1;
> +               }
>                 if (!is_reg_const(reg2, is_jmp32)) {
>                         swap(reg1, reg2);
>                         swap(t1, t2);
> @@ -16059,48 +16069,64 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta
>                         return 0;
>                 break;
>         case BPF_JGT:
> +               if (reg1 == reg2)
> +                       return 0;
>                 if (umin1 > umax2)
>                         return 1;
>                 else if (umax1 <= umin2)
>                         return 0;
>                 break;
>         case BPF_JSGT:
> +               if (reg1 == reg2)
> +                       return 0;

This is uglier than the previous version.
reg1 == reg2 is a syzbot territory.
We shouldn't uglify the code everywhere because of it.

pw-bot: cr

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ