lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a584d6e00a7b78927debb828f252280777d2da6a.camel@gmail.com>
Date: Mon, 03 Nov 2025 10:09:23 -0800
From: Eduard Zingerman <eddyz87@...il.com>
To: KaFai Wan <kafai.wan@...ux.dev>, ast@...nel.org, daniel@...earbox.net, 
	john.fastabend@...il.com, andrii@...nel.org, martin.lau@...ux.dev,
 song@...nel.org, 	yonghong.song@...ux.dev, kpsingh@...nel.org,
 sdf@...ichev.me, haoluo@...gle.com, 	jolsa@...nel.org, shuah@...nel.org,
 paul.chaignon@...il.com, m.shachnai@...il.com, 
	harishankar.vishwanathan@...il.com, colin.i.king@...il.com,
 luis.gerhorst@....de, 	bpf@...r.kernel.org, linux-kernel@...r.kernel.org, 
	linux-kselftest@...r.kernel.org
Cc: Kaiyan Mei <M202472210@...t.edu.cn>, Yinhao Hu <dddddd@...t.edu.cn>
Subject: Re: [PATCH bpf-next v4 1/2] bpf: Skip bounds adjustment for
 conditional jumps on same scalar register

On Mon, 2025-11-03 at 14:31 +0800, KaFai Wan wrote:
> When conditional jumps are performed on the same scalar register
> (e.g., r0 <= r0, r0 > r0, r0 < r0), the BPF verifier incorrectly
> attempts to adjust the register's min/max bounds. This leads to
> invalid range bounds and triggers a BUG warning.
> 
> The problematic BPF program:
>    0: call bpf_get_prandom_u32
>    1: w8 = 0x80000000
>    2: r0 &= r8
>    3: if r0 > r0 goto <exit>
> 
> The instruction 3 triggers kernel warning:
>    3: if r0 > r0 goto <exit>
>    true_reg1: range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
>    true_reg2: const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] var_off=(0x0, 0x0)
> 
> Comparing a register with itself should not change its bounds and
> for most comparison operations, comparing a register with itself has
> a known result (e.g., r0 == r0 is always true, r0 < r0 is always false).
> 
> Fix this by:
> 1. Enhance is_scalar_branch_taken() to properly handle branch direction
>    computation for same register comparisons across all BPF jump operations
> 2. Adds early return in reg_set_min_max() to avoid bounds adjustment
>    for unknown branch directions (e.g., BPF_JSET) on the same register
> 
> The fix ensures that unnecessary bounds adjustments are skipped, preventing
> the verifier bug while maintaining correct branch direction analysis.
> 
> Reported-by: Kaiyan Mei <M202472210@...t.edu.cn>
> Reported-by: Yinhao Hu <dddddd@...t.edu.cn>
> Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/
> Signed-off-by: KaFai Wan <kafai.wan@...ux.dev>
> ---

Acked-by: Eduard Zingerman <eddyz87@...il.com>

[...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ