lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f081ab10-f94c-b271-aee9-1b5991b28e26@solarflare.com>
Date:   Mon, 4 Dec 2017 20:23:40 +0000
From:   Edward Cree <ecree@...arflare.com>
To:     Jann Horn <jannh@...gle.com>, Alexei Starovoitov <ast@...nel.org>,
        Daniel Borkmann <daniel@...earbox.net>
CC:     Network Development <netdev@...r.kernel.org>,
        kernel list <linux-kernel@...r.kernel.org>
Subject: Re: BPF: bug without effect in BPF_RSH case of
 adjust_scalar_min_max_vals()

On 04/12/17 17:03, Jann Horn wrote:
> As far as I can tell, commit b03c9f9fdc37 ("bpf/verifier: track signed
> and unsigned min/max values") introduced the following effectless bug
> in the BPF_RSH case of adjust_scalar_min_max_vals() (unless that's
> intentional):
>
> `dst_reg->smax_value` is only updated in the case where
> `dst_reg->smin_value < 0` and `umin_val == 0`. This is obviously
> harmless if `dst_reg->smax_value >= 0`, but if `dst_reg->smax_value <
> 0`, this will temporarily result in a state where the signed upper
> bound of `dst_reg` is lower than the signed lower bound (which will be
> set to 0). I don't think this should ever happen.
Yep, I think you're right that there's a bug there; but I'm not sure it's
 harmless in the dst_reg->smax_value >= 0 case either.  Consider: if
 dst_reg->smin_value < 0 and dst_reg->smax_value >= 0, then -1 is a
 possible value; and ((u64)-1) >> 1 == S64_MAX.  So in that case we have
 to set dst_reg->smax_value = ((u64)-1) >> umin_val (so long as umin_val
 isn't 0, which is the other branch).
If dst_reg->smax_value < 0, then we should set dst_reg->smax_value =
 ((u64)dst_reg->smax_value) >> umin_val, again excepting the case of
 umin_val == 0.
Thanks for spotting this!
I'll rustle up a patch tomorrow, unless you beat me to it.  Can I have an
 SOB for your BPF bytecode, so I can incorporate it into selftests?

-Ed

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ