Date:   Sat, 07 Mar 2020 00:10:23 +0000
From:   John Fastabend <john.fastabend@...il.com>
To:     yhs@...com, alexei.starovoitov@...il.com, daniel@...earbox.net
Cc:     netdev@...r.kernel.org, bpf@...r.kernel.org,
        john.fastabend@...il.com
Subject: [RFC bpf PATCH 0/4] rfc for 32-bit subreg verifier tracking

This series adds 32-bit subreg bounds support to the verifier. This is the
fallout from trying to apply patch 3/4 to fix return value refinement.
With the fix it turned out some code that _should_ pass the
verifier no longer worked. The root cause of this (see patch 4/4 for
detailed trace) was improper tracking of the 32-bit subreg values. So
that even if a program zero'd the upper 32-bits we wouldn't actually
pass the program.

I tried various other half-measures before I decided it was best to
do proper 32-bit bounds tracking. Each time I tried to "hack" the
result I wanted in the interest of minimal code changes I ended up
with something that was both ugly and usually only matched a small
subset of patterns. Also, in general I'm against pattern matching
special cases because it ends up buggy/broken usually as soon as
we get code in the wild that doesn't do the exact thing we pattern
matched.

So end result is u32_{min|max}_value, s32_{min|max}_value,
and var32_off bounds tracking. See patch 2/4 for the details and a few
questions we should address in the RFC while I write up some more
test cases.

After this series we can do some nice cleanup in *next branch. For
example, add proper types for int return values so we can be more
precise. And flush out some additional logic in the ALU ops to
track rsh, lsh, arsh better.

Please, take a look at patch 2 for a couple design questions.

RFC because, needs a bit more review on my part, a couple cleanup
lines still in 2/4, still need to run test_progs all the way
through I missed a bunch due to missing kernel config options, and
want to write a couple verifier tests to catch the subtle cases.

I thought it would be best to get some early/quick review feedback
while I work on the tests. It does pass test_verifier though in
current state.

Thanks,
John

---

John Fastabend (4):
      bpf: verifer, refactor adjust_scalar_min_max_vals
      bpf: verifier, do explicit u32 bounds tracking
      bpf: verifier, do_refine_retval_range may clamp umin to 0 incorrectly
      bpf: selftests, bpf_get_stack return value add <0


 tools/testing/selftests/bpf/test_verifier.c        |    2 +-
 .../testing/selftests/bpf/verifier/bpf_get_stack.c |    3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

--
Signature
