lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20200326063441.ymitkh5z6sgevbm4@ast-mbp>
Date:   Wed, 25 Mar 2020 23:34:41 -0700
From:   Alexei Starovoitov <alexei.starovoitov@...il.com>
To:     John Fastabend <john.fastabend@...il.com>
Cc:     ecree@...arflare.com, yhs@...com, daniel@...earbox.net,
        netdev@...r.kernel.org, bpf@...r.kernel.org
Subject: Re: [bpf-next PATCH 10/10] bpf: test_verifier, add alu32 bounds
 tracking tests

On Tue, Mar 24, 2020 at 10:40:55AM -0700, John Fastabend wrote:
> Its possible to have divergent ALU32 and ALU64 bounds when using JMP32
> instructins and ALU64 arithmatic operations. Sometimes the clang will
> even generate this code. Because the case is a bit tricky lets add
> a specific test for it.
> 
> Here is  pseudocode asm version to illustrate the idea,
> 
>  1 r0 = 0xffffffff00000001;
>  2 if w0 > 1 goto %l[fail];
>  3 r0 += 1
>  5 if w0 > 2 goto %l[fail]
>  6 exit
> 
> The intent here is the verifier will fail the load if the 32bit bounds
> are not tracked correctly through ALU64 op. Similarly we can check the
> 64bit bounds are correctly zero extended after ALU32 ops.
> 
>  1 r0 = 0xffffffff00000001;
>  2 w0 += 1
>  2 if r0 < 0xffffffff00000001 goto %l[fail];

This should be 3.

> +	"bounds check mixed 32bit and 64bit arithmatic. test2",
> +	.insns = {
> +	BPF_MOV64_IMM(BPF_REG_0, 0),
> +	BPF_MOV64_IMM(BPF_REG_1, -1),
> +	BPF_ALU64_IMM(BPF_LSH, BPF_REG_1, 32),
> +	BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 1),
> +	/* r1 = 0xffffFFFF00000001 */
> +	BPF_MOV64_IMM(BPF_REG_2, 3),
> +	/* r1 = 0x2 */
> +	BPF_ALU32_IMM(BPF_ADD, BPF_REG_1, 1),
> +	/* check ALU32 op zero extends 64bit bounds */
> +	BPF_JMP_REG(BPF_JGT, BPF_REG_1, BPF_REG_2, 1),
> +	BPF_JMP_A(1),
> +	/* invalid ldx if bounds are lost above */
> +	BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_0, -1),
> +	BPF_EXIT_INSN(),
> +	},
> +	.result = ACCEPT
> +},
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ