lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 14 Oct 2020 21:27:17 -0700 From: John Fastabend <john.fastabend@...il.com> To: Alexei Starovoitov <alexei.starovoitov@...il.com>, John Fastabend <john.fastabend@...il.com> Cc: Andrii Nakryiko <andrii.nakryiko@...il.com>, "David S. Miller" <davem@...emloft.net>, Daniel Borkmann <daniel@...earbox.net>, Networking <netdev@...r.kernel.org>, bpf <bpf@...r.kernel.org>, Kernel Team <kernel-team@...com> Subject: Re: [PATCH bpf-next] bpf: Fix register equivalence tracking. Alexei Starovoitov wrote: > On Wed, Oct 14, 2020 at 09:04:23PM -0700, John Fastabend wrote: > > Andrii Nakryiko wrote: > > > On Wed, Oct 14, 2020 at 10:59 AM Alexei Starovoitov > > > <alexei.starovoitov@...il.com> wrote: > > > > > > > > From: Alexei Starovoitov <ast@...nel.org> > > > > > > > > The 64-bit JEQ/JNE handling in reg_set_min_max() was clearing reg->id in either > > > > true or false branch. In the case 'if (reg->id)' check was done on the other > > > > branch the counter part register would have reg->id == 0 when called into > > > > find_equal_scalars(). In such case the helper would incorrectly identify other > > > > registers with id == 0 as equivalent and propagate the state incorrectly. > > > > One thought. It seems we should never have reg->id=0 in find_equal_scalars() > > would it be worthwhile to add an additional check here? Something like, > > > > if (known_reg->id == 0) > > return > > > > Or even a WARN_ON_ONCE() there? Not sold either way, but maybe worth thinking > > about. > > That cannot happen anymore due to > if (dst_reg->id && !WARN_ON_ONCE(dst_reg->id != other_branch_regs[insn->dst_reg].id)) > check in the caller. > I prefer not to repeat the same check twice. Also I really don't like defensive programming. > if (known_reg->id == 0) > return; > is exactly that. > If we had that already, as Andrii argued in the original thread, we would have > never noticed this issue. <, >, <= ops would have worked, but == would be > sort-of working. It would mark one branch instead of both, and sometimes > neither of the branches. I'd rather have bugs like this one hurting and caught > quickly instead of warm feeling of being safe and sailing into unknown. Agree. Although a WARN_ON_ONCE would have also been caught.
Powered by blists - more mailing lists