| Message ID | 20220810100849.25710-1-liulin063@gmail.com (mailing list archive) |
|---|---|
| State | Changes Requested |
| Delegated to: | BPF |
| Headers | show |
| Series | [1/2] bpf: Fix 32bit bounds update in ALU64 | expand |
| Context | Check | Description |
|---|---|---|
| bpf/vmtest-bpf-PR | fail | merge-conflict |
| netdev/tree_selection | success | Guessing tree name failed - patch did not apply |
On 8/10/22 12:08 PM, Youlin Li wrote: > The commit ("bpf: Do more tight ALU bounds tracking") introduces a bug > that fails some selftests. > > in previous versions of the code, when > __reg_combine_64_into_32() was called, the 32bit boundary was > completely deduced from the 64bit boundary, so there was a call to > __mark_reg32_unbounded() in __reg_combine_64_into_32(). But before > adjust_scalar_min_max_vals() calls > __reg_combine_64_into_32() , the 32bit bounds are already calculated > to some extent, and __mark_reg32_unbounded() will eliminate these > information. > > Simply remove the call to __reg_combine_64_into_32() and copying a code > without __mark_reg32_unbounded() should work. > > Before: > ./test_verifier 142 > #142/p bounds check after truncation of non-boundary-crossing range FAIL > Failed to load prog 'Permission denied'! > invalid access to map value, value_size=8 off=16777215 size=1 > R0 max value is outside of the allowed memory range > verification time 149 usec > stack depth 8 > processed 15 insns (limit 1000000) max_states_per_insn 0 > total_states 0 peak_states 0 mark_read 0 > Summary: 0 PASSED, 1 SKIPPED, 1 FAILED > > After: > ./test_verifier 142 > #142/p bounds check after truncation of non-boundary-crossing range OK > Summary: 1 PASSED, 1 SKIPPED, 0 FAILED > > Signed-off-by: Youlin Li <liulin063@gmail.com> > --- > kernel/bpf/verifier.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 11d8bb54ba6b..7ea6e0372d62 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -9014,7 +9014,17 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, > /* ALU32 ops are zero extended into 64bit register */ > zext_32_to_64(dst_reg); > } else { > - __reg_combine_64_into_32(dst_reg); > + if (__reg64_bound_s32(dst_reg->smin_value) && > + __reg64_bound_s32(dst_reg->smax_value)) { > + dst_reg->s32_min_value = (s32)dst_reg->smin_value; > + dst_reg->s32_max_value = (s32)dst_reg->smax_value; > + } > + if (__reg64_bound_u32(dst_reg->umin_value) && > + __reg64_bound_u32(dst_reg->umax_value)) { > + dst_reg->u32_min_value = (u32)dst_reg->umin_value; > + dst_reg->u32_max_value = (u32)dst_reg->umax_value; > + } > + reg_bounds_sync(dst_reg); Hm, this doesn't apply to the bpf tree. Is this on top of your previous patch [0]? Please squash both together in that case and resubmit your previous one as a v2. [0] https://lore.kernel.org/bpf/9f954e67-67fc-e3b9-d810-22bfea95d2aa@iogearbox.net/ Thanks, Daniel
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 11d8bb54ba6b..7ea6e0372d62 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9014,7 +9014,17 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, /* ALU32 ops are zero extended into 64bit register */ zext_32_to_64(dst_reg); } else { - __reg_combine_64_into_32(dst_reg); + if (__reg64_bound_s32(dst_reg->smin_value) && + __reg64_bound_s32(dst_reg->smax_value)) { + dst_reg->s32_min_value = (s32)dst_reg->smin_value; + dst_reg->s32_max_value = (s32)dst_reg->smax_value; + } + if (__reg64_bound_u32(dst_reg->umin_value) && + __reg64_bound_u32(dst_reg->umax_value)) { + dst_reg->u32_min_value = (u32)dst_reg->umin_value; + dst_reg->u32_max_value = (u32)dst_reg->umax_value; + } + reg_bounds_sync(dst_reg); } return 0; }
The commit ("bpf: Do more tight ALU bounds tracking") introduces a bug that fails some selftests. in previous versions of the code, when __reg_combine_64_into_32() was called, the 32bit boundary was completely deduced from the 64bit boundary, so there was a call to __mark_reg32_unbounded() in __reg_combine_64_into_32(). But before adjust_scalar_min_max_vals() calls __reg_combine_64_into_32() , the 32bit bounds are already calculated to some extent, and __mark_reg32_unbounded() will eliminate these information. Simply remove the call to __reg_combine_64_into_32() and copying a code without __mark_reg32_unbounded() should work. Before: ./test_verifier 142 #142/p bounds check after truncation of non-boundary-crossing range FAIL Failed to load prog 'Permission denied'! invalid access to map value, value_size=8 off=16777215 size=1 R0 max value is outside of the allowed memory range verification time 149 usec stack depth 8 processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 Summary: 0 PASSED, 1 SKIPPED, 1 FAILED After: ./test_verifier 142 #142/p bounds check after truncation of non-boundary-crossing range OK Summary: 1 PASSED, 1 SKIPPED, 0 FAILED Signed-off-by: Youlin Li <liulin063@gmail.com> --- kernel/bpf/verifier.c | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-)