[v2,0/3] Fix truncation bug in coerce_reg_to_size_sx and extend selftests.

Message ID 20241014121155.92887-1-dimitar.kanaliev@siteground.com (mailing list archive)

Message

Dimitar Kanaliev Oct. 14, 2024, 12:11 p.m. UTC
This patch series addresses a truncation bug in the eBPF verifier function
coerce_reg_to_size_sx(). The issue was caused by the incorrect ordering
of assignments between 32-bit and 64-bit min/max values, leading to
improper truncation when updating the register state. This issue has been
reported previously by Zac Ecob[1], but was not followed up on.

The first patch fixes the assignment order in coerce_reg_to_size_sx()
to ensure correct truncation. The subsequent patches add selftests for
coerce_{reg,subreg}_to_size_sx.

Changelog:
	v1 -> v2:
	 - Moved selftests inside the conditional check for cpuv4

[1] (https://lore.kernel.org/bpf/h3qKLDEO6m9nhif0eAQX4fVrqdO0D_OPb0y5HfMK9jBePEKK33wQ3K-bqSVnr0hiZdFZtSJOsbNkcEQGpv_yJk61PAAiO8fUkgMRSO-lB50=@protonmail.com/)

Dimitar Kanaliev (3):
  bpf: Fix truncation bug in coerce_reg_to_size_sx()
  selftests/bpf: Add test for truncation after sign extension in
    coerce_reg_to_size_sx()
  selftests/bpf: Add test for sign extension in
    coerce_subreg_to_size_sx()

 kernel/bpf/verifier.c                         |  8 ++--
 .../selftests/bpf/progs/verifier_movsx.c      | 40 +++++++++++++++++++
 2 files changed, 44 insertions(+), 4 deletions(-)
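
Added example, not taken from the patch or the kernel source: a simplified C model of how the order of a chained assignment between 32-bit and 64-bit bounds decides which field gets truncated, the class of ordering problem the cover letter describes. The struct, field and function names are hypothetical, and the sample range [-128, -1] is constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for a register's tracked bounds. */
struct bounds {
	int64_t  smin, smax;        /* signed 64-bit range */
	uint64_t umin, umax;        /* unsigned 64-bit range */
	int32_t  s32_min, s32_max;  /* signed 32-bit range */
	uint32_t u32_min, u32_max;  /* unsigned 32-bit range */
};

/* 64-bit field leftmost: it is assigned the value of the inner 32-bit
 * assignment, so it only ever sees the truncated value. */
static struct bounds wide_from_narrow(int64_t lo, int64_t hi)
{
	struct bounds b;

	b.smin = b.s32_min = lo;
	b.smax = b.s32_max = hi;
	b.umin = b.u32_min = lo;
	b.umax = b.u32_max = hi;
	return b;
}

/* 32-bit field leftmost: the 64-bit field takes the full value first,
 * and only the 32-bit copy is truncated. */
static struct bounds narrow_from_wide(int64_t lo, int64_t hi)
{
	struct bounds b;

	b.s32_min = b.smin = lo;
	b.s32_max = b.smax = hi;
	b.u32_min = b.umin = lo;
	b.u32_max = b.umax = hi;
	return b;
}

int main(void)
{
	/* Constructed sample: a sign-extended byte range, all negative. */
	struct bounds bad = wide_from_narrow(-128, -1);
	struct bounds good = narrow_from_wide(-128, -1);

	printf("wide_from_narrow umin=%#llx umax=%#llx\n",
	       (unsigned long long)bad.umin, (unsigned long long)bad.umax);
	printf("narrow_from_wide umin=%#llx umax=%#llx\n",
	       (unsigned long long)good.umin, (unsigned long long)good.umax);
	return 0;
}
```

The signed 64-bit bounds come out the same either way for this range; the difference shows in the unsigned 64-bit bounds, which lose their upper 32 bits when the 32-bit field is assigned first.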

Comments

patchwork-bot+netdevbpf@kernel.org Oct. 15, 2024, 6:20 p.m. UTC | #1
Hello:

This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Mon, 14 Oct 2024 15:11:52 +0300 you wrote:
> This patch series addresses a truncation bug in the eBPF verifier function
> coerce_reg_to_size_sx(). The issue was caused by the incorrect ordering
> of assignments between 32-bit and 64-bit min/max values, leading to
> improper truncation when updating the register state. This issue has been
> reported previously by Zac Ecob[1], but was not followed up on.
> 
> The first patch fixes the assignment order in coerce_reg_to_size_sx()
> to ensure correct truncation. The subsequent patches add selftests for
> coerce_{reg,subreg}_to_size_sx.
> 
> [...]

Here is the summary with links:
  - [v2,1/3] bpf: Fix truncation bug in coerce_reg_to_size_sx()
    https://git.kernel.org/bpf/bpf/c/ae67b9fb8c4e
  - [v2,2/3] selftests/bpf: Add test for truncation after sign extension in coerce_reg_to_size_sx()
    https://git.kernel.org/bpf/bpf/c/61f506eacc77
  - [v2,3/3] selftests/bpf: Add test for sign extension in coerce_subreg_to_size_sx()
    https://git.kernel.org/bpf/bpf/c/35ccd576a23c

You are awesome, thank you!