From patchwork Thu Nov 2 05:39:03 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
X-Patchwork-Submitter: Shung-Hsi Yu
X-Patchwork-Id: 13443416
X-Patchwork-Delegate: bpf@iogearbox.net
From: Shung-Hsi Yu
To: bpf@vger.kernel.org
Cc: Shung-Hsi Yu, Daniel Borkmann, Alexei Starovoitov, Toke Høiland-Jørgensen, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, Eduard Zingerman, stable@vger.kernel.org, Mohamed Mahmoud, Tao Lyu
Subject: [PATCH bpf v1 1/2] bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END
Date: Thu, 2 Nov 2023 13:39:03 +0800
Message-ID: <20231102053913.12004-2-shung-hsi.yu@suse.com>
X-Mailer: git-send-email 2.42.0
In-Reply-To: <20231102053913.12004-1-shung-hsi.yu@suse.com>
References: <20231102053913.12004-1-shung-hsi.yu@suse.com>
X-Mailing-List: bpf@vger.kernel.org

BPF_END and BPF_NEG have a different specification for the source bit in
the opcode compared to other ALU/ALU64 instructions, and is either
reserved or used to specify the byte swap endianness. In both cases the
source bit does not encode source operand location, and src_reg is a
reserved field.

backtrack_insn() currently does not differentiate BPF_END and BPF_NEG
from other ALU/ALU64 instructions, which leads to r0 being incorrectly
marked as precise when processing BPF_ALU | BPF_TO_BE | BPF_END
instructions. This commit teaches backtrack_insn() to correctly mark
precision for such cases.

While precise tracking of BPF_NEG and other BPF_END instructions is
correct and does not need fixing, this commit opts to process all BPF_NEG
and BPF_END instructions within the same if-clause to better align with
current convention used in the verifier (e.g. check_alu_op).

Fixes: b5dc0163d8fd ("bpf: precise scalar_value tracking")
Cc: stable@vger.kernel.org
Reported-by: Mohamed Mahmoud
Closes: https://lore.kernel.org/r/87jzrrwptf.fsf@toke.dk
Tested-by: Toke Høiland-Jørgensen
Tested-by: Tao Lyu
Acked-by: Eduard Zingerman
Signed-off-by: Shung-Hsi Yu
---
 kernel/bpf/verifier.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 873ade146f3d..ba9aee3a4269 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3426,7 +3426,12 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx, if (class == BPF_ALU || class == BPF_ALU64) { if (!bt_is_reg_set(bt, dreg)) return 0; - if (opcode == BPF_MOV) { + if (opcode == BPF_END || opcode == BPF_NEG) { + /* sreg is reserved and unused + * dreg still need precision before this insn + */ + return 0; + } else if (opcode == BPF_MOV) { if (BPF_SRC(insn->code) == BPF_X) { /* dreg = sreg or dreg = (s8, s16, s32)sreg * dreg needs precision after this insn
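
Review bot: the comment in the new `if (opcode == BPF_END || opcode == BPF_NEG)` branch of backtrack_insn() says only "sreg is reserved and unused", which does not record why this check has to sit ahead of the `BPF_MOV` branch and its `BPF_SRC(insn->code) == BPF_X` test. The commit message gives the real reason: for these two opcodes the source bit is reserved or selects the byte-swap endianness, so it must not be read as an operand location. I would put that sentence in the comment so the ordering is not undone by a later refactor, and fix "dreg still need precision" to "dreg still needs precision". Minor: because the branch returns, the `else` in `} else if (opcode == BPF_MOV) {` is redundant; keeping it is fine if the aim is to match the existing chain.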