From patchwork Fri May 28 10:37:52 2021
X-Patchwork-Submitter: Ovidiu Panait
X-Patchwork-Id: 12286601
X-Patchwork-Delegate: bpf@iogearbox.net
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 01/19] bpf: fix up selftests after backports were fixed
Date: Fri, 28 May 2021 13:37:52 +0300
Message-Id: <20210528103810.22025-2-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

After the backport of the changes to fix CVE 2019-7308, the selftests also need to be fixed up, as was done originally in mainline 80c9b2fae87b ("bpf: add various test cases to selftests").

This is a backport of upstream commit 80c9b2fae87b ("bpf: add various test cases to selftests") adapted to 4.19 in order to fix the selftests that began to fail after CVE-2019-7308 fixes.

Suggested-by: Frank van der Linden
Signed-off-by: Ovidiu Panait
---
 tools/testing/selftests/bpf/test_verifier.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 9db5a7378f40..fef1c9e3c4b8 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -2448,6 +2448,7 @@ static struct bpf_test tests[] = { }, .result = REJECT, .errstr = "invalid stack off=-79992 size=8", + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", }, { "PTR_TO_STACK store/load - out of bounds high", @@ -2844,6 +2845,8 @@ static struct bpf_test tests[] = { BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", + .result_unpriv = REJECT, .result = ACCEPT, }, { @@ -7457,6 +7460,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7481,6 +7485,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7507,6 +7512,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7532,6 +7538,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7580,6 +7587,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7651,6 +7659,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { 
@@ -7702,6 +7711,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7729,6 +7739,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7755,6 +7766,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7784,6 +7796,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7814,6 +7827,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 4 }, .errstr = "R0 invalid mem access 'inv'", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7842,6 +7856,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, .result_unpriv = REJECT, }, @@ -7894,6 +7909,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -8266,6 +8282,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "pointer offset 1073741822", + .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", .result = REJECT }, { @@ -8287,6 +8304,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "pointer offset -1073741822", + .errstr_unpriv = "R0 pointer arithmetic of map value goes out of range", .result = REJECT }, { 
@@ -8458,6 +8476,7 @@ static struct bpf_test tests[] = { BPF_EXIT_INSN() }, .errstr = "fp pointer offset 1073741822", + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", .result = REJECT }, {
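Review bot: the entry changed at @@ -2844,6 +2845,8 @@ now has .result = ACCEPT next to .result_unpriv = REJECT, and nothing in the entry says why the outcome differs by privilege. A one-line comment above .errstr_unpriv stating that stack pointer arithmetic is rejected for unprivileged loads would help the next person touching it, since the test name is not part of the hunk context.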
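Review bot: in the hunks at @@ -7814,6 +7827,7 @@ and @@ -7894,6 +7909,7 @@ the privileged message is about R0 ("R0 invalid mem access 'inv'" and "R0 min value is negative, ...") while the added .errstr_unpriv is about R1 ("R1 has unknown scalar with mixed signed bounds"), so the unprivileged run is rejected on a different register than the one these two cases were written to exercise. Please confirm that is intended for 4.19 and say so in the commit message, because the unprivileged run no longer reaches the check named in .errstr.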
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 02/19] bpf, selftests: Fix up some test_verifier cases for unprivileged
Date: Fri, 28 May 2021 13:37:53 +0300
Message-Id: <20210528103810.22025-3-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Piotr Krysiuk

commit 0a13e3537ea67452d549a6a80da3776d6b7dedb3 upstream

Fix up test_verifier error messages for the case where the original error message changed, or for the case where pointer alu errors differ between privileged and unprivileged tests. Also, add alternative tests for keeping coverage of the original verifier rejection error message (fp alu), and newly reject map_ptr += rX where rX == 0 given we now forbid alu on these types for unprivileged. All test_verifier cases pass after the change. The test case fixups were kept separate to ease backporting of core changes.

Signed-off-by: Piotr Krysiuk
Co-developed-by: Daniel Borkmann
Signed-off-by: Daniel Borkmann
Acked-by: Alexei Starovoitov
[OP: backport to 4.19, skipping non-existent tests]
Signed-off-by: Ovidiu Panait
---
 tools/testing/selftests/bpf/test_verifier.c | 42 ++++++++++++++++-----
 1 file changed, 33 insertions(+), 9 deletions(-)
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index fef1c9e3c4b8..29d42f7796d9 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -2837,7 +2837,7 @@ static struct bpf_test tests[] = { .result = ACCEPT, }, { - "unpriv: adding of fp", + "unpriv: adding of fp, reg", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_MOV64_IMM(BPF_REG_1, 0), @@ -2845,6 +2845,19 @@ static struct bpf_test tests[] = { BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", + .result_unpriv = REJECT, + .result = ACCEPT, + }, + { + "unpriv: adding of fp, imm", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), + BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), + BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), + BPF_EXIT_INSN(), + }, .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", .result_unpriv = REJECT, .result = ACCEPT, 
@@ -9758,8 +9771,9 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .result = REJECT, + .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", .errstr = "R0 tried to subtract pointer from scalar", + .result = REJECT, }, { "check deducing bounds from const, 2", @@ -9772,6 +9786,8 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", + .result_unpriv = REJECT, .result = ACCEPT, .retval = 1, }, @@ -9783,8 +9799,9 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .result = REJECT, + .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", .errstr = "R0 tried to subtract pointer from scalar", + .result = REJECT, }, { "check deducing bounds from const, 4", @@ -9797,6 +9814,8 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), BPF_EXIT_INSN(), }, + .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", + .result_unpriv = REJECT, .result = ACCEPT, }, { @@ -9807,8 +9826,9 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .result = REJECT, + .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", .errstr = "R0 tried to subtract pointer from scalar", + .result = REJECT, }, { "check deducing bounds from const, 6", @@ -9819,8 +9839,9 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .result = REJECT, + .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", .errstr = "R0 tried to subtract pointer from scalar", + .result = REJECT, }, { "check deducing bounds from const, 7", 
@@ -9832,8 +9853,9 @@ static struct bpf_test tests[] = { offsetof(struct __sk_buff, mark)), BPF_EXIT_INSN(), }, - .result = REJECT, + .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", .errstr = "dereference of modified ctx ptr", + .result = REJECT, }, { "check deducing bounds from const, 8", @@ -9845,8 +9867,9 @@ static struct bpf_test tests[] = { offsetof(struct __sk_buff, mark)), BPF_EXIT_INSN(), }, - .result = REJECT, + .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", .errstr = "dereference of modified ctx ptr", + .result = REJECT, }, { "check deducing bounds from const, 9", @@ -9856,8 +9879,9 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .result = REJECT, + .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", .errstr = "R0 tried to subtract pointer from scalar", + .result = REJECT, }, { "check deducing bounds from const, 10", 
@@ -9869,8 +9893,8 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .result = REJECT, .errstr = "math between ctx pointer and register with unbounded min value is not allowed", + .result = REJECT, }, { "bpf_exit with invalid return code. test1",
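Review bot: the commit message mentions newly rejecting map_ptr += rX with rX == 0, but no hunk in this backport touches a map pointer case; the only added test is "unpriv: adding of fp, imm" at @@ -2845,6 +2845,19 @@. The "[OP: backport to 4.19, skipping non-existent tests]" trailer should name the upstream cases that were skipped, so the coverage difference from the upstream commit can be checked without diffing the two trees.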
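Review bot: the entry at @@ -9869,8 +9893,8 @@ (by the preceding context, "check deducing bounds from const, 10") gets no .errstr_unpriv, while every other REJECT case in the "check deducing bounds from const" group gains one in this patch. Please confirm the unprivileged run of this case is still rejected with "math between ctx pointer and register with unbounded min value is not allowed"; if it is, the hunk is a pure reorder of .result and .errstr and could be dropped from the backport unless it is kept only to match upstream.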
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 03/19] selftests/bpf: Test narrow loads with off > 0 in test_verifier
Date: Fri, 28 May 2021 13:37:54 +0300
Message-Id: <20210528103810.22025-4-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Andrey Ignatov

commit 6c2afb674dbda9b736b8f09c976516e1e788860a upstream

Test the following narrow loads in test_verifier for context __sk_buff:
* off=1, size=1 - ok;
* off=2, size=1 - ok;
* off=3, size=1 - ok;
* off=0, size=2 - ok;
* off=1, size=2 - fail;
* off=0, size=2 - ok;
* off=3, size=2 - fail.

Signed-off-by: Andrey Ignatov
Signed-off-by: Alexei Starovoitov
Signed-off-by: Ovidiu Panait
---
 tools/testing/selftests/bpf/test_verifier.c | 48 ++++++++++++++++-----
 1 file changed, 38 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 29d42f7796d9..fdc093f29818 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -2002,29 +2002,27 @@ static struct bpf_test tests[] = { .result = ACCEPT, }, { - "check skb->hash byte load not permitted 1", + "check skb->hash byte load permitted 1", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, offsetof(struct __sk_buff, hash) + 1), BPF_EXIT_INSN(), }, - .errstr = "invalid bpf_context access", - .result = REJECT, + .result = ACCEPT, }, { - "check skb->hash byte load not permitted 2", + "check skb->hash byte load permitted 2", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_1, offsetof(struct __sk_buff, hash) + 2), BPF_EXIT_INSN(), }, - .errstr = "invalid bpf_context access", - .result = REJECT, + .result = ACCEPT, }, { - "check skb->hash byte load not permitted 3", + "check skb->hash byte load permitted 3", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), #if __BYTE_ORDER == __LITTLE_ENDIAN @@ -2036,8 +2034,7 @@ static struct bpf_test tests[] = { #endif BPF_EXIT_INSN(), }, - .errstr = "invalid bpf_context access", - .result = REJECT, + .result = ACCEPT, }, { "check cb access: byte, wrong type", @@ -2149,7 +2146,7 @@ static struct bpf_test tests[] = { .result = ACCEPT, }, { - "check skb->hash half load not permitted", + "check skb->hash half load permitted 2", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), #if __BYTE_ORDER == __LITTLE_ENDIAN 
@@ -2158,6 +2155,37 @@ static struct bpf_test tests[] = { #else BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, offsetof(struct __sk_buff, hash)), +#endif + BPF_EXIT_INSN(), + }, + .result = ACCEPT, + }, + { + "check skb->hash half load not permitted, unaligned 1", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), +#if __BYTE_ORDER == __LITTLE_ENDIAN + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, hash) + 1), +#else + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, hash) + 3), +#endif + BPF_EXIT_INSN(), + }, + .errstr = "invalid bpf_context access", + .result = REJECT, + }, + { + "check skb->hash half load not permitted, unaligned 3", + .insns = { + BPF_MOV64_IMM(BPF_REG_0, 0), +#if __BYTE_ORDER == __LITTLE_ENDIAN + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, hash) + 3), +#else + BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_1, + offsetof(struct __sk_buff, hash) + 1), #endif BPF_EXIT_INSN(), },
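Review bot: The commit message does not match the test renamed in the @@ -2149 hunk: the list has "off=0, size=2 - ok" twice and no off=2, size=2 entry, while the test becomes "check skb->hash half load permitted 2". If that test is the off=2 case, the second list entry should say off=2 so the message and the test names agree.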
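Review bot: In the @@ -2158 hunk the suffixes of the two added tests only match the offset on little-endian: under #else, "unaligned 1" loads at hash + 3 and "unaligned 3" loads at hash + 1. Both are expected to REJECT with "invalid bpf_context access" on either byte order, so the swap is harmless, but a one-line comment saying the suffix is the little-endian offset would make a big-endian failure report easier to map back to the right test.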
From: Ovidiu Panait To: stable@vger.kernel.org Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com Subject: [PATCH v2 4.19 04/19] selftests/bpf: add selftest part of "bpf: improve verifier branch analysis" Date: Fri, 28 May 2021 13:37:55 +0300 Message-Id: <20210528103810.22025-5-ovidiu.panait@windriver.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com> References: <20210528103810.22025-1-ovidiu.panait@windriver.com>
Backport the missing selftest part of commit 7da6cd690c43 ("bpf: improve verifier branch analysis") in order to fix the following test_verifier failures: ... Unexpected success to load! 0: (b7) r0 = 0 1: (75) if r0 s>= 0x0 goto pc+1 3: (95) exit processed 3 insns (limit 131072), stack depth 0 Unexpected success to load! 0: (b7) r0 = 0 1: (75) if r0 s>= 0x0 goto pc+1 3: (95) exit processed 3 insns (limit 131072), stack depth 0 ... The changesets apply with a minor context difference.
Fixes: 7da6cd690c43 ("bpf: improve verifier branch analysis") Signed-off-by: Ovidiu Panait --- tools/testing/selftests/bpf/test_verifier.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index fdc093f29818..a34552aadc12 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -7867,7 +7867,7 @@ static struct bpf_test tests[] = { BPF_JMP_IMM(BPF_JA, 0, 0, -7), }, .fixup_map1 = { 4 }, - .errstr = "R0 invalid mem access 'inv'", + .errstr = "unbounded min value", .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, 
@@ -9850,7 +9850,7 @@ static struct bpf_test tests[] = { "check deducing bounds from const, 5", .insns = { BPF_MOV64_IMM(BPF_REG_0, 0), - BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), + BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 1, 1), BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), },
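Review bot: The errstr change in the @@ -7867 hunk, from "R0 invalid mem access 'inv'" to "unbounded min value", is not explained by the commit message, which quotes only the "Unexpected success to load!" failure for "if r0 s>= 0x0 goto pc+1". Please add a line naming the test this hunk belongs to and why its expected message changes; errstr_unpriv is left as it was, and it is worth confirming that is intended on 4.19.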
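Review bot: In the @@ -9850 hunk the immediate of the BPF_JSGE in "check deducing bounds from const, 5" changes from 0 to 1 without a comment. With r0 set to 0 the old "r0 s>= 0" is always true, which is the jump straight from insn 1 to insn 3 in the quoted log, so the BPF_SUB on insn 2 was never checked. A short comment above the BPF_JMP_IMM saying the immediate is chosen so the branch is not predicted taken would keep it from being changed back to 0.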
From: Ovidiu Panait To: stable@vger.kernel.org Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com Subject: [PATCH v2 4.19 05/19] bpf: extend is_branch_taken to registers Date: Fri, 28 May 2021 13:37:56 +0300 Message-Id: <20210528103810.22025-6-ovidiu.panait@windriver.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com> References: <20210528103810.22025-1-ovidiu.panait@windriver.com>
From: Alexei Starovoitov commit fb8d251ee2a6bf4d7f4af5548e9c8f4fb5f90402 upstream This patch extends is_branch_taken() logic from JMP+K instructions to JMP+X instructions. Conditional branches are often done when src and dst registers contain known scalars. In such case the verifier can follow the branch that is going to be taken when program executes. That speeds up the verification and is essential feature to support bounded loops. Signed-off-by: Alexei Starovoitov Acked-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann [OP: drop is_jmp32 parameter from is_branch_taken() calls and adjust context] Signed-off-by: Ovidiu Panait --- kernel/bpf/verifier.c | 32 ++++++++++++++++++-------------- 1 file changed, 18 insertions(+), 14 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index f49f84b71a6b..275c1078d80b 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -4127,8 +4127,9 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, struct bpf_verifier_state *this_branch = env->cur_state; struct bpf_verifier_state *other_branch; struct bpf_reg_state *regs = this_branch->frame[this_branch->curframe]->regs; - struct bpf_reg_state *dst_reg, *other_branch_regs; + struct bpf_reg_state *dst_reg, *other_branch_regs, *src_reg = NULL; u8 opcode = BPF_OP(insn->code); + int pred = -1; int err; if (opcode > BPF_JSLE) { @@ -4152,6 +4153,7 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, insn->src_reg); return -EACCES; } + src_reg = ®s[insn->src_reg]; } else { if (insn->src_reg != BPF_REG_0) { verbose(env, "BPF_JMP uses reserved fields\n"); 
@@ -4166,19 +4168,21 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env, dst_reg = ®s[insn->dst_reg]; - if (BPF_SRC(insn->code) == BPF_K) { - int pred = is_branch_taken(dst_reg, insn->imm, opcode); - - if (pred == 1) { - /* only follow the goto, ignore fall-through */ - *insn_idx += insn->off; - return 0; - } else if (pred == 0) { - /* only follow fall-through branch, since - * that's where the program will go - */ - return 0; - } + if (BPF_SRC(insn->code) == BPF_K) + pred = is_branch_taken(dst_reg, insn->imm, opcode); + else if (src_reg->type == SCALAR_VALUE && + tnum_is_const(src_reg->var_off)) + pred = is_branch_taken(dst_reg, src_reg->var_off.value, + opcode); + if (pred == 1) { + /* only follow the goto, ignore fall-through */ + *insn_idx += insn->off; + return 0; + } else if (pred == 0) { + /* only follow fall-through branch, since + * that's where the program will go + */ + return 0; } other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
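Review bot: In the @@ -4166 hunk, src_reg is dereferenced in "else if (src_reg->type == SCALAR_VALUE &&" although the @@ -4127 hunk initialises it to NULL; it is non-NULL here only because the BPF_X block earlier in the function assigns it before this point. That dependency is not visible at the dereference. A one-line comment there, or moving the assignment next to its use, would keep a later change to the BPF_X block from turning this into a NULL dereference inside the verifier.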
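The branch prediction that this message and the 04/19 selftest fix rely on, as an added example that is not part of the original mails or of the kernel source. It is a simplified model: reg_model, decide, branch_taken and predict_jmp are hypothetical names, and a register is reduced to its signed and unsigned bounds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified register state: scalar flag plus value bounds. */
struct reg_model {
	bool is_scalar;       /* false models a pointer register */
	int64_t smin, smax;   /* signed bounds */
	uint64_t umin, umax;  /* unsigned bounds */
};

enum jmp_op { OP_JEQ, OP_JNE, OP_JGT, OP_JGE, OP_JLT, OP_JLE,
	      OP_JSGT, OP_JSGE, OP_JSLT, OP_JSLE };

static struct reg_model reg_range(int64_t smin, int64_t smax,
				  uint64_t umin, uint64_t umax)
{
	struct reg_model r = { true, smin, smax, umin, umax };
	return r;
}

static struct reg_model reg_const(int64_t v)
{
	return reg_range(v, v, (uint64_t)v, (uint64_t)v);
}

static bool reg_is_const(const struct reg_model *r)
{
	return r->is_scalar && r->umin == r->umax && r->smin == r->smax;
}

/* 1: condition always holds, 0: never holds, -1: bounds do not decide it. */
static int decide(bool always, bool never)
{
	return always ? 1 : (never ? 0 : -1);
}

/* Compare the bounds of dst against a known 64-bit value. */
static int branch_taken(const struct reg_model *dst, uint64_t val, enum jmp_op op)
{
	int64_t sval = (int64_t)val;
	bool out_of_range = val < dst->umin || val > dst->umax;

	if (!dst->is_scalar)
		return -1;	/* pointers are not predicted in this model */
	switch (op) {
	case OP_JEQ:  return decide(reg_is_const(dst) && dst->umin == val, out_of_range);
	case OP_JNE:  return decide(out_of_range, reg_is_const(dst) && dst->umin == val);
	case OP_JGT:  return decide(dst->umin > val,   dst->umax <= val);
	case OP_JGE:  return decide(dst->umin >= val,  dst->umax < val);
	case OP_JLT:  return decide(dst->umax < val,   dst->umin >= val);
	case OP_JLE:  return decide(dst->umax <= val,  dst->umin > val);
	case OP_JSGT: return decide(dst->smin > sval,  dst->smax <= sval);
	case OP_JSGE: return decide(dst->smin >= sval, dst->smax < sval);
	case OP_JSLT: return decide(dst->smax < sval,  dst->smin >= sval);
	case OP_JSLE: return decide(dst->smax <= sval, dst->smin > sval);
	}
	return -1;
}

/*
 * src == NULL models JMP+K (compare against the sign-extended immediate).
 * src != NULL models JMP+X: as in the patch, a prediction is attempted only
 * when the source register is a known constant scalar.
 */
static int predict_jmp(const struct reg_model *dst, const struct reg_model *src,
		       int32_t imm, enum jmp_op op)
{
	if (!src)
		return branch_taken(dst, (uint64_t)(int64_t)imm, op);
	if (reg_is_const(src))
		return branch_taken(dst, src->umin, op);
	return -1;
}

int main(void)
{
	struct reg_model r0 = reg_const(0);
	/* Constructed from the 06/19 log: r8 after "<<= 32; s>>= 32". */
	struct reg_model r8 = reg_range(INT32_MIN, INT32_MAX, 0, UINT64_MAX);
	struct reg_model len = reg_range(0, 48, 0, 48), c100 = reg_const(100);

	printf("r0=0, if r0 s>= 0 : %d\n", predict_jmp(&r0, NULL, 0, OP_JSGE));
	printf("r0=0, if r0 s>= 1 : %d\n", predict_jmp(&r0, NULL, 1, OP_JSGE));
	printf("r1=0, if r1 s< r8 : %d\n", predict_jmp(&r0, &r8, 0, OP_JSLT));
	printf("len<=48, if len < r(100): %d\n", predict_jmp(&len, &c100, 0, OP_JLT));
	return 0;
}
```

A result of 1 or 0 means only one successor is explored, which is why the old selftest with "r0 s>= 0" never reached its BPF_SUB; -1 means both branches are pushed and verified.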
From: Ovidiu Panait To: stable@vger.kernel.org Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com Subject: [PATCH v2 4.19 06/19] bpf: Test_verifier, bpf_get_stack return value add <0 Date: Fri, 28 May 2021 13:37:57 +0300 Message-Id: <20210528103810.22025-7-ovidiu.panait@windriver.com> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com> References: <20210528103810.22025-1-ovidiu.panait@windriver.com>
From: John Fastabend

commit 9ac26e9973bac5716a2a542e32f380c84db2b88c upstream.

With current ALU32 subreg handling and retval refine fix from last patches we see an expected failure in test_verifier. With verbose verifier state being printed at each step for clarity we have the following relevant lines [I omit register states that are not necessarily useful to see failure cause],

  #101/p bpf_get_stack return R0 within range FAIL
  Failed to load prog 'Success'!
  [..]
  14: (85) call bpf_get_stack#67
   R0_w=map_value(id=0,off=0,ks=8,vs=48,imm=0)
   R3_w=inv48
  15:
   R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
  15: (b7) r1 = 0
  16:
   R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
   R1_w=inv0
  16: (bf) r8 = r0
  17:
   R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
   R1_w=inv0
   R8_w=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
  17: (67) r8 <<= 32
  18:
   R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
   R1_w=inv0
   R8_w=inv(id=0,smax_value=9223372032559808512, umax_value=18446744069414584320, var_off=(0x0; 0xffffffff00000000), s32_min_value=0, s32_max_value=0, u32_max_value=0, var32_off=(0x0; 0x0))
  18: (c7) r8 s>>= 32
  19
   R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
   R1_w=inv0
   R8_w=inv(id=0,smin_value=-2147483648, smax_value=2147483647, var32_off=(0x0; 0xffffffff))
  19: (cd) if r1 s< r8 goto pc+16
   R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
   R1_w=inv0
   R8_w=inv(id=0,smin_value=-2147483648, smax_value=0, var32_off=(0x0; 0xffffffff))
  20:
   R0=inv(id=0,smax_value=48,var32_off=(0x0; 0xffffffff))
   R1_w=inv0
   R8_w=inv(id=0,smin_value=-2147483648, smax_value=0,
   R9=inv48
  20: (1f) r9 -= r8
  21: (bf) r2 = r7
  22:
   R2_w=map_value(id=0,off=0,ks=8,vs=48,imm=0)
  22: (0f) r2 += r8
  value -2147483648 makes map_value pointer be out of bounds

After call bpf_get_stack() on line 14 and some moves we have at line 16 an r8 bound with max_value 48 but an unknown min value. This is to be expected bpf_get_stack call can only return a max of the input size but is free to return any negative error in the 32-bit register space. The C helper is returning an int so will use lower 32-bits.

Lines 17 and 18 clear the top 32 bits with a left/right shift but use ARSH so we still have worst case min bound before line 19 of -2147483648. At this point the signed check 'r1 s< r8' meant to protect the addition on line 22 where dst reg is a map_value pointer may very well return true with a large negative number. Then the final line 22 will detect this as an invalid operation and fail the program. What we want to do is proceed only if r8 is positive non-error. So change 'r1 s< r8' to 'r1 s> r8' so that we jump if r8 is negative.

Next we will throw an error because we access past the end of the map value. The map value size is 48 and sizeof(struct test_val) is 48 so we walk off the end of the map value on the second call to get bpf_get_stack(). Fix this by changing sizeof(struct test_val) to 24 by using 'sizeof(struct test_val) / 2'. After this everything passes as expected.

Signed-off-by: John Fastabend
Signed-off-by: Alexei Starovoitov
Signed-off-by: Daniel Borkmann
Link: https://lore.kernel.org/bpf/158560426019.10843.3285429543232025187.stgit@john-Precision-5820-Tower
Signed-off-by: Greg Kroah-Hartman
[OP: backport to 4.19]
Signed-off-by: Ovidiu Panait
--- tools/testing/selftests/bpf/test_verifier.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index a34552aadc12..da985a5e7cc5 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -12253,17 +12253,17 @@ static struct bpf_test tests[] = { BPF_FUNC_map_lookup_elem), BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 28), BPF_MOV64_REG(BPF_REG_7, BPF_REG_0), - BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)), + BPF_MOV64_IMM(BPF_REG_9, sizeof(struct test_val)/2), BPF_MOV64_REG(BPF_REG_1, BPF_REG_6), BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), - BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)), + BPF_MOV64_IMM(BPF_REG_3, sizeof(struct test_val)/2), BPF_MOV64_IMM(BPF_REG_4, 256), BPF_EMIT_CALL(BPF_FUNC_get_stack), BPF_MOV64_IMM(BPF_REG_1, 0), BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32), BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32), - BPF_JMP_REG(BPF_JSLT, BPF_REG_1, BPF_REG_8, 16), + BPF_JMP_REG(BPF_JSGT, BPF_REG_1, BPF_REG_8, 16), BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8), 
@@ -12273,7 +12273,7 @@ static struct bpf_test tests[] = { BPF_MOV64_REG(BPF_REG_3, BPF_REG_2), BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_1), BPF_MOV64_REG(BPF_REG_1, BPF_REG_7), - BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)), + BPF_MOV64_IMM(BPF_REG_5, sizeof(struct test_val)/2), BPF_ALU64_REG(BPF_ADD, BPF_REG_1, BPF_REG_5), BPF_JMP_REG(BPF_JGE, BPF_REG_3, BPF_REG_1, 4), BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
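Review bot: In the @@ -12253 hunk the halved size is written `sizeof(struct test_val)/2` for both the R9 and R3 loads, and a third copy sits in the R5 load of the @@ -12273 hunk, with nothing in the test saying why half the map value is the right bound. The commit message has the reason (the 48-byte value is walked past on the second bpf_get_stack() call), so a short comment at the first load, or one named constant shared by all three, would keep the copies from drifting apart. Kernel style also puts spaces around the operator, `sizeof(struct test_val) / 2`, which is how the commit message itself spells it.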
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 07/19] bpf, test_verifier: switch bpf_get_stack's 0 s> r8 test
Date: Fri, 28 May 2021 13:37:58 +0300
Message-Id: <20210528103810.22025-8-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
From: Daniel Borkmann

[ no upstream commit ]

Switch the comparison, so that is_branch_taken() will recognize that below branch is never taken:

  [...]
  17: [...] R1_w=inv0 [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...]
  17: (67) r8 <<= 32
  18: [...] R8_w=inv(id=0,smax_value=-4294967296,umin_value=9223372036854775808,umax_value=18446744069414584320,var_off=(0x8000000000000000; 0x7fffffff00000000)) [...]
  18: (c7) r8 s>>= 32
  19: [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...]
  19: (6d) if r1 s> r8 goto pc+16
  [...] R1_w=inv0 [...] R8_w=inv(id=0,smin_value=-2147483648,smax_value=-1,umin_value=18446744071562067968,var_off=(0xffffffff80000000; 0x7fffffff)) [...]
  [...]

Currently we check for is_branch_taken() only if either K is source, or source is a scalar value that is const. For upstream it would be good to extend this properly to check whether dst is const and src not.

For the sake of the test_verifier, it is probably not needed here:

  # ./test_verifier 101
  #101/p bpf_get_stack return R0 within range OK
  Summary: 1 PASSED, 0 SKIPPED, 0 FAILED

I haven't seen this issue in test_progs* though, they are passing fine:

  # ./test_progs-no_alu32 -t get_stack
  Switching to flavor 'no_alu32' subdirectory...
  #20 get_stack_raw_tp:OK
  Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

  # ./test_progs -t get_stack
  #20 get_stack_raw_tp:OK
  Summary: 1/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann
Acked-by: Alexei Starovoitov
Acked-by: John Fastabend
Signed-off-by: Greg Kroah-Hartman
[OP: backport to 4.19]
Signed-off-by: Ovidiu Panait
--- tools/testing/selftests/bpf/test_verifier.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index da985a5e7cc5..662d6acaaab0 100644
--- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c 
@@ -12263,7 +12263,7 @@ static struct bpf_test tests[] = { BPF_MOV64_REG(BPF_REG_8, BPF_REG_0), BPF_ALU64_IMM(BPF_LSH, BPF_REG_8, 32), BPF_ALU64_IMM(BPF_ARSH, BPF_REG_8, 32), - BPF_JMP_REG(BPF_JSGT, BPF_REG_1, BPF_REG_8, 16), + BPF_JMP_REG(BPF_JSLT, BPF_REG_8, BPF_REG_1, 16), BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8), BPF_MOV64_REG(BPF_REG_2, BPF_REG_7), BPF_ALU64_REG(BPF_ADD, BPF_REG_2, BPF_REG_8),
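Review bot: The new `BPF_JMP_REG(BPF_JSLT, BPF_REG_8, BPF_REG_1, 16)` tests the same condition as the `BPF_JSGT` form it replaces, so nothing in the test source says why the operand order matters. The reason lives only in the commit message (is_branch_taken() is consulted when the source is K or a const scalar); a one-line comment above the instruction would stop a later cleanup from swapping the operands back. If R1 holds nothing but the constant 0 at this point, as the `R1_w=inv0` state in the log suggests, it is also worth asking whether a `BPF_JMP_IMM` compare against 0 would express the intent more directly.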
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 08/19] bpf: Move off_reg into sanitize_ptr_alu
Date: Fri, 28 May 2021 13:37:59 +0300
Message-Id: <20210528103810.22025-9-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
From: Daniel Borkmann

commit 6f55b2f2a1178856c19bbce2f71449926e731914 upstream.

Small refactor to drag off_reg into sanitize_ptr_alu(), so we later on can use off_reg for generalizing some of the checks for all pointer types.

Signed-off-by: Daniel Borkmann
Reviewed-by: John Fastabend
Acked-by: Alexei Starovoitov
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ovidiu Panait
--- kernel/bpf/verifier.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 275c1078d80b..4edae9b29cd1 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2799,11 +2799,12 @@ static int sanitize_val_alu(struct bpf_verifier_env *env, static int sanitize_ptr_alu(struct bpf_verifier_env *env, struct bpf_insn *insn, const struct bpf_reg_state *ptr_reg, - struct bpf_reg_state *dst_reg, - bool off_is_neg) + const struct bpf_reg_state *off_reg, + struct bpf_reg_state *dst_reg) { struct bpf_verifier_state *vstate = env->cur_state; struct bpf_insn_aux_data *aux = cur_aux(env); + bool off_is_neg = off_reg->smin_value < 0; bool ptr_is_dst_reg = ptr_reg == dst_reg; u8 opcode = BPF_OP(insn->code); u32 alu_state, alu_limit;
@@ -2927,7 +2928,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, switch (opcode) { case BPF_ADD: - ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); + ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg); if (ret < 0) { verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst); return ret; 
@@ -2982,7 +2983,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, } break; case BPF_SUB: - ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); + ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg); if (ret < 0) { verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst); return ret;
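Review bot: In the @@ -2799 hunk `off_is_neg` is now computed as `off_reg->smin_value < 0`, whereas the BPF_ADD and BPF_SUB call sites used to pass `smin_val < 0`; the two are equivalent only if `smin_val` in adjust_ptr_min_max_vals() is still an unmodified copy of `off_reg->smin_value` when those cases run, and the visible context does not show where `smin_val` is assigned. A sentence in the changelog confirming that would let the refactor be checked as behaviour-preserving, which matters here because the sign decides the masking direction in the sanitation path.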
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 09/19] bpf: Ensure off_reg has no mixed signed bounds for all types
Date: Fri, 28 May 2021 13:38:00 +0300
Message-Id: <20210528103810.22025-10-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
From: Daniel Borkmann commit 24c109bb1537c12c02aeed2d51a347b4d6a9b76e upstream. The mixed signed bounds check really belongs into retrieve_ptr_limit() instead of outside of it in adjust_ptr_min_max_vals(). The reason is that this check is not tied to PTR_TO_MAP_VALUE only, but to all pointer types that we handle in retrieve_ptr_limit() and given errors from the latter propagate back to adjust_ptr_min_max_vals() and lead to rejection of the program, it's a better place to reside to avoid anything slipping through for future types. The reason why we must reject such off_reg is that we otherwise would not be able to derive a mask, see details in 9d7eceede769 ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged"). Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov [fllinden@amazon.com: backport to 5.4] Signed-off-by: Frank van der Linden Signed-off-by: Greg Kroah-Hartman [OP: backport to 4.19] Signed-off-by: Ovidiu Panait --- kernel/bpf/verifier.c | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 4edae9b29cd1..cdef8c7769ef 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2730,12 +2730,18 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env) } static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, - u32 *ptr_limit, u8 opcode, bool off_is_neg) + const struct bpf_reg_state *off_reg, + u32 *ptr_limit, u8 opcode) { + bool off_is_neg = off_reg->smin_value < 0; bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || (opcode == BPF_SUB && !off_is_neg); u32 off, max; + if (!tnum_is_const(off_reg->var_off) && + (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) + return -EACCES; + switch (ptr_reg->type) { case PTR_TO_STACK: /* Offset 0 is out-of-bounds, but acceptable start for the 
@@ -2826,7 +2832,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, alu_state |= ptr_is_dst_reg ? BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; - err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg); + err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode); if (err < 0) return err; @@ -2871,8 +2877,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; - u32 dst = insn->dst_reg, src = insn->src_reg; u8 opcode = BPF_OP(insn->code); + u32 dst = insn->dst_reg; int ret; dst_reg = ®s[dst]; 
@@ -2909,12 +2915,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst); return -EACCES; } - if (ptr_reg->type == PTR_TO_MAP_VALUE && - !env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { - verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", - off_reg == dst_reg ? dst : src); - return -EACCES; - } /* In case of 'scalar += pointer', dst_reg inherits pointer type and id. * The id may be overwritten later if we create a new variable offset.
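
Review bot: In the retrieve_ptr_limit() hunk (-2730), the new mixed-signed-bounds test returns -EACCES without any verbose() call, while the check this patch deletes from adjust_ptr_min_max_vals() logged "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root". With this patch alone the rejection no longer names its cause from the place that detects it; 11/19 restores the text through sanitize_err() (REASON_BOUNDS), so the changelog should note that dependency, or the message should be kept until then. Minor: the condition recomputes "off_reg->smin_value < 0" although off_is_neg was assigned just above and could be reused.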
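
Review bot: In the adjust_ptr_min_max_vals() hunk (-2909), the deleted condition was gated on "!env->allow_ptr_leaks" as well as on PTR_TO_MAP_VALUE, but the replacement added to retrieve_ptr_limit() carries neither gate. Widening to all pointer types is the stated intent; dropping the privilege gate is not mentioned, so equivalence for privileged loads depends on sanitize_ptr_alu() never reaching retrieve_ptr_limit() in that case, which this diff does not show. Please confirm that for the 4.19 tree and say so in the backport note. The removed test also used "!known" where the new one uses "!tnum_is_const(off_reg->var_off)"; worth confirming the two agree in 4.19.
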
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 10/19] bpf: Rework ptr_limit into alu_limit and add common error path
Date: Fri, 28 May 2021 13:38:01 +0300
Message-Id: <20210528103810.22025-11-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann commit b658bbb844e28f1862867f37e8ca11a8e2aa94a3 upstream. Small refactor with no semantic changes in order to consolidate the max ptr_limit boundary check. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman [OP: backport to 4.19] Signed-off-by: Ovidiu Panait --- kernel/bpf/verifier.c | 21 +++++++++++++-------- 1 file changed, 13 insertions(+), 8 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index cdef8c7769ef..adc833c6088f 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2731,12 +2731,12 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env) static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, const struct bpf_reg_state *off_reg, - u32 *ptr_limit, u8 opcode) + u32 *alu_limit, u8 opcode) { bool off_is_neg = off_reg->smin_value < 0; bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || (opcode == BPF_SUB && !off_is_neg); - u32 off, max; + u32 off, max = 0, ptr_limit = 0; if (!tnum_is_const(off_reg->var_off) && (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) 
@@ -2750,22 +2750,27 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, max = MAX_BPF_STACK + mask_to_left; off = ptr_reg->off + ptr_reg->var_off.value; if (mask_to_left) - *ptr_limit = MAX_BPF_STACK + off; + ptr_limit = MAX_BPF_STACK + off; else - *ptr_limit = -off - 1; - return *ptr_limit >= max ? -ERANGE : 0; + ptr_limit = -off - 1; + break; case PTR_TO_MAP_VALUE: max = ptr_reg->map_ptr->value_size; if (mask_to_left) { - *ptr_limit = ptr_reg->umax_value + ptr_reg->off; + ptr_limit = ptr_reg->umax_value + ptr_reg->off; } else { off = ptr_reg->smin_value + ptr_reg->off; - *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; + ptr_limit = ptr_reg->map_ptr->value_size - off - 1; } - return *ptr_limit >= max ? -ERANGE : 0; + break; default: return -EINVAL; } + + if (ptr_limit >= max) + return -ERANGE; + *alu_limit = ptr_limit; + return 0; } static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env,
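
Review bot: In the first hunk (-2731), the zero initialisers in "u32 off, max = 0, ptr_limit = 0;" are undocumented. With max starting at 0, a future case that breaks out of the switch without assigning max makes "ptr_limit >= max" always true and yields -ERANGE, which is the fail-closed outcome; a one-line comment saying this default is intentional would keep it from being removed as redundant.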
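
Review bot: The common exit added at the end of retrieve_ptr_limit() (-2750 hunk) stores to *alu_limit only when ptr_limit < max, whereas the old per-case code wrote *ptr_limit before returning -ERANGE. That is a small behaviour change despite the "no semantic changes" changelog. It is harmless for the caller shown in 09/19, which returns as soon as err < 0, but the changelog should say that the out-parameter is now left untouched on error.
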
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 11/19] bpf: Improve verifier error messages for users
Date: Fri, 28 May 2021 13:38:02 +0300
Message-Id: <20210528103810.22025-12-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann commit a6aaece00a57fa6f22575364b3903dfbccf5345d upstream Consolidate all error handling and provide more user-friendly error messages from sanitize_ptr_alu() and sanitize_val_alu(). Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov [fllinden@amazon.com: backport to 5.4] Signed-off-by: Frank van der Linden Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ovidiu Panait --- kernel/bpf/verifier.c | 84 +++++++++++++++++++++++++++++++------------ 1 file changed, 62 insertions(+), 22 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index adc833c6088f..473b59126f61 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2729,6 +2729,14 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env) return &env->insn_aux_data[env->insn_idx]; } +enum { + REASON_BOUNDS = -1, + REASON_TYPE = -2, + REASON_PATHS = -3, + REASON_LIMIT = -4, + REASON_STACK = -5, +}; + static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, const struct bpf_reg_state *off_reg, u32 *alu_limit, u8 opcode) @@ -2740,7 +2748,7 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, if (!tnum_is_const(off_reg->var_off) && (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) - return -EACCES; + return REASON_BOUNDS; switch (ptr_reg->type) { case PTR_TO_STACK: @@ -2764,11 +2772,11 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, } break; default: - return -EINVAL; + return REASON_TYPE; } if (ptr_limit >= max) - return -ERANGE; + return REASON_LIMIT; *alu_limit = ptr_limit; return 0; } @@ -2788,7 +2796,7 @@ static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux, if (aux->alu_state && (aux->alu_state != alu_state || aux->alu_limit != alu_limit)) - return -EACCES; + return REASON_PATHS; /* Corresponding fixup done in fixup_bpf_calls(). */ aux->alu_state = alu_state; 
@@ -2861,7 +2869,46 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); if (!ptr_is_dst_reg && ret) *dst_reg = tmp; - return !ret ? -EFAULT : 0; + return !ret ? REASON_STACK : 0; +} + +static int sanitize_err(struct bpf_verifier_env *env, + const struct bpf_insn *insn, int reason, + const struct bpf_reg_state *off_reg, + const struct bpf_reg_state *dst_reg) +{ + static const char *err = "pointer arithmetic with it prohibited for !root"; + const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub"; + u32 dst = insn->dst_reg, src = insn->src_reg; + + switch (reason) { + case REASON_BOUNDS: + verbose(env, "R%d has unknown scalar with mixed signed bounds, %s\n", + off_reg == dst_reg ? dst : src, err); + break; + case REASON_TYPE: + verbose(env, "R%d has pointer with unsupported alu operation, %s\n", + off_reg == dst_reg ? src : dst, err); + break; + case REASON_PATHS: + verbose(env, "R%d tried to %s from different maps, paths or scalars, %s\n", + dst, op, err); + break; + case REASON_LIMIT: + verbose(env, "R%d tried to %s beyond pointer bounds, %s\n", + dst, op, err); + break; + case REASON_STACK: + verbose(env, "R%d could not be pushed for speculative verification, %s\n", + dst, err); + break; + default: + verbose(env, "verifier internal error: unknown reason (%d)\n", + reason); + break; + } + + return -EACCES; } /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. @@ -2934,10 +2981,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, switch (opcode) { case BPF_ADD: ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg); - if (ret < 0) { - verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst); - return ret; - } + if (ret < 0) + return sanitize_err(env, insn, ret, off_reg, dst_reg); + /* We can take a fixed offset as long as it doesn't overflow * the s32 'off' field */ 
@@ -2989,10 +3035,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, break; case BPF_SUB: ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg); - if (ret < 0) { - verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst); - return ret; - } + if (ret < 0) + return sanitize_err(env, insn, ret, off_reg, dst_reg); + if (dst_reg == off_reg) { /* scalar -= pointer. Creates an unknown scalar */ verbose(env, "R%d tried to subtract pointer from scalar\n", @@ -3109,7 +3154,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, s64 smin_val, smax_val; u64 umin_val, umax_val; u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; - u32 dst = insn->dst_reg; int ret; if (insn_bitness == 32) { @@ -3146,10 +3190,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, switch (opcode) { case BPF_ADD: ret = sanitize_val_alu(env, insn); - if (ret < 0) { - verbose(env, "R%d tried to add from different pointers or scalars\n", dst); - return ret; - } + if (ret < 0) + return sanitize_err(env, insn, ret, NULL, NULL); if (signed_add_overflows(dst_reg->smin_value, smin_val) || signed_add_overflows(dst_reg->smax_value, smax_val)) { dst_reg->smin_value = S64_MIN; 
@@ -3170,10 +3212,8 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, break; case BPF_SUB: ret = sanitize_val_alu(env, insn); - if (ret < 0) { - verbose(env, "R%d tried to sub from different pointers or scalars\n", dst); - return ret; - } + if (ret < 0) + return sanitize_err(env, insn, ret, NULL, NULL); if (signed_sub_overflows(dst_reg->smin_value, smax_val) || signed_sub_overflows(dst_reg->smax_value, smin_val)) { /* Overflow possible, we know nothing */
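
Review bot: The REASON_* enum added ahead of retrieve_ptr_limit() (-2729 hunk) uses small negative ints returned through the same int that previously carried errnos, and REASON_BOUNDS = -1 is numerically -EPERM. Any caller of sanitize_ptr_alu() or sanitize_val_alu() that still does "return ret" instead of going through sanitize_err() would pass a REASON_* value on as if it were an errno. The four call sites in this diff are converted, but a comment on the enum stating that these values must always be translated by sanitize_err() would make the contract explicit.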
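
Review bot: sanitize_err() (-2861 hunk) ends with an unconditional "return -EACCES;", so the codes these paths returned before this patch (-EINVAL for an unsupported pointer type, -ERANGE from the limit check, -EFAULT from sanitize_ptr_alu()) all collapse to -EACCES. The changelog only mentions messages; the errno change is observable by whatever inspects the load failure and should be stated. The default branch also logs "verifier internal error" yet returns -EACCES like a policy rejection; consider a distinct code such as -EFAULT there.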
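
Review bot: In adjust_scalar_min_max_vals() (-3146 and -3170 hunks) both call sites pass NULL for off_reg and dst_reg: "return sanitize_err(env, insn, ret, NULL, NULL);". sanitize_err() never dereferences them, but its REASON_BOUNDS and REASON_TYPE branches evaluate "off_reg == dst_reg", which is true for NULL == NULL and would pick a register number with no real meaning. This is only sound if sanitize_val_alu() can return nothing but REASON_PATHS; please state that in a comment at the call sites or above sanitize_err(). The scalar path also now reports "pointer arithmetic with it prohibited for !root" where the old text spoke of "different pointers or scalars", which reads oddly for a scalar-only operation.
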
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 12/19] bpf: Refactor and streamline bounds check into helper
Date: Fri, 28 May 2021 13:38:03 +0300
Message-Id: <20210528103810.22025-13-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann commit 073815b756c51ba9d8384d924c5d1c03ca3d1ae4 upstream. Move the bounds check in adjust_ptr_min_max_vals() into a small helper named sanitize_check_bounds() in order to simplify the former a bit. Signed-off-by: Daniel Borkmann Reviewed-by: John Fastabend Acked-by: Alexei Starovoitov [fllinden@amazon.com: backport to 5.4] Signed-off-by: Frank van der Linden Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ovidiu Panait --- kernel/bpf/verifier.c | 54 +++++++++++++++++++++++++++++-------------- 1 file changed, 37 insertions(+), 17 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 473b59126f61..faa2a4c3467d 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2911,6 +2911,41 @@ static int sanitize_err(struct bpf_verifier_env *env, return -EACCES; } +static int sanitize_check_bounds(struct bpf_verifier_env *env, + const struct bpf_insn *insn, + const struct bpf_reg_state *dst_reg) +{ + u32 dst = insn->dst_reg; + + /* For unprivileged we require that resulting offset must be in bounds + * in order to be able to sanitize access later on. + */ + if (env->allow_ptr_leaks) + return 0; + + switch (dst_reg->type) { + case PTR_TO_STACK: + if (check_stack_access(env, dst_reg, dst_reg->off + + dst_reg->var_off.value, 1)) { + verbose(env, "R%d stack pointer arithmetic goes out of range, " + "prohibited for !root\n", dst); + return -EACCES; + } + break; + case PTR_TO_MAP_VALUE: + if (check_map_access(env, dst, dst_reg->off, 1, false)) { + verbose(env, "R%d pointer arithmetic of map value goes out of range, " + "prohibited for !root\n", dst); + return -EACCES; + } + break; + default: + break; + } + + return 0; +} + /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. * Caller should also handle BPF_MOV case separately. * If we return -EACCES, caller may want to try again treating pointer as a 
@@ -3118,23 +3153,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, __reg_deduce_bounds(dst_reg); __reg_bound_offset(dst_reg); - /* For unprivileged we require that resulting offset must be in bounds - * in order to be able to sanitize access later on. - */ - if (!env->allow_ptr_leaks) { - if (dst_reg->type == PTR_TO_MAP_VALUE && - check_map_access(env, dst, dst_reg->off, 1, false)) { - verbose(env, "R%d pointer arithmetic of map value goes out of range, " - "prohibited for !root\n", dst); - return -EACCES; - } else if (dst_reg->type == PTR_TO_STACK && - check_stack_access(env, dst_reg, dst_reg->off + - dst_reg->var_off.value, 1)) { - verbose(env, "R%d stack pointer arithmetic goes out of range, " - "prohibited for !root\n", dst); - return -EACCES; - } - } + if (sanitize_check_bounds(env, insn, dst_reg) < 0) + return -EACCES; return 0; }
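
Review bot: in the first hunk of this patch, the comment "For unprivileged we require that resulting offset must be in bounds" now sits directly above `if (env->allow_ptr_leaks) return 0;`, which is the privileged early exit, so it describes the code after the return rather than the line it annotates. Moving the comment below the early return, or rewording it to say that privileged programs skip the check, would keep it accurate. The `default: break;` arm also accepts every other pointer type silently; a short comment that only PTR_TO_STACK and PTR_TO_MAP_VALUE are bounds-checked here, as in the removed if/else-if chain, would make that intent explicit.

Review bot: in the second hunk of this patch, the call site tests `sanitize_check_bounds(env, insn, dst_reg) < 0` and then returns a hard-coded -EACCES, discarding the helper's return value. The helper as added only returns 0 or -EACCES, so behaviour is unchanged, but storing the result in the function's existing `ret` and returning it would keep the caller correct if the helper ever gains another error code.
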
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 13/19] bpf: Move sanitize_val_alu out of op switch
Date: Fri, 28 May 2021 13:38:04 +0300
Message-Id: <20210528103810.22025-14-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit f528819334881fd622fdadeddb3f7edaed8b7c9b upstream.

Add a small sanitize_needed() helper function and move sanitize_val_alu() out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu() as well out of its opcode switch so this helps to streamline both.

Signed-off-by: Daniel Borkmann
Reviewed-by: John Fastabend
Acked-by: Alexei Starovoitov
[fllinden@amazon.com: backported to 5.4]
Signed-off-by: Frank van der Linden
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ovidiu Panait --- kernel/bpf/verifier.c | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index faa2a4c3467d..094f70876923 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2815,6 +2815,11 @@ static int sanitize_val_alu(struct bpf_verifier_env *env, return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); } +static bool sanitize_needed(u8 opcode) +{ + return opcode == BPF_ADD || opcode == BPF_SUB; +} + static int sanitize_ptr_alu(struct bpf_verifier_env *env, struct bpf_insn *insn, const struct bpf_reg_state *ptr_reg, @@ -3207,11 +3212,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, return 0; } - switch (opcode) { - case BPF_ADD: + if (sanitize_needed(opcode)) { ret = sanitize_val_alu(env, insn); if (ret < 0) return sanitize_err(env, insn, ret, NULL, NULL); + } + + switch (opcode) { + case BPF_ADD: if (signed_add_overflows(dst_reg->smin_value, smin_val) || signed_add_overflows(dst_reg->smax_value, smax_val)) { dst_reg->smin_value = S64_MIN; 
@@ -3231,9 +3239,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); break; case BPF_SUB: - ret = sanitize_val_alu(env, insn); - if (ret < 0) - return sanitize_err(env, insn, ret, NULL, NULL); if (signed_sub_overflows(dst_reg->smin_value, smax_val) || signed_sub_overflows(dst_reg->smax_value, smin_val)) { /* Overflow possible, we know nothing */
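
Review bot: sanitize_needed() in the first hunk of this patch has no comment saying why only BPF_ADD and BPF_SUB qualify. The second hunk now gates sanitize_val_alu() on it ahead of the opcode switch, and the commit message says sanitize_ptr_alu() will be gated the same way, so the predicate becomes the single place that decides which opcodes are sanitized. A one-line comment on the helper stating that it must list every opcode for which ALU sanitation applies would help whoever extends either switch later.
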
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 14/19] bpf: Tighten speculative pointer arithmetic mask
Date: Fri, 28 May 2021 13:38:05 +0300
Message-Id: <20210528103810.22025-15-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 upstream.

This work tightens the offset mask we use for unprivileged pointer arithmetic in order to mitigate a corner case reported by Piotr and Benedict where in the speculative domain it is possible to advance, for example, the map value pointer by up to value_size-1 out-of-bounds in order to leak kernel memory via side-channel to user space.

Before this change, the computed ptr_limit for retrieve_ptr_limit() helper represents largest valid distance when moving pointer to the right or left which is then fed as aux->alu_limit to generate masking instructions against the offset register. After the change, the derived aux->alu_limit represents the largest potential value of the offset register which we mask against which is just a narrower subset of the former limit.

For minimal complexity, we call sanitize_ptr_alu() from 2 observation points in adjust_ptr_min_max_vals(), that is, before and after the simulated alu operation. In the first step, we retrieve the alu_state and alu_limit before the operation as well as we branch-off a verifier path and push it to the verification stack as we did before which checks the dst_reg under truncation, in other words, when the speculative domain would attempt to move the pointer out-of-bounds. In the second step, we retrieve the new alu_limit and calculate the absolute distance between both. Moreover, we commit the alu_state and final alu_limit via update_alu_sanitation_state() to the env's instruction aux data, and bail out from there if there is a mismatch due to coming from different verification paths with different states.

Reported-by: Piotr Krysiuk
Reported-by: Benedict Schlueter
Signed-off-by: Daniel Borkmann
Reviewed-by: John Fastabend
Acked-by: Alexei Starovoitov
Tested-by: Benedict Schlueter
[fllinden@amazon.com: backported to 5.4]
Signed-off-by: Frank van der Linden
Signed-off-by: Greg Kroah-Hartman
[OP: backport to 4.19]
Signed-off-by: Ovidiu Panait --- kernel/bpf/verifier.c | 70 +++++++++++++++++++++++++++---------------- 1 file changed, 44 insertions(+), 26 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 094f70876923..908251977bef 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2744,7 +2744,7 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, bool off_is_neg = off_reg->smin_value < 0; bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || (opcode == BPF_SUB && !off_is_neg); - u32 off, max = 0, ptr_limit = 0; + u32 max = 0, ptr_limit = 0; if (!tnum_is_const(off_reg->var_off) && (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) @@ -2753,23 +2753,18 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, switch (ptr_reg->type) { case PTR_TO_STACK: /* Offset 0 is out-of-bounds, but acceptable start for the - * left direction, see BPF_REG_FP. + * left direction, see BPF_REG_FP. Also, unknown scalar + * offset where we would need to deal with min/max bounds is + * currently prohibited for unprivileged. */ max = MAX_BPF_STACK + mask_to_left; - off = ptr_reg->off + ptr_reg->var_off.value; - if (mask_to_left) - ptr_limit = MAX_BPF_STACK + off; - else - ptr_limit = -off - 1; + ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off); break; case PTR_TO_MAP_VALUE: max = ptr_reg->map_ptr->value_size; - if (mask_to_left) { - ptr_limit = ptr_reg->umax_value + ptr_reg->off; - } else { - off = ptr_reg->smin_value + ptr_reg->off; - ptr_limit = ptr_reg->map_ptr->value_size - off - 1; - } + ptr_limit = (mask_to_left ? + ptr_reg->smin_value : + ptr_reg->umax_value) + ptr_reg->off; break; default: return REASON_TYPE; 
@@ -2824,10 +2819,12 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, struct bpf_insn *insn, const struct bpf_reg_state *ptr_reg, const struct bpf_reg_state *off_reg, - struct bpf_reg_state *dst_reg) + struct bpf_reg_state *dst_reg, + struct bpf_insn_aux_data *tmp_aux, + const bool commit_window) { + struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : tmp_aux; struct bpf_verifier_state *vstate = env->cur_state; - struct bpf_insn_aux_data *aux = cur_aux(env); bool off_is_neg = off_reg->smin_value < 0; bool ptr_is_dst_reg = ptr_reg == dst_reg; u8 opcode = BPF_OP(insn->code); @@ -2846,18 +2843,33 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, if (vstate->speculative) goto do_sim; - alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; - alu_state |= ptr_is_dst_reg ? - BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; - err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode); if (err < 0) return err; + if (commit_window) { + /* In commit phase we narrow the masking window based on + * the observed pointer move after the simulated operation. + */ + alu_state = tmp_aux->alu_state; + alu_limit = abs(tmp_aux->alu_limit - alu_limit); + } else { + alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; + alu_state |= ptr_is_dst_reg ? + BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; + } + err = update_alu_sanitation_state(aux, alu_state, alu_limit); if (err < 0) return err; do_sim: + /* If we're in commit phase, we're done here given we already + * pushed the truncated dst_reg into the speculative verification + * stack. + */ + if (commit_window) + return 0; + /* Simulate and find potential out-of-bounds access under * speculative execution from truncation as a result of * masking when off was not within expected range. If off 
@@ -2969,6 +2981,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; + struct bpf_insn_aux_data tmp_aux = {}; u8 opcode = BPF_OP(insn->code); u32 dst = insn->dst_reg; int ret; @@ -3018,12 +3031,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) return -EINVAL; - switch (opcode) { - case BPF_ADD: - ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg); + if (sanitize_needed(opcode)) { + ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg, + &tmp_aux, false); if (ret < 0) return sanitize_err(env, insn, ret, off_reg, dst_reg); + } + switch (opcode) { + case BPF_ADD: /* We can take a fixed offset as long as it doesn't overflow * the s32 'off' field */ @@ -3074,10 +3090,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, } break; case BPF_SUB: - ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg); - if (ret < 0) - return sanitize_err(env, insn, ret, off_reg, dst_reg); - if (dst_reg == off_reg) { /* scalar -= pointer. Creates an unknown scalar */ verbose(env, "R%d tried to subtract pointer from scalar\n", 
@@ -3160,6 +3172,12 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, if (sanitize_check_bounds(env, insn, dst_reg) < 0) return -EACCES; + if (sanitize_needed(opcode)) { + ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg, + &tmp_aux, true); + if (ret < 0) + return sanitize_err(env, insn, ret, off_reg, dst_reg); + } return 0; }
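
Review bot: in the retrieve_ptr_limit() hunk of this patch, the PTR_TO_STACK case now sets `ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off);` for both directions while `max` still depends on mask_to_left. The negated sum is stored into a u32, so the result relies on implicit truncation; a sentence in the comment above stating the expected sign of the stack offset, and why one expression now serves both directions, would make the bound easier to check.

Review bot: in the sanitize_ptr_alu() hunk of this patch, `alu_limit = abs(tmp_aux->alu_limit - alu_limit);` takes abs() of a difference whose operand types are not visible in the hunk. retrieve_ptr_limit() in this same patch keeps ptr_limit as u32, and if both operands here are u32 the subtraction wraps before abs() sees it. Since this is a backport, please confirm that abs() in the 4.19 tree yields the intended distance for an unsigned argument, or spell the distance out as an explicit compare and subtract.

Review bot: in the last hunk of this patch, the commit-phase call passes dst_reg as both ptr_reg and dst_reg, so `ptr_is_dst_reg` is always true inside sanitize_ptr_alu() on that call. That is harmless only because the commit_window branch takes alu_state from tmp_aux instead of recomputing it; a comment at the call site saying so would stop a later change from relying on ptr_is_dst_reg in the commit path.
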
mx0a-0064b401.pphosted.com with ESMTP id 38tqu5ra29-4 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT); Fri, 28 May 2021 03:38:57 -0700 ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=OeUXT5ekS3EKKZVYbk1I1S68X/0F9kNiP2HVXh+LwUbiCHRLBelzUcrq7n8iAoo5SnuIDybE7D4oO4V3T4VZhceXSZ43oLxA9WFqm1yLU9XLwSIwqWM+vvNif7CKcDStK0QnATusEhdskcHqq4+iD7Gpees9sHp+fk3RdJe3uSGGZ8VajxNDWylWVyuMSLr8LNHVNZI4+1Bcjst+0JTFT5Lf9x/wumOE+UJUV4ZtLvxgtynKNXC6p5DoCP+VK3wdqvrXPMv6o/QDk9fQCjczo7jVBgWx2ulRU+VeDMeYEVi4fBwzPbjxJe5uS85HIKb0nQ6jvRlDMJ+/kErJjsCI1A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UuJheAUwd+FS9wsLTF2TSxmH+z2RB5twAnc+wG0ilTI=; b=kjR2DwqQPAxmWJr47EvOMGEYs0yFzGITdTuwVGbrhBP8qLWiGr4AUlw1slCrFsq7B9IVlliyhIoawP142911LUdF1OUt7EUUInqawszRLVfbbXb5lHMfsAuiRoo3H9jnR1pBJP/1AYaPGOx4CjdEMAcL9FPGyPihON2ZQJk2GtdzKeK0zee87UD3pY9eG7gYEShynGgwf2imN9OXOgesdrP3FWNxPxB6HSlEJOZxHiMg6S/5BfDMChbOGa0ndjpVmEOjYmHyR9bdMHhqaU5tt6JrZMtFZr4fJ6aVXQnUXXHr+WqZLpr1oo4ZG9/cOzMYom4XRfYO/+saGQcfxqO4Xw== ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=windriver.com; dmarc=pass action=none header.from=windriver.com; dkim=pass header.d=windriver.com; arc=none DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=windriversystems.onmicrosoft.com; s=selector2-windriversystems-onmicrosoft-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=UuJheAUwd+FS9wsLTF2TSxmH+z2RB5twAnc+wG0ilTI=; b=Rp1fUYesL2I10ndYfSWA3RAIpH+48exIOVv6XjbWmoJv268OBhkEjM+x8pZO+AwrecB2WWVg5iFI/FqdR7wM8OOVRQE4jdz4vKhtABTx18h25GLoyhFue2Vq8uPVXDx+cokLfX9QwcTRmdfAs9CuC3M1V2Bhih0hLEiTS1U2XC4= Authentication-Results: vger.kernel.org; dkim=none (message not signed) header.d=none;vger.kernel.org; dmarc=none action=none header.from=windriver.com; Received: from BN6PR11MB1956.namprd11.prod.outlook.com 
(2603:10b6:404:104::19) by BN8PR11MB3780.namprd11.prod.outlook.com (2603:10b6:408:90::23) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.24; Fri, 28 May 2021 10:38:55 +0000 Received: from BN6PR11MB1956.namprd11.prod.outlook.com ([fe80::f100:256b:e0af:7d33]) by BN6PR11MB1956.namprd11.prod.outlook.com ([fe80::f100:256b:e0af:7d33%3]) with mapi id 15.20.4173.024; Fri, 28 May 2021 10:38:55 +0000 
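Review bot: in the hunk at @@ -3160,6 +3172,12 @@, the added call passes dst_reg as both the pointer argument and the destination (`sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg, &tmp_aux, true)`), which reads like a copy-paste slip next to the other call site that passes ptr_reg with `false`. A one-line comment above `if (sanitize_needed(opcode))` stating that this is the commit pass and that it deliberately runs on the pointer after the ALU operation would make the intent clear.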
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 15/19] bpf: Update selftests to reflect new error states
Date: Fri, 28 May 2021 13:38:06 +0300
Message-Id: <20210528103810.22025-16-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit d7a5091351756d0ae8e63134313c455624e36a13 upstream

Update various selftest error messages:

 * The 'Rx tried to sub from different maps, paths, or prohibited types' is reworked into more specific/differentiated error messages for better guidance.

 * The change into 'value -4294967168 makes map_value pointer be out of bounds' is due to moving the mixed bounds check into the speculation handling and thus occurring slightly later than above mentioned sanity check.

 * The change into 'math between map_value pointer and register with unbounded min value' is similarly due to register sanity check coming before the mixed bounds check.

 * The case of 'map access: known scalar += value_ptr from different maps' now loads fine given masks are the same from the different paths (despite max map value size being different).

Signed-off-by: Daniel Borkmann
Reviewed-by: John Fastabend
Acked-by: Alexei Starovoitov
[OP: 4.19 backport, account for split test_verifier and different / missing tests]
Signed-off-by: Ovidiu Panait
--- tools/testing/selftests/bpf/test_verifier.c | 35 +++++++-------------- 1 file changed, 12 insertions(+), 23 deletions(-) diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 662d6acaaab0..e1e4b6ab83f7 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -2873,7 +2873,7 @@ static struct bpf_test tests[] = { BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", .result_unpriv = REJECT, .result = ACCEPT, }, @@ -7501,7 +7501,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { 
@@ -7526,7 +7525,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7553,7 +7551,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7579,7 +7576,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7628,7 +7624,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7700,7 +7695,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7752,7 +7746,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7780,7 +7773,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7807,7 +7799,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7837,7 +7828,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds", .result = REJECT, }, { 
@@ -7868,7 +7858,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 4 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -7897,7 +7886,6 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, .result_unpriv = REJECT, }, @@ -9799,7 +9787,7 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 has pointer with unsupported alu operation", .errstr = "R0 tried to subtract pointer from scalar", .result = REJECT, }, @@ -9814,7 +9802,7 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 has pointer with unsupported alu operation", .result_unpriv = REJECT, .result = ACCEPT, .retval = 1, 
@@ -9827,22 +9815,23 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 has pointer with unsupported alu operation", .errstr = "R0 tried to subtract pointer from scalar", .result = REJECT, }, { "check deducing bounds from const, 4", .insns = { + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), BPF_MOV64_IMM(BPF_REG_0, 0), BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), BPF_EXIT_INSN(), - BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), + BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_0), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", + .errstr_unpriv = "R6 has pointer with unsupported alu operation", .result_unpriv = REJECT, .result = ACCEPT, }, @@ -9854,7 +9843,7 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 has pointer with unsupported alu operation", .errstr = "R0 tried to subtract pointer from scalar", .result = REJECT, }, @@ -9867,7 +9856,7 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 has pointer with unsupported alu operation", .errstr = "R0 tried to subtract pointer from scalar", .result = REJECT, }, @@ -9881,7 +9870,7 @@ static struct bpf_test tests[] = { offsetof(struct __sk_buff, mark)), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 has pointer with unsupported alu operation", .errstr = "dereference of modified ctx ptr", .result = REJECT, }, 
@@ -9895,7 +9884,7 @@ static struct bpf_test tests[] = { offsetof(struct __sk_buff, mark)), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 has pointer with unsupported alu operation", .errstr = "dereference of modified ctx ptr", .result = REJECT, }, 
@@ -9907,7 +9896,7 @@ static struct bpf_test tests[] = { BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), BPF_EXIT_INSN(), }, - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", + .errstr_unpriv = "R1 has pointer with unsupported alu operation", .errstr = "R0 tried to subtract pointer from scalar", .result = REJECT, },
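Review bot: the hunk at @@ -9827,22 +9815,23 @@ changes the program of "check deducing bounds from const, 4", not only its expected string: it adds `BPF_MOV64_REG(BPF_REG_6, BPF_REG_1)` and moves the subtraction from R1 to R6, while the changelog describes message updates only. Please say in the commit message or in a comment on the test why the pointer is copied to R6 before the `BPF_SUB`, so the new "R6 has pointer with unsupported alu operation" expectation can be checked against the intent.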
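Review bot: the changelog's first bullet names only the 'Rx tried to sub from ...' string, but the hunks at @@ -2873,7 +2873,7 @@ and @@ -9895,7 +9884,7 @@ replace the 'add' variant, and the first of them with a different message ("R1 stack pointer arithmetic goes out of range") from the one used everywhere else. Listing the add case and the stack-pointer message in the changelog would make the old-to-new mapping complete. In the hunks that keep both strings, `.errstr_unpriv` now names R1 while `.errstr` names R0 for the same `BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1)`; a short note that the unprivileged check reports the pointer operand would save readers from treating that as a typo.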
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 16/19] bpf: Fix leakage of uninitialized bpf stack under speculation
Date: Fri, 28 May 2021 13:38:07 +0300
Message-Id: <20210528103810.22025-17-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit 801c6058d14a82179a7ee17a4b532cac6fad067f upstream.

The current implemented mechanisms to mitigate data disclosure under speculation mainly address stack and map value oob access from the speculative domain. However, Piotr discovered that uninitialized BPF stack is not protected yet, and thus old data from the kernel stack, potentially including addresses of kernel structures, could still be extracted from that 512 bytes large window. The BPF stack is special compared to map values since it's not zero initialized for every program invocation, whereas map values /are/ zero initialized upon their initial allocation and thus cannot leak any prior data in either domain.

In the non-speculative domain, the verifier ensures that every stack slot read must have a prior stack slot write by the BPF program to avoid such data leaking issue. However, this is not enough: for example, when the pointer arithmetic operation moves the stack pointer from the last valid stack offset to the first valid offset, the sanitation logic allows for any intermediate offsets during speculative execution, which could then be used to extract any restricted stack content via side-channel.

Given for unprivileged stack pointer arithmetic the use of unknown but bounded scalars is generally forbidden, we can simply turn the register-based arithmetic operation into an immediate-based arithmetic operation without the need for masking. This also gives the benefit of reducing the needed instructions for the operation. Given after the work in 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask"), the aux->alu_limit already holds the final immediate value for the offset register with the known scalar. Thus, a simple mov of the immediate to AX register with using AX as the source for the original instruction is sufficient and possible now in this case.

Reported-by: Piotr Krysiuk
Signed-off-by: Daniel Borkmann
Tested-by: Piotr Krysiuk
Reviewed-by: Piotr Krysiuk
Reviewed-by: John Fastabend
Acked-by: Alexei Starovoitov
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Ovidiu Panait
--- include/linux/bpf_verifier.h | 5 +++-- kernel/bpf/verifier.c | 27 +++++++++++++++++---------- 2 files changed, 20 insertions(+), 12 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 91393724e933..1c8517320ea6 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -144,10 +144,11 @@ struct bpf_verifier_state_list { }; /* Possible states for alu_state member. */ -#define BPF_ALU_SANITIZE_SRC 1U -#define BPF_ALU_SANITIZE_DST 2U +#define BPF_ALU_SANITIZE_SRC (1U << 0) +#define BPF_ALU_SANITIZE_DST (1U << 1) #define BPF_ALU_NEG_VALUE (1U << 2) #define BPF_ALU_NON_POINTER (1U << 3) +#define BPF_ALU_IMMEDIATE (1U << 4) #define BPF_ALU_SANITIZE (BPF_ALU_SANITIZE_SRC | \ BPF_ALU_SANITIZE_DST) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 908251977bef..faae834aac49 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2825,6 +2825,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, { struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : tmp_aux; struct bpf_verifier_state *vstate = env->cur_state; + bool off_is_imm = tnum_is_const(off_reg->var_off); bool off_is_neg = off_reg->smin_value < 0; bool ptr_is_dst_reg = ptr_reg == dst_reg; u8 opcode = BPF_OP(insn->code); @@ -2855,6 +2856,7 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, alu_limit = abs(tmp_aux->alu_limit - alu_limit); } else { alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; + alu_state |= off_is_imm ? BPF_ALU_IMMEDIATE : 0; alu_state |= ptr_is_dst_reg ? BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; } 
@@ -6172,7 +6174,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X; struct bpf_insn insn_buf[16]; struct bpf_insn *patch = &insn_buf[0]; - bool issrc, isneg; + bool issrc, isneg, isimm; u32 off_reg; aux = &env->insn_aux_data[i + delta]; @@ -6183,16 +6185,21 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) isneg = aux->alu_state & BPF_ALU_NEG_VALUE; issrc = (aux->alu_state & BPF_ALU_SANITIZE) == BPF_ALU_SANITIZE_SRC; + isimm = aux->alu_state & BPF_ALU_IMMEDIATE; off_reg = issrc ? insn->src_reg : insn->dst_reg; - if (isneg) - *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); - *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); - *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); - *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); - *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); - *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63); - *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg); + if (isimm) { + *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); + } else { + if (isneg) + *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); + *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); + *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); + *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); + *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); + *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63); + *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg); + } if (!issrc) *patch++ = BPF_MOV64_REG(insn->dst_reg, insn->src_reg); insn->src_reg = BPF_REG_AX; 
@@ -6200,7 +6207,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) insn->code = insn->code == code_add ? code_sub : code_add; *patch++ = *insn; - if (issrc && isneg) + if (issrc && isneg && !isimm) *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); cnt = patch - insn_buf;
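Review bot: the `if (isimm)` branch in the hunk at @@ -6183,16 +6185,21 @@ uses `aux->alu_limit` as the operand itself rather than as a bound, which is only correct when alu_limit already equals the exact constant offset. That precondition is stated only in the commit message (the reference to 7fedb63a8307), so a comment at the branch naming it would protect stable backports that might pick this patch without the prerequisite. The same comment should say how a negative constant is handled here, since the `BPF_ALU64_IMM(BPF_MUL, off_reg, -1)` negation is skipped when isimm is set and the restore in the @@ -6200,7 +6207,7 @@ hunk is skipped to match.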
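Review bot: nothing in this patch exercises the new BPF_ALU_IMMEDIATE state set in the @@ -2855,6 +2856,7 @@ hunk; the diffstat touches only include/linux/bpf_verifier.h and kernel/bpf/verifier.c. A test_verifier case that loads, as unprivileged, a program doing stack pointer arithmetic with a constant offset register would pin the rewritten instruction sequence for the 4.19 backport, where the surrounding code differs from upstream.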
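The argument in the 16/19 commit message, modelled as an added example (not kernel code and not part of the patch): the register-based masking lets any offset inside the limit through, while the immediate form yields one value whatever the offset register holds. The function names and the values 504 and 8 are constructed for illustration, and only non-negative offsets are modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define STACK_WINDOW 512u /* the "512 bytes large window" from the commit message */

/*
 * Register-based path: the sequence kept in the else branch of the
 * fixup_bpf_calls() hunk, for a non-negative offset. 'off' is whatever
 * the offset register holds at run time; on a mispredicted path that
 * need not be the constant the verifier saw.
 */
static uint64_t masked_offset(uint32_t alu_limit, uint64_t off)
{
	uint64_t ax = alu_limit;  /* BPF_MOV32_IMM(AX, alu_limit), zero-extended */

	ax -= off;                /* BPF_SUB  AX, off */
	ax |= off;                /* BPF_OR   AX, off */
	ax = 0 - ax;              /* BPF_NEG  AX      */
	ax = 0 - (ax >> 63);      /* BPF_ARSH AX, 63: sign bit smeared to 0 or ~0 */
	return ax & off;          /* BPF_AND  AX, off */
}

/*
 * Immediate path: the new 'if (isimm)' branch. AX is loaded from
 * aux->alu_limit and the offset register is never read. Assumes, as the
 * commit message states, that alu_limit already holds the constant offset.
 */
static uint64_t immediate_offset(uint32_t alu_limit, uint64_t off)
{
	(void)off;
	return alu_limit;
}

typedef uint64_t (*offset_fn)(uint32_t, uint64_t);

/*
 * Count the distinct in-window offsets that can reach the pointer ALU
 * operation when the offset register takes every value in
 * [0, 2 * STACK_WINDOW].
 */
static unsigned reachable_offsets(offset_fn fn, uint32_t alu_limit)
{
	unsigned char seen[STACK_WINDOW + 1];
	unsigned count = 0;

	memset(seen, 0, sizeof(seen));
	for (uint64_t off = 0; off <= 2 * STACK_WINDOW; off++) {
		uint64_t r = fn(alu_limit, off);

		if (r <= STACK_WINDOW && !seen[r]) {
			seen[r] = 1;
			count++;
		}
	}
	return count;
}

int main(void)
{
	const uint32_t limit = 504; /* constructed: verified constant offset */

	printf("masked:    off=8 -> %llu, reachable=%u\n",
	       (unsigned long long)masked_offset(limit, 8),
	       reachable_offsets(masked_offset, limit));
	printf("immediate: off=8 -> %llu, reachable=%u\n",
	       (unsigned long long)immediate_offset(limit, 8),
	       reachable_offsets(immediate_offset, limit));
	return 0;
}
```

The masked form clamps out-of-range and negative values to zero but passes every intermediate offset up to the limit, which is the residual window the commit message describes.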
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 17/19] bpf: Wrap aux data inside bpf_sanitize_info container
Date: Fri, 28 May 2021 13:38:08 +0300
Message-Id: <20210528103810.22025-18-ovidiu.panait@windriver.com>
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit 3d0220f6861d713213b015b582e9f21e5b28d2e0 upstream

Add a container structure struct bpf_sanitize_info which holds the current aux info, and update call-sites to sanitize_ptr_alu() to pass it in. This is needed for passing in additional state later on.

Signed-off-by: Daniel Borkmann
Reviewed-by: Piotr Krysiuk
Acked-by: Alexei Starovoitov
Signed-off-by: Ovidiu Panait
--- kernel/bpf/verifier.c | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) 
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index faae834aac49..0066ea8ecdaa 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2815,15 +2815,19 @@ static bool sanitize_needed(u8 opcode) return opcode == BPF_ADD || opcode == BPF_SUB; } +struct bpf_sanitize_info { + struct bpf_insn_aux_data aux; +}; + static int sanitize_ptr_alu(struct bpf_verifier_env *env, struct bpf_insn *insn, const struct bpf_reg_state *ptr_reg, const struct bpf_reg_state *off_reg, struct bpf_reg_state *dst_reg, - struct bpf_insn_aux_data *tmp_aux, + struct bpf_sanitize_info *info, const bool commit_window) { - struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : tmp_aux; + struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : &info->aux; struct bpf_verifier_state *vstate = env->cur_state; bool off_is_imm = tnum_is_const(off_reg->var_off); bool off_is_neg = off_reg->smin_value < 0; @@ -2852,8 +2856,8 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, /* In commit phase we narrow the masking window based on * the observed pointer move after the simulated operation. */ - alu_state = tmp_aux->alu_state; - alu_limit = abs(tmp_aux->alu_limit - alu_limit); + alu_state = info->aux.alu_state; + alu_limit = abs(info->aux.alu_limit - alu_limit); } else { alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; alu_state |= off_is_imm ? BPF_ALU_IMMEDIATE : 0; @@ -2983,7 +2987,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; - struct bpf_insn_aux_data tmp_aux = {}; + struct bpf_sanitize_info info = {}; u8 opcode = BPF_OP(insn->code); u32 dst = insn->dst_reg; int ret; 
@@ -3035,7 +3039,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, if (sanitize_needed(opcode)) { ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg, - &tmp_aux, false); + &info, false); if (ret < 0) return sanitize_err(env, insn, ret, off_reg, dst_reg); } 
@@ -3176,7 +3180,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, return -EACCES; if (sanitize_needed(opcode)) { ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg, - &tmp_aux, true); + &info, true); if (ret < 0) return sanitize_err(env, insn, ret, off_reg, dst_reg); }
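Review bot: struct bpf_sanitize_info is introduced above sanitize_ptr_alu() in patch 17/19 without any comment on its purpose, while the commit phase now reads info->aux.alu_state and info->aux.alu_limit but writes through cur_aux(env), so the narrowed window depends entirely on what the earlier commit_window == false call in adjust_ptr_min_max_vals() left in info->aux. A short comment on the struct stating that it carries state from the simulation call to the commit call, and that callers must zero-initialise it (as `struct bpf_sanitize_info info = {};` does), would make that contract explicit before further fields are added. The rename from tmp_aux is otherwise mechanical and both call sites are updated consistently.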
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 18/19] bpf: Fix mask direction swap upon off reg sign change
Date: Fri, 28 May 2021 13:38:09 +0300
Message-Id: <20210528103810.22025-19-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream

Masking direction as indicated via mask_to_left is considered to be
calculated once and then used to derive pointer limits. Thus, this
needs to be placed into bpf_sanitize_info instead so we can pass it
to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
corner case where the off reg causes masking direction change which
then results in an incorrect final aux->alu_limit.

Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
Reported-by: Piotr Krysiuk
Signed-off-by: Daniel Borkmann
Reviewed-by: Piotr Krysiuk
Acked-by: Alexei Starovoitov
Signed-off-by: Ovidiu Panait
---
 kernel/bpf/verifier.c | 22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 0066ea8ecdaa..a235342507a8 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -2738,18 +2738,10 @@ enum { }; static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, - const struct bpf_reg_state *off_reg, - u32 *alu_limit, u8 opcode) + u32 *alu_limit, bool mask_to_left) { - bool off_is_neg = off_reg->smin_value < 0; - bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || - (opcode == BPF_SUB && !off_is_neg); u32 max = 0, ptr_limit = 0; - if (!tnum_is_const(off_reg->var_off) && - (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) - return REASON_BOUNDS; - switch (ptr_reg->type) { case PTR_TO_STACK: /* Offset 0 is out-of-bounds, but acceptable start for the @@ -2817,6 +2809,7 @@ static bool sanitize_needed(u8 opcode) struct bpf_sanitize_info { struct bpf_insn_aux_data aux; + bool mask_to_left; }; static int sanitize_ptr_alu(struct bpf_verifier_env *env, 
@@ -2848,7 +2841,16 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, if (vstate->speculative) goto do_sim; - err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode); + if (!commit_window) { + if (!tnum_is_const(off_reg->var_off) && + (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) + return REASON_BOUNDS; + + info->mask_to_left = (opcode == BPF_ADD && off_is_neg) || + (opcode == BPF_SUB && !off_is_neg); + } + + err = retrieve_ptr_limit(ptr_reg, &alu_limit, info->mask_to_left); if (err < 0) return err;
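Review bot: in the sanitize_ptr_alu() hunk of patch 18/19, info->mask_to_left is assigned only inside `if (!commit_window)`, so the commit_window == true call hands retrieve_ptr_limit() whatever the earlier call stored, falling back to false from the `info = {}` initialiser if that assignment was never reached. That ordering dependency is the point of the fix according to the commit message, but nothing in the code states it; a comment on the new `bool mask_to_left;` field saying that it is computed once before the pointer move and reused afterwards would keep a later caller from recomputing it. The same comment could note that the mixed-sign REASON_BOUNDS check, moved out of retrieve_ptr_limit(), now runs only when commit_window is false, so the commit call no longer re-evaluates the sign of off_reg.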
From: Ovidiu Panait
To: stable@vger.kernel.org
Cc: fllinden@amazon.com, bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net, yhs@fb.com, john.fastabend@gmail.com, samjonas@amazon.com
Subject: [PATCH v2 4.19 19/19] bpf: No need to simulate speculative domain for immediates
Date: Fri, 28 May 2021 13:38:10 +0300
Message-Id: <20210528103810.22025-20-ovidiu.panait@windriver.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20210528103810.22025-1-ovidiu.panait@windriver.com>
References: <20210528103810.22025-1-ovidiu.panait@windriver.com>

From: Daniel Borkmann

commit a7036191277f9fa68d92f2071ddc38c09b1e5ee5 upstream

In 801c6058d14a ("bpf: Fix leakage of uninitialized bpf stack under
speculation") we replaced masking logic with direct loads of immediates
if the register is a known constant. Given in this case we do not apply
any masking, there is also no reason for the operation to be truncated
under the speculative domain.

Therefore, there is also zero reason for the verifier to branch-off and
simulate this case, it only needs to do it for unknown but bounded
scalars. As a side-effect, this also enables few test cases that were
previously rejected due to simulation under zero truncation.

Signed-off-by: Daniel Borkmann
Reviewed-by: Piotr Krysiuk
Acked-by: Alexei Starovoitov
Signed-off-by: Ovidiu Panait
---
 kernel/bpf/verifier.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index a235342507a8..1f4c88ce58de 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -2874,8 +2874,12 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, /* If we're in commit phase, we're done here given we already * pushed the truncated dst_reg into the speculative verification * stack. + * + * Also, when register is a known constant, we rewrite register-based + * operation to immediate-based, and thus do not need masking (and as + * a consequence, do not need to simulate the zero-truncation either). */ - if (commit_window) + if (commit_window || off_is_imm) return 0; /* Simulate and find potential out-of-bounds access under
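Review bot: the new `if (commit_window || off_is_imm) return 0;` in sanitize_ptr_alu() skips the speculative-path simulation for every constant offset, which is only sound on top of the immediate rewrite from 801c6058d14a that the commit message cites, so for this 4.19 backport please confirm that change is already applied earlier in the series or in the tree. The commit message also says this enables test cases that were previously rejected, yet the diffstat touches only kernel/bpf/verifier.c; any verifier selftests whose expected result changes should be updated alongside it. The added comment reads well, though "when the offset register is a known constant" would be more precise, since off_is_imm is derived from off_reg.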