From: Sasha Levin
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Alexei Starovoitov, Sasha Levin
Subject: [PATCH AUTOSEL 4.19 064/146] bpf/verifier: fix verifier instability
Date: Wed, 31 Oct 2018 19:04:19 -0400
Message-Id: <20181031230541.28822-64-sashal@kernel.org>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20181031230541.28822-1-sashal@kernel.org>
References: <20181031230541.28822-1-sashal@kernel.org>
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Alexei Starovoitov

[ Upstream commit a9c676bc8fc58d00eea9836fb14ee43c0346416a ]

Edward Cree says:
In check_mem_access(), for the PTR_TO_CTX case, after check_ctx_access()
has supplied a reg_type, the other members of the register state are set
appropriately.  Previously reg.range was set to 0, but as it is in a union
with reg.map_ptr, which is larger, upper bytes of the latter were left in
place.  This then caused the memcmp() in regsafe() to fail, preventing some
branches from being pruned (and occasionally causing the same program to
take a varying number of processed insns on repeated verifier runs).

Fix the instability by clearing bpf_reg_state in __mark_reg_[un]known()

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Debugged-by: Edward Cree
Acked-by: Edward Cree
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin
---
 kernel/bpf/verifier.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 465952a8e465..f0a2f49ff194 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -553,7 +553,9 @@ static void __mark_reg_not_init(struct bpf_reg_state *reg); */ static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm) { - reg->id = 0; + /* Clear id, off, and union(map_ptr, range) */ + memset(((u8 *)reg) + sizeof(reg->type), 0, + offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type)); reg->var_off = tnum_const(imm); reg->smin_value = (s64)imm; reg->smax_value = (s64)imm; @@ -572,7 +574,6 @@ static void __mark_reg_known_zero(struct bpf_reg_state *reg) static void __mark_reg_const_zero(struct bpf_reg_state *reg) { __mark_reg_known(reg, 0); - reg->off = 0; reg->type = SCALAR_VALUE; } @@ -683,9 +684,12 @@ static void __mark_reg_unbounded(struct bpf_reg_state *reg) /* Mark a register as having a completely unknown (scalar) value. */ static void __mark_reg_unknown(struct bpf_reg_state *reg) { + /* + * Clear type, id, off, and union(map_ptr, range) and + * padding between 'type' and union + */ + memset(reg, 0, offsetof(struct bpf_reg_state, var_off)); reg->type = SCALAR_VALUE; - reg->id = 0; - reg->off = 0; reg->var_off = tnum_unknown; reg->frameno = 0; __mark_reg_unbounded(reg); @@ -1727,9 +1731,6 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn else mark_reg_known_zero(env, regs, value_regno); - regs[value_regno].id = 0; - regs[value_regno].off = 0; - regs[value_regno].range = 0; regs[value_regno].type = reg_type; } @@ -2580,7 +2581,6 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; /* There is no offset yet applied, variable or fixed */ mark_reg_known_zero(env, regs, BPF_REG_0); - regs[BPF_REG_0].off = 0; /* remember map_ptr, so that check_map_access() * can check 'value_size' boundary of memory access * to map element returned from bpf_map_lookup_elem() -- 2.17.1
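Review bot: the memset added to __mark_reg_known() (first hunk) hard-codes the layout assumption that `type` is at offset 0 and that every member between `type` and `var_off` (id, off, the map_ptr/range union and any padding) is safe to zero; nothing in the hunk enforces that, so a later reordering of struct bpf_reg_state would silently change what gets cleared. Pin it with `BUILD_BUG_ON(offsetof(struct bpf_reg_state, type) != 0);` next to the memset, and since __mark_reg_unknown() computes the same region a second way (`memset(reg, 0, offsetof(struct bpf_reg_state, var_off));`), a small shared helper would keep the two from drifting apart.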
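Review bot: with `reg->off = 0;` dropped from __mark_reg_const_zero() (second hunk), that function now relies entirely on __mark_reg_known() to reset off, which the first hunk does provide; but __mark_reg_known() still leaves `frameno` untouched while __mark_reg_unknown() explicitly sets `reg->frameno = 0;`. If frameno is among the bytes regsafe()'s memcmp() compares, the stale-byte mismatch the commit message describes can still occur for known registers; either clear it in __mark_reg_known() as well or add a comment saying why it is intentionally preserved there.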
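Review bot: the comment block added to __mark_reg_unknown() (third hunk) uses the multi-line style with a bare `/*` opener, while the comment added to __mark_reg_known() in the first hunk uses the networking-tree style with text on the first line (`/* Clear id, off, and union(map_ptr, range) */`); kernel/bpf/ follows the netdev convention, so make this one match. Also, now that the memset zeroes `type`, the `reg->type = SCALAR_VALUE;` that follows is what makes the register a scalar again; that is correct, but a one-line note that the memset intentionally wipes type here (unlike __mark_reg_known(), which skips it) would save the next reader from wondering whether the two helpers differ by accident.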
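Review bot: the three assignments removed from check_mem_access() (fourth hunk) sat after the if/else and so covered both arms; the `else` arm now reaches __mark_reg_known() through mark_reg_known_zero(), which clears id, off and the union, but the `if` arm lies outside the visible context of this hunk. Please confirm it also ends in __mark_reg_unknown() or __mark_reg_known(); otherwise stale map_ptr bytes survive on that path and the regsafe() mismatch the commit message describes merely moves. Note too that `regs[value_regno].type = reg_type;` must stay after the helper call, since __mark_reg_unknown() now zeroes `type` as part of its memset.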
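Review bot: the ordering in check_helper_call() (fifth hunk) is now load-bearing and deserves a comment: `regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;` is assigned before mark_reg_known_zero(), which is only fine because __mark_reg_known() skips `type`, and the map_ptr store referred to by the `remember map_ptr` comment must stay after the call, because mark_reg_known_zero() now zeroes the map_ptr/range union. Dropping `regs[BPF_REG_0].off = 0;` is correct given the first hunk; consider extending the existing comment to say the helper also clears id, off and map_ptr so nobody later moves the map_ptr store above it.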
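To make the commit message's failure mode concrete, here is an added example that is not part of this patch or of the kernel tree: a deliberately cut-down stand-in for struct bpf_reg_state (the real struct has more members and a different layout; the field names follow the commit message, the layout is an assumption) in which a 32-bit `range` shares a union with a pointer-sized `map_ptr`. `mark_ctx_buggy()` mirrors the old `reg.range = 0` pattern, `mark_ctx_fixed()` mirrors the new offsetof()-bounded memset, and `states_match()` plays the part of regsafe()'s memcmp(). With the buggy marker the untouched half of the stale pointer survives and the two states differ; with the fix they compare equal. The expected result assumes pointers are wider than 32 bits.

```c
/* Added example, not kernel code: a stand-in for struct bpf_reg_state that
 * shows why assigning the narrow union member leaves stale bytes which a
 * memcmp()-based state comparison then sees.  Layout is an assumption. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum reg_type { NOT_INIT = 0, SCALAR_VALUE, PTR_TO_MAP_VALUE, PTR_TO_CTX };

struct reg_state {
	enum reg_type type;
	union {
		void *map_ptr;		/* pointer-sized: 8 bytes on 64-bit */
		uint32_t range;		/* 4 bytes: zeroing it leaves the rest of map_ptr */
	};
	int32_t off;
	uint32_t id;
	uint64_t var_off;		/* stand-in for struct tnum */
	int64_t smin_value, smax_value;
};

/* Pre-fix pattern: reset the members one by one, writing the narrow union member. */
static void mark_ctx_buggy(struct reg_state *reg)
{
	reg->id = 0;
	reg->off = 0;
	reg->range = 0;			/* only clears sizeof(uint32_t) bytes of the union */
	reg->type = PTR_TO_CTX;
	reg->var_off = 0;
	reg->smin_value = 0;
	reg->smax_value = 0;
}

/* Post-fix pattern: clear everything between 'type' and 'var_off',
 * union and padding included, bounded by offsetof() rather than by name. */
static void mark_ctx_fixed(struct reg_state *reg)
{
	memset((uint8_t *)reg + sizeof(reg->type), 0,
	       offsetof(struct reg_state, var_off) - sizeof(reg->type));
	reg->type = PTR_TO_CTX;
	reg->var_off = 0;
	reg->smin_value = 0;
	reg->smax_value = 0;
}

/* What regsafe() effectively does for this register: a byte-wise compare. */
static int regs_equal(const struct reg_state *a, const struct reg_state *b)
{
	return memcmp(a, b, sizeof(*a)) == 0;
}

/* Returns 1 if two "verifier runs" agree on the register state, 0 otherwise.
 * 'old' previously held a map pointer (filled with a constructed byte pattern,
 * never dereferenced); 'fresh' never did.  Both are then marked as PTR_TO_CTX. */
static int states_match(void (*mark)(struct reg_state *))
{
	struct reg_state old, fresh;

	memset(&old, 0, sizeof(old));
	old.type = PTR_TO_MAP_VALUE;
	memset(&old.map_ptr, 0xa5, sizeof(old.map_ptr));	/* stale bytes come from here */
	memset(&fresh, 0, sizeof(fresh));

	mark(&old);
	mark(&fresh);
	return regs_equal(&old, &fresh);
}

int main(void)
{
	/* On a 64-bit build this prints "buggy: 0" and "fixed: 1". */
	printf("buggy: %d\n", states_match(mark_ctx_buggy));
	printf("fixed: %d\n", states_match(mark_ctx_fixed));
	return 0;
}
```

Build and run with `cc -Wall -std=gnu11 stale_union.c && ./a.out`. The memset in `mark_ctx_fixed()` is bounded by `offsetof()` for the same reason as in the patch: it keeps clearing the right region if a member is added between `type` and `var_off`, whereas naming members individually has to be kept in sync by hand.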