From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Edward Cree, Alexei Starovoitov, Sasha Levin
Subject: [PATCH 4.19 109/361] bpf/verifier: fix verifier instability
Date: Sun, 11 Nov 2018 14:17:36 -0800
Message-Id: <20181111221634.933690728@linuxfoundation.org>
In-Reply-To: <20181111221619.915519183@linuxfoundation.org>
References: <20181111221619.915519183@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Alexei Starovoitov

[ Upstream commit a9c676bc8fc58d00eea9836fb14ee43c0346416a ]

Edward Cree says:
In check_mem_access(), for the PTR_TO_CTX case, after check_ctx_access()
has supplied a reg_type, the other members of the register state are set
appropriately.  Previously reg.range was set to 0, but as it is in a
union with reg.map_ptr, which is larger, upper bytes of the latter were
left in place.  This then caused the memcmp() in regsafe() to fail,
preventing some branches from being pruned (and occasionally causing the
same program to take a varying number of processed insns on repeated
verifier runs).

Fix the instability by clearing bpf_reg_state in __mark_reg_[un]known()

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Debugged-by: Edward Cree
Acked-by: Edward Cree
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -553,7 +553,9 @@ static void __mark_reg_not_init(struct b */ static void __mark_reg_known(struct bpf_reg_state *reg, u64 imm) { - reg->id = 0; + /* Clear id, off, and union(map_ptr, range) */ + memset(((u8 *)reg) + sizeof(reg->type), 0, + offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type)); reg->var_off = tnum_const(imm); reg->smin_value = (s64)imm; reg->smax_value = (s64)imm; @@ -572,7 +574,6 @@ static void __mark_reg_known_zero(struct static void __mark_reg_const_zero(struct bpf_reg_state *reg) { __mark_reg_known(reg, 0); - reg->off = 0; reg->type = SCALAR_VALUE; } @@ -683,9 +684,12 @@ static void __mark_reg_unbounded(struct /* Mark a register as having a completely unknown (scalar) value. */ static void __mark_reg_unknown(struct bpf_reg_state *reg) { + /* + * Clear type, id, off, and union(map_ptr, range) and + * padding between 'type' and union + */ + memset(reg, 0, offsetof(struct bpf_reg_state, var_off)); reg->type = SCALAR_VALUE; - reg->id = 0; - reg->off = 0; reg->var_off = tnum_unknown; reg->frameno = 0; __mark_reg_unbounded(reg); @@ -1727,9 +1731,6 @@ static int check_mem_access(struct bpf_v else mark_reg_known_zero(env, regs, value_regno); - regs[value_regno].id = 0; - regs[value_regno].off = 0; - regs[value_regno].range = 0; regs[value_regno].type = reg_type; } @@ -2580,7 +2581,6 @@ static int check_helper_call(struct bpf_ regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; /* There is no offset yet applied, variable or fixed */ mark_reg_known_zero(env, regs, BPF_REG_0); - regs[BPF_REG_0].off = 0; /* remember map_ptr, so that check_map_access() * can check 'value_size' boundary of memory access * to map element returned from bpf_map_lookup_elem()
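Review bot: in the @@ -553 hunk, the memset in __mark_reg_known() silently assumes that `type` is the first member of struct bpf_reg_state: it starts at `((u8 *)reg) + sizeof(reg->type)` and sizes the range as `offsetof(struct bpf_reg_state, var_off) - sizeof(reg->type)`, which is only the end of `type` while nothing precedes it. Using `offsetofend(struct bpf_reg_state, type)` for both the start and the length, or adding a `BUILD_BUG_ON(offsetof(struct bpf_reg_state, type) != 0)` beside it, would stop a later reordering from shrinking the cleared region without any warning. The comment "Clear id, off, and union(map_ptr, range)" should also mention that the padding between `type` and the union is cleared, as the __mark_reg_unknown() comment in the @@ -683 hunk already does; that padding is exactly what a memcmp()-based regsafe() sees.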
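Review bot: in the @@ -683 hunk, `memset(reg, 0, offsetof(struct bpf_reg_state, var_off))` encodes a layout rule (every identity and pointer field of struct bpf_reg_state lives before `var_off`) that is stated nowhere at the struct definition, so a member added after `var_off` later would reintroduce the stale bytes that regsafe()'s memcmp() trips over. Suggest a one-line comment on the struct, or a BUILD_BUG_ON ordering check, making that rule explicit. Related: `reg->frameno = 0` is kept after the memset; if `frameno` precedes `var_off` it is now redundant, and if it follows `var_off` it is worth saying in the comment why it is the one later field that needs resetting.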
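Review bot: in the @@ -1727 hunk, dropping `regs[value_regno].range = 0` from check_mem_access() is only safe if every path reaching `regs[value_regno].type = reg_type` has passed through __mark_reg_known() or __mark_reg_unknown(). The visible `else mark_reg_known_zero(env, regs, value_regno);` branch does; the `if` branch above it is outside the hunk and should be confirmed to end in mark_reg_unknown() (or another helper that now memsets), otherwise a PTR_TO_CTX register produced by that branch keeps stale map_ptr bytes and the pruning failure the commit message describes remains on that path.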
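Review bot: in the @@ -2580 hunk, removing `regs[BPF_REG_0].off = 0` after mark_reg_known_zero() is correct now that the helper clears the union too, but that same clearing creates an ordering dependency with the `map_ptr` assignment that follows the "remember map_ptr" comment: mark_reg_known_zero() must stay before it, or the memset wipes the map pointer that check_map_access() later relies on for the value_size bound. A short note at the mark_reg_known_zero() call saying that it zeroes map_ptr would keep a later reordering from breaking it silently.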
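The mechanism the commit message describes, as an added stand-alone example that is not part of the patch or of the kernel's own code: a toy register-state struct with a union of a 32-bit `range` and a 64-bit map reference, a memcmp()-based comparison standing in for regsafe(), and the two marking strategies side by side (the removed `range = 0` lines versus the patched memset up to `var_off`). The struct layout, every name (`toy_reg_state`, `mark_ctx_old`, `mark_ctx_new`, `toy_regsafe`, `demo_prunable`) and the sentinel map value are this example's assumptions; the union member is a `uint64_t` rather than a real pointer so the stale upper bytes appear on any target, not only 64-bit ones.

```c
/*
 * Added example, not from the patch or the kernel: reproduces the
 * stale-union-bytes problem on a toy register-state struct.
 * Layout and names are assumptions chosen to mirror the commit message.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum toy_reg_type { TOY_NOT_INIT = 0, TOY_SCALAR, TOY_PTR_TO_CTX, TOY_PTR_TO_MAP };

struct toy_reg_state {
	enum toy_reg_type type;
	union {
		int32_t range;     /* 32-bit: meaningful for packet pointers */
		uint64_t map_ref;  /* 64-bit stand-in for map_ptr: wider than range */
	} u;
	int32_t off;
	uint32_t id;
	uint64_t var_off;          /* stands in for the tnum and bounds that follow */
};

/* "Before": the lines the patch removes from check_mem_access().
 * Only the 32-bit range member is zeroed, so the other half of the
 * union keeps whatever map_ref held. */
static void mark_ctx_old(struct toy_reg_state *reg)
{
	reg->id = 0;
	reg->off = 0;
	reg->u.range = 0;
	reg->type = TOY_PTR_TO_CTX;
}

/* "After": the patched __mark_reg_unknown() shape: clear every byte
 * before var_off (type, padding, the whole union, off, id), then set type. */
static void mark_ctx_new(struct toy_reg_state *reg)
{
	memset(reg, 0, offsetof(struct toy_reg_state, var_off));
	reg->type = TOY_PTR_TO_CTX;
}

/* Stand-in for the memcmp() in regsafe(): states are equivalent only if
 * every byte matches, padding and unused union bytes included. */
static int toy_regsafe(const struct toy_reg_state *a, const struct toy_reg_state *b)
{
	return memcmp(a, b, sizeof(*a)) == 0;
}

/* Constructed sentinel with no zero byte in either 32-bit half, so the
 * stale bytes show up whether the target is little- or big-endian. */
#define TOY_MAP_SENTINEL 0xdeadbeefcafef00dULL

/* Two paths reach the same instruction with a register about to become
 * PTR_TO_CTX: on path A it previously held a map reference, on path B it
 * was a plain scalar. Returns 1 if the chosen marking makes the two states
 * compare equal (the branch can be pruned), 0 otherwise. */
static int demo_prunable(int use_new_marking)
{
	struct toy_reg_state a, b;

	memset(&a, 0, sizeof(a));
	memset(&b, 0, sizeof(b));
	a.type = TOY_PTR_TO_MAP;
	a.u.map_ref = TOY_MAP_SENTINEL;
	b.type = TOY_SCALAR;

	if (use_new_marking) {
		mark_ctx_new(&a);
		mark_ctx_new(&b);
	} else {
		mark_ctx_old(&a);
		mark_ctx_old(&b);
	}
	return toy_regsafe(&a, &b);
}

/* Count the union bytes that mark_ctx_old() leaves non-zero for a
 * register that previously held the sentinel: the half not covered by range. */
static size_t stale_union_bytes_old(void)
{
	struct toy_reg_state r;
	const unsigned char *p = (const unsigned char *)&r;
	size_t i, n = 0;

	memset(&r, 0, sizeof(r));
	r.type = TOY_PTR_TO_MAP;
	r.u.map_ref = TOY_MAP_SENTINEL;
	mark_ctx_old(&r);
	for (i = offsetof(struct toy_reg_state, u);
	     i < offsetof(struct toy_reg_state, u) + sizeof(r.u); i++)
		if (p[i] != 0)
			n++;
	return n;
}

int main(void)
{
	printf("old marking: %zu stale union bytes, states %s\n",
	       stale_union_bytes_old(), demo_prunable(0) ? "equal" : "differ");
	printf("new marking: states %s\n", demo_prunable(1) ? "equal" : "differ");
	return 0;
}
```

Run it and the old marking leaves four union bytes dirty and makes two semantically identical states compare unequal, while the memset version makes them equal; in the verifier that is the difference between a pruned and an unpruned branch, and since the dirty bytes depend on what the register held earlier, it is also why the same program could take a varying number of processed insns across runs.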