Received: by 2002:a17:90a:2044:0:0:0:0 with SMTP id n62csp1134106pjc; Thu, 9 May 2019 14:33:03 -0700 (PDT) X-Google-Smtp-Source: APXvYqxbfrlCr1KB3MhsIwUbczYaqr9rYENKyh7AbUE0KgUFJ9x6f63qQU/Yg9zDd1Qa1891sUuH X-Received: by 2002:a63:6f8e:: with SMTP id k136mr8896866pgc.104.1557437583637; Thu, 09 May 2019 14:33:03 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1557437583; cv=none; d=google.com; s=arc-20160816; b=mGrp70pvoO+MWo4NRbSE6+vz5Znk21IyKV3M+zu/s/wZcMiDGG8twLq05oQ1epWZbX xjXQvRPs6xHR7ACiqMTUK7oaworP7Z4OoXi6wUHO3SzpAoyDfIfAvPF4aT+SgWXVE3hw 4OkyJYxTFRgOUSKb3t3XXPIHVJWmbCQp2Bhak1vLGsw062POSZ8XYTzprVMPh0BsI1PK F0x3OgjboytzRH95XTXbKJL5yUVoyc8YovMzoGODg64CvP3TgwTxbySGetfHj32um8/A 8aZVVzSROvyuh7QymlBXQ75Qsubyx7u5TZxXQNzluXyPyPWqv86UYNs3cykoeFDlaV4b DO7w== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=f3m4QlFht/7CZRXj5b7LMqrD9ierYg07Lf/+gUHh3i8=; b=qjApnTijnrRKKzz5NgYXa+FH+ud1bBLLyat3xafhb6zgU2GSNMIjeXBH/y46Cb6XtN AjjB/VzSunL+h8HHo/2yEP/oeUs5n7QrabUA3PBzFA5vkFLjz7G6egDFwcIoeG/Oqr98 yj4T4ftuHMornDmg+OM/7uKAYsYG7kZTYB0JWuB/nRasEHq8XXgupp0Wmk/6Mn2avrmR iVW/61DVADBGi1VdjWI/psBZ0RazvGnquS0BQeO5lmyC8y/le9Zi3hwvFnoK8u6p6a6M /mgQ03ZsLvz+CVfi02Z3skQYWnU1Xx/f5c6mGWSlCbIUYniGx+sz6YGvpx3rVq95eraV g+7Q== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 64si4353188pgc.483.2019.05.09.14.32.46; Thu, 09 May 2019 14:33:03 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727030AbfEIVaf (ORCPT + 99 others); Thu, 9 May 2019 17:30:35 -0400 Received: from www62.your-server.de ([213.133.104.62]:59618 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726219AbfEIVaf (ORCPT ); Thu, 9 May 2019 17:30:35 -0400 Received: from [78.46.172.2] (helo=sslproxy05.your-server.de) by www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from ) id 1hOqca-0007ay-Nx; Thu, 09 May 2019 23:30:32 +0200 Received: from [178.199.41.31] (helo=linux.home) by sslproxy05.your-server.de with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89) (envelope-from ) id 1hOqca-000J7d-Hy; Thu, 09 May 2019 23:30:32 +0200 Subject: Re: [PATCH bpf v1] bpf: Fix undefined behavior in narrow load handling To: Krzesimir Nowak , bpf@vger.kernel.org Cc: Alban Crequy , =?UTF-8?Q?Iago_L=c3=b3pez_Galeiras?= , Yonghong Song , Alexei Starovoitov , Martin KaFai Lau , Song Liu , netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <20190508160859.4380-1-krzesimir@kinvolk.io> From: Daniel Borkmann Message-ID: <46056c60-f106-e539-b614-498cb1e9e3d0@iogearbox.net> Date: Thu, 9 May 2019 23:30:31 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0 MIME-Version: 1.0 In-Reply-To: <20190508160859.4380-1-krzesimir@kinvolk.io> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 8bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.100.3/25444/Thu May 9 09:57:18 2019) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 05/08/2019 06:08 PM, Krzesimir Nowak wrote: > Commit 31fd85816dbe ("bpf: permits narrower load from bpf program > context fields") made the verifier add AND instructions to clear the > unwanted bits with a mask when doing a narrow load. The mask is > computed with > > (1 << size * 8) - 1 > > where "size" is the size of the narrow load. When doing a 4 byte load > of a an 8 byte field the verifier shifts the literal 1 by 32 places to > the left. This results in an overflow of a signed integer, which is an > undefined behavior. Typically the computed mask was zero, so the > result of the narrow load ended up being zero too. > > Cast the literal to long long to avoid overflows. Note that narrow > load of the 4 byte fields does not have the undefined behavior, > because the load size can only be either 1 or 2 bytes, so shifting 1 > by 8 or 16 places will not overflow it. And reading 4 bytes would not > be a narrow load of a 4 bytes field. > > Reviewed-by: Alban Crequy > Reviewed-by: Iago López Galeiras > Fixes: 31fd85816dbe ("bpf: permits narrower load from bpf program context fields") > Cc: Yonghong Song > Signed-off-by: Krzesimir Nowak > --- > kernel/bpf/verifier.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 09d5d972c9ff..950fac024fbb 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -7296,7 +7296,7 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env) > insn->dst_reg, > shift); > insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg, > - (1 << size * 8) - 1); > + (1ULL << size * 8) - 1); > } Makes sense, good catch & thanks for the fix! Could you also add a test case to test_verifier.c so we keep track of this? Thanks, Daniel