From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Piotr Krysiuk, Daniel Borkmann, Alexei Starovoitov
Subject: [PATCH 5.4 04/18] bpf: Simplify alu_limit masking for pointer arithmetic
Date: Fri, 19 Mar 2021 13:18:42 +0100
Message-Id: <20210319121745.598741986@linuxfoundation.org>
In-Reply-To: <20210319121745.449875976@linuxfoundation.org>
References: <20210319121745.449875976@linuxfoundation.org>

From: Piotr Krysiuk

commit b5871dca250cd391885218b99cc015aca1a51aea upstream.

Instead of having the mov32 with aux->alu_limit - 1 immediate, move this
operation to retrieve_ptr_limit() instead to simplify the logic and to
allow for subsequent sanity boundary checks inside retrieve_ptr_limit().
This avoids in future that at the time of the verifier masking rewrite
we'd run into an underflow which would not sign extend due to the nature
of mov32 instruction.

Signed-off-by: Piotr Krysiuk
Co-developed-by: Daniel Borkmann
Signed-off-by: Daniel Borkmann
Acked-by: Alexei Starovoitov
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -4277,16 +4277,16 @@ static int retrieve_ptr_limit(const stru */ off = ptr_reg->off + ptr_reg->var_off.value; if (mask_to_left) - *ptr_limit = MAX_BPF_STACK + off + 1; + *ptr_limit = MAX_BPF_STACK + off; else - *ptr_limit = -off; + *ptr_limit = -off - 1; return 0; case PTR_TO_MAP_VALUE: if (mask_to_left) { - *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1; + *ptr_limit = ptr_reg->umax_value + ptr_reg->off; } else { off = ptr_reg->smin_value + ptr_reg->off; - *ptr_limit = ptr_reg->map_ptr->value_size - off; + *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; } return 0; default: @@ -9081,7 +9081,7 @@ static int fixup_bpf_calls(struct bpf_ve off_reg = issrc ? insn->src_reg : insn->dst_reg; if (isneg) *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); - *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1); + *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
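
Review bot: In the retrieve_ptr_limit() hunk, the two mask-to-right branches now compute `*ptr_limit = -off - 1` and `*ptr_limit = ptr_reg->map_ptr->value_size - off - 1`, and both cases still end in an unconditional `return 0`, so nothing rejects a result that falls below zero (off equal to 0 in the stack case, off equal to value_size in the map-value case). The commit message says the move is meant to allow sanity boundary checks inside this function; either add the range check before each `return 0` and return an error when the limit is out of bounds, or say in the changelog that the check arrives in a later patch of the series, so this backport is not applied without it.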
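
Review bot: In the fixup_bpf_calls() hunk, `BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit)` now depends on retrieve_ptr_limit() having already subtracted 1, and nothing at this site records that. With the `- 1` gone, the masking sequence reads as if it used the raw limit. Add a short comment above the mov32 line stating that aux->alu_limit holds the already adjusted value and that the immediate is not sign extended, which is the underflow concern the commit message itself raises.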