From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Piotr Krysiuk, Daniel Borkmann, Alexei Starovoitov
Subject: [PATCH 5.11 22/31] bpf: Simplify alu_limit masking for pointer arithmetic
Date: Fri, 19 Mar 2021 13:19:16 +0100
Message-Id: <20210319121747.917749865@linuxfoundation.org>
X-Mailer: git-send-email 2.31.0
In-Reply-To: <20210319121747.203523570@linuxfoundation.org>
References: <20210319121747.203523570@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: Piotr Krysiuk

commit b5871dca250cd391885218b99cc015aca1a51aea upstream.

Instead of having the mov32 with aux->alu_limit - 1 immediate, move this
operation to retrieve_ptr_limit() instead to simplify the logic and to
allow for subsequent sanity boundary checks inside retrieve_ptr_limit().
This avoids in future that at the time of the verifier masking rewrite
we'd run into an underflow which would not sign extend due to the nature
of mov32 instruction.

Signed-off-by: Piotr Krysiuk
Co-developed-by: Daniel Borkmann
Signed-off-by: Daniel Borkmann
Acked-by: Alexei Starovoitov
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5398,16 +5398,16 @@ static int retrieve_ptr_limit(const stru */ off = ptr_reg->off + ptr_reg->var_off.value; if (mask_to_left) - *ptr_limit = MAX_BPF_STACK + off + 1; + *ptr_limit = MAX_BPF_STACK + off; else - *ptr_limit = -off; + *ptr_limit = -off - 1; return 0; case PTR_TO_MAP_VALUE: if (mask_to_left) { - *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1; + *ptr_limit = ptr_reg->umax_value + ptr_reg->off; } else { off = ptr_reg->smin_value + ptr_reg->off; - *ptr_limit = ptr_reg->map_ptr->value_size - off; + *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; } return 0; default: @@ -11083,7 +11083,7 @@ static int fixup_bpf_calls(struct bpf_ve off_reg = issrc ? insn->src_reg : insn->dst_reg; if (isneg) *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); - *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1); + *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
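Review bot: The retrieve_ptr_limit() hunk folds the `- 1` into the limit but adds none of the "subsequent sanity boundary checks" the commit message says this is meant to enable, so the boundary cases now reach the rewrite unchecked: `*ptr_limit = -off - 1;` yields -1 when `off` is 0, and `*ptr_limit = ptr_reg->map_ptr->value_size - off - 1;` yields -1 when `off` equals `value_size`, and both branches still `return 0;`. Given that the message itself notes a mov32 immediate will not sign-extend, either add a check before each `return 0;` that rejects a negative limit, or state in the message that the check is in the following patch of this series so the backport is not applied without it.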
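Review bot: In the fixup_bpf_calls() hunk the meaning of `aux->alu_limit` changes (it is now the largest permitted offset rather than the value one past it), but nothing documents that at the consumer: a reader of `*patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit);` can no longer see from this site that the immediate already has the decrement applied. Add a one-line comment here or at the definition of `alu_limit` saying the stored value is the maximum allowed offset, and confirm that every writer of `aux->alu_limit` goes through retrieve_ptr_limit(), since any other producer of that field would now be off by one.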