From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Piotr Krysiuk, Daniel Borkmann, Alexei Starovoitov
Subject: [PATCH 5.10 05/13] bpf: Simplify alu_limit masking for pointer arithmetic
Date: Fri, 19 Mar 2021 13:19:02 +0100
Message-Id: <20210319121745.279844899@linuxfoundation.org>
X-Mailer: git-send-email 2.31.0
In-Reply-To: <20210319121745.112612545@linuxfoundation.org>
References: <20210319121745.112612545@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Piotr Krysiuk

commit b5871dca250cd391885218b99cc015aca1a51aea upstream.

Instead of having the mov32 with aux->alu_limit - 1 immediate, move this
operation to retrieve_ptr_limit() instead to simplify the logic and to
allow for subsequent sanity boundary checks inside retrieve_ptr_limit().
This avoids in future that at the time of the verifier masking rewrite
we'd run into an underflow which would not sign extend due to the nature
of mov32 instruction.

Signed-off-by: Piotr Krysiuk
Co-developed-by: Daniel Borkmann
Signed-off-by: Daniel Borkmann
Acked-by: Alexei Starovoitov
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5342,16 +5342,16 @@ static int retrieve_ptr_limit(const stru */ off = ptr_reg->off + ptr_reg->var_off.value; if (mask_to_left) - *ptr_limit = MAX_BPF_STACK + off + 1; + *ptr_limit = MAX_BPF_STACK + off; else - *ptr_limit = -off; + *ptr_limit = -off - 1; return 0; case PTR_TO_MAP_VALUE: if (mask_to_left) { - *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1; + *ptr_limit = ptr_reg->umax_value + ptr_reg->off; } else { off = ptr_reg->smin_value + ptr_reg->off; - *ptr_limit = ptr_reg->map_ptr->value_size - off; + *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; } return 0; default: @@ -10946,7 +10946,7 @@ static int fixup_bpf_calls(struct bpf_ve off_reg = issrc ? insn->src_reg : insn->dst_reg; if (isneg) *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); - *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1); + *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
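Review bot: in the retrieve_ptr_limit() hunk, with the `- 1` folded in, `*ptr_limit = -off - 1;` (PTR_TO_STACK) and `*ptr_limit = ptr_reg->map_ptr->value_size - off - 1;` (PTR_TO_MAP_VALUE) can now evaluate to a negative value, namely when off is 0 in the stack branch or when off reaches value_size in the map branch, and every path shown still ends in `return 0;` without rejecting that. The commit message says the move exists to enable sanity boundary checks inside retrieve_ptr_limit(), so the error return for a negative limit should land with this patch or immediately after it; otherwise a wrapped limit is handed to the caller unchanged. A short comment above the assignments noting that the limit is now inclusive (the largest offset still allowed) would also help, since that off-by-one semantic moved silently.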
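Review bot: in the fixup_bpf_calls() hunk, `BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit)` is only correct together with the retrieve_ptr_limit() hunk above, because the `- 1` was moved rather than dropped; backporting either hunk alone shifts the bound by one in one direction or the other. As the commit message notes, BPF_MOV32_IMM zero-extends its 32-bit immediate, so a negative or wrapped alu_limit would become a large positive bound in BPF_REG_AX rather than -1, which is why the bound has to be validated where it is computed and cannot be caught by the SUB/OR/NEG sequence that follows. Stating that invariant in a comment above the mov32 (alu_limit is the largest offset still permitted and has already been checked non-negative) would make the dependency explicit.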
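To make the commit message's point concrete, here is an added C model of the masking sequence fixup_bpf_calls() emits; it is not kernel code and not part of this patch. The trailing arsh-by-63 and and steps, and the bound check that rejects a negative limit, are assumptions, since neither appears in the hunks shown; the model demonstrates why a limit that went negative before truncation becomes a no-op mask once the mov32 zero-extends it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model (not kernel code) of the masking sequence fixup_bpf_calls() emits:
 *   mov32 AX, imm / sub64 AX, off / or64 AX, off / neg64 AX,
 * followed by arsh64 AX, 63 and and64 off, AX (those two are assumed from the
 * verifier source; they are not in the hunk shown).  The mov32 immediate is
 * zero-extended, so imm is always treated as an unsigned 32-bit bound.
 * Result: off is kept when 0 <= off <= imm and replaced by 0 otherwise. */
static int64_t mask_offset(uint32_t imm, int64_t off)
{
    uint64_t ax = imm;                          /* mov32 clears bits 63..32 */
    ax -= (uint64_t)off;                        /* ALU64 wraps modulo 2^64 */
    ax |= (uint64_t)off;
    ax = 0 - ax;                                /* neg */
    int64_t mask = ((int64_t)ax < 0) ? -1 : 0;  /* arsh 63 */
    return off & mask;                          /* and */
}

/* PTR_TO_STACK, mask_to_left == false, before the patch: the limit is -off
 * and the -1 is applied to the truncated u32, so off == 0 yields 0xffffffff. */
static uint32_t imm_before_patch(int64_t stack_off)
{
    return (uint32_t)(-stack_off) - 1;
}

/* After the patch the -1 lives in the signed computation inside
 * retrieve_ptr_limit(), so a bound check there (the check the commit message
 * says this enables; assumed here, not part of this patch) can reject a
 * negative limit before truncation.  Returns false when it would be rejected. */
static bool imm_after_patch(int64_t stack_off, uint32_t *imm)
{
    int64_t limit = -stack_off - 1;
    if (limit < 0)
        return false;
    *imm = (uint32_t)limit;
    return true;
}

int main(void)
{
    uint32_t imm = 0;
    printf("limit 7: off 5 -> %lld, off 9 -> %lld\n",
           (long long)mask_offset(7, 5), (long long)mask_offset(7, 9));
    printf("imm 0x%x from off 0 keeps off 9 as %lld; post-patch check rejects it: %d\n",
           imm_before_patch(0), (long long)mask_offset(imm_before_patch(0), 9),
           !imm_after_patch(0, &imm));
    return 0;
}
```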