From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman, Daniel Borkmann, Piotr Krysiuk, Alexei Starovoitov
Subject: [PATCH 4.14 43/47] bpf: No need to simulate speculative domain for immediates
Date: Tue, 8 Jun 2021 20:27:26 +0200
Message-Id: <20210608175931.905528105@linuxfoundation.org>
In-Reply-To: <20210608175930.477274100@linuxfoundation.org>
References: <20210608175930.477274100@linuxfoundation.org>
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org

From: Daniel Borkmann

commit a7036191277f9fa68d92f2071ddc38c09b1e5ee5 upstream.

In 801c6058d14a ("bpf: Fix leakage of uninitialized bpf stack under
speculation") we replaced masking logic with direct loads of immediates
if the register is a known constant. Given in this case we do not apply
any masking, there is also no reason for the operation to be truncated
under the speculative domain.

Therefore, there is also zero reason for the verifier to branch-off and
simulate this case, it only needs to do it for unknown but bounded
scalars. As a side-effect, this also enables a few test cases that were
previously rejected due to simulation under zero truncation.

Signed-off-by: Daniel Borkmann
Reviewed-by: Piotr Krysiuk
Acked-by: Alexei Starovoitov
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2169,8 +2169,12 @@ do_sim: /* If we're in commit phase, we're done here given we already * pushed the truncated dst_reg into the speculative verification * stack. + * + * Also, when register is a known constant, we rewrite register-based + * operation to immediate-based, and thus do not need masking (and as + * a consequence, do not need to simulate the zero-truncation either). */ - if (commit_window) + if (commit_window || off_is_imm) return 0; /* Simulate and find potential out-of-bounds access under
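Review bot: the early return at `if (commit_window || off_is_imm)` is only safe if `off_is_imm` is true exactly when the caller has already rewritten the register-based ALU operation into its immediate-based form, because that is the case in which no masking was applied and there is nothing for the speculative simulation to truncate; the hunk does not show where `off_is_imm` is computed, and since `do_sim:` is a label reached by `goto`, please confirm that the variable is initialized on every path into the label in this 4.14 tree (the upstream change depends on the 801c6058d14a backport having introduced it). It would also help stable readers if the new comment block named the variable it justifies, e.g. "... and thus do not need masking (off_is_imm), and as a consequence ...", so the condition below is self-explanatory.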