Received: by 2002:a05:6520:2586:b029:fa:41f3:c225 with SMTP id u6csp869117lky; Thu, 10 Jun 2021 13:03:38 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwINsCzklG08l3FeClBBHiMR2f79W2pFvjUM1xfmb/+KrGoR4xunKrA8dE0VOtByHMMuvue X-Received: by 2002:a17:906:dc43:: with SMTP id yz3mr268389ejb.323.1623355418676; Thu, 10 Jun 2021 13:03:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1623355418; cv=none; d=google.com; s=arc-20160816; b=sLaE4zvRGKEBRiQKqvfmKE4wMgLa9u0YBlQonqJK2yBMddCi1668UL6r4wzivVD1hR YUvIpke16QXIJO/BLN4C1vWgMmoqLUGTYK5QwDfbAjNI9weveXfN+WOTfCP+gUAAONzd lB47jyGRzkzg8c03aDTBw5ZpLd8txXZoUoQlPObSBOqkDwQm02KGfib0/mIexePrCJ4n Xb7y/1I13KsochBTO0TJqWH3vdoM9E1JuQ939N7eNojGBeKNdhr78Bpg1n0ofn2EYZwU K7kH4mwQBiYKfgpQOWew6DrBVGHgmz8PHMbj21jIMjSZWxYqL6YtDqLcmky+ilApSl0Q Dr7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=VcQcVK1muxZfeixLAT70inWCF+rrO79FtgsqXLLTmhw=; b=IVdGEKIWBarFS9rz1SUODZ/6B72A22fXjqwnjiNjBNiqxyIJvJ51In9NDsYHPk6Qll 0o4ImzqLPgq1SlPSKyZ/Ox5ucaHBGS63W2Xba5f3DjKfbXby8aKJlR7Qz/hgCsoZo/5w lau+6c5Wk3F9n1pIiWcEE/pYb654M8uQWkzZyfVRoGQbUS+u5/qrEG2Vv6qXwJ5uKoyD 2lF7Njc2nbhPvbWE8y7c03tPbaqx8Oxwtup62XMvmp1q1thylAHICmTItH0SWarzCJAU Oco1j2H+V00MhSH7bF6a/itZ0WO1WMFXOjlfml5WZ2s05qqqFOWEGFF9FIhX2bhuHNBq PVlQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=it1PG+R5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z13si3018066edb.205.2021.06.10.13.03.14; Thu, 10 Jun 2021 13:03:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=it1PG+R5; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230255AbhFJUCo (ORCPT + 99 others); Thu, 10 Jun 2021 16:02:44 -0400 Received: from mail.kernel.org ([198.145.29.99]:36206 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230188AbhFJUCn (ORCPT ); Thu, 10 Jun 2021 16:02:43 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 2DAEC613F1; Thu, 10 Jun 2021 20:00:46 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1623355247; bh=ZbRvzCT7wna4OsitGKZ+uEppwjq/LPjh5F/SwhxsvIw=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=it1PG+R5MO443wIpHpOu52Wp7/yNhdoVxG8Ar5iSyJLybhL0qRCWf+X1Js86t3GNz 9X2d4POr6Z8djOs42/VuoWMyLaM3oTyaagYIzVmMRiM7EiynqhPxtfyTZqbFMR1rvo fxTtwWzLdXGGd+h9Rw06HuGpDATp4XLAcGwL6Je4gcJi8HU7Kpfs3Fm6l+jXisE8il I5SEZkaU3f/ZVbStLDvmwkO9oufSpN5FVnVmz4VCS5oEhuC4mJyGn3NidjN3qS32Zv DafKhl5qLVDFD/Ly7Wl6shQjosw6s8FsamH/AE+KynX1+5FNSagLp0VOQNAsTO+ceQ UCtSRuWwEEtsA== Date: Thu, 10 Jun 2021 13:00:44 -0700 From: Eric Biggers To: Alexei Starovoitov Cc: Kees Cook , Yonghong Song , Dmitry Vyukov , Kurt Manucredo , syzbot+bed360704c521841c85d@syzkaller.appspotmail.com, Andrii Nakryiko , Alexei Starovoitov , bpf , Daniel Borkmann , "David S. Miller" , Jesper Dangaard Brouer , John Fastabend , Martin KaFai Lau , KP Singh , Jakub Kicinski , LKML , Network Development , Song Liu , syzkaller-bugs , nathan@kernel.org, Nick Desaulniers , Clang-Built-Linux ML , linux-kernel-mentees@lists.linuxfoundation.org, Shuah Khan , Greg Kroah-Hartman , Kernel Hardening , kasan-dev Subject: Re: [PATCH v4] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run Message-ID: References: <87609-531187-curtm@phaethon> <6a392b66-6f26-4532-d25f-6b09770ce366@fb.com> <202106091119.84A88B6FE7@keescook> <752cb1ad-a0b1-92b7-4c49-bbb42fdecdbe@fb.com> <1aaa2408-94b9-a1e6-beff-7523b66fe73d@fb.com> <202106101002.DF8C7EF@keescook> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 10, 2021 at 10:52:37AM -0700, Alexei Starovoitov wrote: > On Thu, Jun 10, 2021 at 10:06 AM Kees Cook wrote: > > > > > > I guess the main question: what should happen if a bpf program writer > > > > does _not_ use compiler nor check_shl_overflow()? > > > > I think the BPF runtime needs to make such actions defined, instead of > > doing a blind shift. It needs to check the size of the shift explicitly > > when handling the shift instruction. > > Such ideas were brought up in the past and rejected. > We're not going to sacrifice performance to make behavior a bit more > 'defined'. CPUs are doing it deterministically. What CPUs do is not the whole story. The compiler can assume that the shift amount is less than the width and use that assumption in other places, resulting in other things being miscompiled. Couldn't you just AND the shift amounts with the width minus 1? That would make the shifts defined, and the compiler would optimize out the AND on any CPU that interprets the shift amounts modulo the width anyway (e.g., x86). - Eric