Received: by 2002:a05:6520:2586:b029:fa:41f3:c225 with SMTP id u6csp869117lky;
        Thu, 10 Jun 2021 13:03:38 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJwINsCzklG08l3FeClBBHiMR2f79W2pFvjUM1xfmb/+KrGoR4xunKrA8dE0VOtByHMMuvue
X-Received: by 2002:a17:906:dc43:: with SMTP id yz3mr268389ejb.323.1623355418676;
        Thu, 10 Jun 2021 13:03:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1623355418; cv=none;
        d=google.com; s=arc-20160816;
        b=sLaE4zvRGKEBRiQKqvfmKE4wMgLa9u0YBlQonqJK2yBMddCi1668UL6r4wzivVD1hR
         YUvIpke16QXIJO/BLN4C1vWgMmoqLUGTYK5QwDfbAjNI9weveXfN+WOTfCP+gUAAONzd
         lB47jyGRzkzg8c03aDTBw5ZpLd8txXZoUoQlPObSBOqkDwQm02KGfib0/mIexePrCJ4n
         Xb7y/1I13KsochBTO0TJqWH3vdoM9E1JuQ939N7eNojGBeKNdhr78Bpg1n0ofn2EYZwU
         K7kH4mwQBiYKfgpQOWew6DrBVGHgmz8PHMbj21jIMjSZWxYqL6YtDqLcmky+ilApSl0Q
         Dr7A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature;
        bh=VcQcVK1muxZfeixLAT70inWCF+rrO79FtgsqXLLTmhw=;
        b=IVdGEKIWBarFS9rz1SUODZ/6B72A22fXjqwnjiNjBNiqxyIJvJ51In9NDsYHPk6Qll
         0o4ImzqLPgq1SlPSKyZ/Ox5ucaHBGS63W2Xba5f3DjKfbXby8aKJlR7Qz/hgCsoZo/5w
         lau+6c5Wk3F9n1pIiWcEE/pYb654M8uQWkzZyfVRoGQbUS+u5/qrEG2Vv6qXwJ5uKoyD
         2lF7Njc2nbhPvbWE8y7c03tPbaqx8Oxwtup62XMvmp1q1thylAHICmTItH0SWarzCJAU
         Oco1j2H+V00MhSH7bF6a/itZ0WO1WMFXOjlfml5WZ2s05qqqFOWEGFF9FIhX2bhuHNBq
         PVlQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=it1PG+R5;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id z13si3018066edb.205.2021.06.10.13.03.14;
        Thu, 10 Jun 2021 13:03:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=k20201202 header.b=it1PG+R5;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230255AbhFJUCo (ORCPT <rfc822;lyj496332184@gmail.com>
        + 99 others); Thu, 10 Jun 2021 16:02:44 -0400
Received: from mail.kernel.org ([198.145.29.99]:36206 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S230188AbhFJUCn (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 10 Jun 2021 16:02:43 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id 2DAEC613F1;
        Thu, 10 Jun 2021 20:00:46 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=k20201202; t=1623355247;
        bh=ZbRvzCT7wna4OsitGKZ+uEppwjq/LPjh5F/SwhxsvIw=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=it1PG+R5MO443wIpHpOu52Wp7/yNhdoVxG8Ar5iSyJLybhL0qRCWf+X1Js86t3GNz
         9X2d4POr6Z8djOs42/VuoWMyLaM3oTyaagYIzVmMRiM7EiynqhPxtfyTZqbFMR1rvo
         fxTtwWzLdXGGd+h9Rw06HuGpDATp4XLAcGwL6Je4gcJi8HU7Kpfs3Fm6l+jXisE8il
         I5SEZkaU3f/ZVbStLDvmwkO9oufSpN5FVnVmz4VCS5oEhuC4mJyGn3NidjN3qS32Zv
         DafKhl5qLVDFD/Ly7Wl6shQjosw6s8FsamH/AE+KynX1+5FNSagLp0VOQNAsTO+ceQ
         UCtSRuWwEEtsA==
Date:   Thu, 10 Jun 2021 13:00:44 -0700
From:   Eric Biggers <ebiggers@kernel.org>
To:     Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc:     Kees Cook <keescook@chromium.org>, Yonghong Song <yhs@fb.com>,
        Dmitry Vyukov <dvyukov@google.com>,
        Kurt Manucredo <fuzzybritches0@gmail.com>,
        syzbot+bed360704c521841c85d@syzkaller.appspotmail.com,
        Andrii Nakryiko <andrii@kernel.org>,
        Alexei Starovoitov <ast@kernel.org>, bpf <bpf@vger.kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        "David S. Miller" <davem@davemloft.net>,
        Jesper Dangaard Brouer <hawk@kernel.org>,
        John Fastabend <john.fastabend@gmail.com>,
        Martin KaFai Lau <kafai@fb.com>,
        KP Singh <kpsingh@kernel.org>,
        Jakub Kicinski <kuba@kernel.org>,
        LKML <linux-kernel@vger.kernel.org>,
        Network Development <netdev@vger.kernel.org>,
        Song Liu <songliubraving@fb.com>,
        syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
        nathan@kernel.org, Nick Desaulniers <ndesaulniers@google.com>,
        Clang-Built-Linux ML <clang-built-linux@googlegroups.com>,
        linux-kernel-mentees@lists.linuxfoundation.org,
        Shuah Khan <skhan@linuxfoundation.org>,
        Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        Kernel Hardening <kernel-hardening@lists.openwall.com>,
        kasan-dev <kasan-dev@googlegroups.com>
Subject: Re: [PATCH v4] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run
Message-ID: <YMJvbGEz0xu9JU9D@gmail.com>
References: <87609-531187-curtm@phaethon>
 <6a392b66-6f26-4532-d25f-6b09770ce366@fb.com>
 <CAADnVQKexxZQw0yK_7rmFOdaYabaFpi2EmF6RGs5bXvFHtUQaA@mail.gmail.com>
 <CACT4Y+b=si6NCx=nRHKm_pziXnVMmLo-eSuRajsxmx5+Hy_ycg@mail.gmail.com>
 <202106091119.84A88B6FE7@keescook>
 <752cb1ad-a0b1-92b7-4c49-bbb42fdecdbe@fb.com>
 <CACT4Y+a592rxFmNgJgk2zwqBE8EqW1ey9SjF_-U3z6gt3Yc=oA@mail.gmail.com>
 <1aaa2408-94b9-a1e6-beff-7523b66fe73d@fb.com>
 <202106101002.DF8C7EF@keescook>
 <CAADnVQKMwKYgthoQV4RmGpZm9Hm-=wH3DoaNqs=UZRmJKefwGw@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CAADnVQKMwKYgthoQV4RmGpZm9Hm-=wH3DoaNqs=UZRmJKefwGw@mail.gmail.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Jun 10, 2021 at 10:52:37AM -0700, Alexei Starovoitov wrote:
> On Thu, Jun 10, 2021 at 10:06 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > > > I guess the main question: what should happen if a bpf program writer
> > > > does _not_ use compiler nor check_shl_overflow()?
> >
> > I think the BPF runtime needs to make such actions defined, instead of
> > doing a blind shift. It needs to check the size of the shift explicitly
> > when handling the shift instruction.
> 
> Such ideas were brought up in the past and rejected.
> We're not going to sacrifice performance to make behavior a bit more
> 'defined'. CPUs are doing it deterministically.

What CPUs do is not the whole story.  The compiler can assume that the shift
amount is less than the width and use that assumption in other places, resulting
in other things being miscompiled.

Couldn't you just AND the shift amounts with the width minus 1?  That would make
the shifts defined, and the compiler would optimize out the AND on any CPU that
interprets the shift amounts modulo the width anyway (e.g., x86).

- Eric