From: Hao Sun
Date: Wed, 25 Oct 2023 11:16:34 +0200
Subject: bpf: incorrect value spill in check_stack_write_fixed_off()
To: Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa
Cc: bpf, Linux Kernel Mailing List
Hi,

In check_stack_write_fixed_off(), the verifier creates a fake reg to store the imm in a BPF_ST_MEM:

    ...
    else if (!reg && !(off % BPF_REG_SIZE) && is_bpf_st_mem(insn) &&
             insn->imm != 0 && env->bpf_capable) {
            struct bpf_reg_state fake_reg = {};

            __mark_reg_known(&fake_reg, (u32)insn->imm);
            fake_reg.type = SCALAR_VALUE;
            save_register_state(state, spi, &fake_reg, size);

Here, insn->imm is cast to u32 and used to mark fake_reg, which is incorrect and may lose sign information. Consider the following program:

    r2 = r10
    *(u64*)(r2 -40) = -44
    r0 = *(u64*)(r2 - 40)
    if r0 s<= 0xa goto +2
    r0 = 0
    exit
    r0 = 1
    exit

The verifier gives the following log:

    -------- Verifier Log --------
    func#0 @0
    0: R1=ctx(off=0,imm=0) R10=fp0
    0: (bf) r2 = r10                      ; R2_w=fp0 R10=fp0
    1: (7a) *(u64 *)(r2 -40) = -44        ; R2_w=fp0 fp-40_w=4294967252
    2: (79) r0 = *(u64 *)(r2 -40)         ; R0_w=4294967252 R2_w=fp0 fp-40_w=4294967252
    3: (c5) if r0 s< 0xa goto pc+2
    mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1
    mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40)
    3: R0_w=4294967252
    4: (b7) r0 = 1                        ; R0_w=1
    5: (95) exit
    verification time 7971 usec
    stack depth 40
    processed 6 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0

Here, the verifier incorrectly thinks R0 is 0xffffffd4, which should be 0xffffffffffffffd4, due to the u32 cast in check_stack_write_fixed_off(). This makes the verifier collect an incorrect reg scalar range. Since insn->imm is i32, we should cast it to the signed integer with the correct size according to BPF_MEM, then promote the imm to u64 to mark the fake reg as known, right?

Best
Hao
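As an added illustration (not code from the report above and not the kernel's own code), the following C program models the two ways the spilled immediate can be turned into a known 64-bit value: the `(u32)` truncation quoted in the report, and a sign-extending conversion for the 8-byte store. It then derives the verdict a verifier would draw for the `if r0 s< 0xa` branch from each value and compares it with what the interpreter actually does for `*(u64 *)(r2 - 40) = -44; r0 = *(u64 *)(r2 - 40)`. `struct known_scalar`, `mark_known()` and the other function names are hypothetical names chosen for this example; `mark_known()` only mirrors the bounds that `__mark_reg_known()` collapses onto a known value, and the branch verdict stands in for the kernel's `is_branch_taken()` logic for the fully known case.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/*
 * Teaching model of the verifier bookkeeping involved in the report.
 * struct known_scalar and the functions below are hypothetical names for
 * this example; they mirror the bounds that __mark_reg_known() sets for a
 * fully known scalar but are not the kernel's struct bpf_reg_state.
 */
struct known_scalar {
    uint64_t value;            /* tnum const part: the value itself */
    int64_t  smin, smax;       /* signed 64-bit bounds */
    uint64_t umin, umax;       /* unsigned 64-bit bounds */
    int32_t  s32_min, s32_max; /* signed 32-bit sub-register bounds */
    uint32_t u32_min, u32_max; /* unsigned 32-bit sub-register bounds */
};

/* A known value has every bound collapsed onto the value itself
 * (__mark_reg_known() takes a u64, so whatever is passed is already
 * a 64-bit quantity by the time the bounds are set). */
static struct known_scalar mark_known(uint64_t imm)
{
    struct known_scalar r;

    r.value = imm;
    r.smin = r.smax = (int64_t)imm;
    r.umin = r.umax = imm;
    r.s32_min = r.s32_max = (int32_t)imm;
    r.u32_min = r.u32_max = (uint32_t)imm;
    return r;
}

/* Spill as in the reported code: insn->imm (s32) truncated to u32, then
 * zero-extended by the u64 parameter. -44 becomes 0x00000000ffffffd4. */
static uint64_t spilled_value_u32_cast(int32_t imm)
{
    return (uint64_t)(uint32_t)imm;
}

/* Spill for a BPF_DW store that keeps the sign: the s32 imm is sign-extended
 * to 64 bits, which is what the interpreter writes for
 * "*(u64 *)(r10 - 40) = imm". -44 becomes 0xffffffffffffffd4. */
static uint64_t spilled_value_sign_extended(int32_t imm)
{
    return (uint64_t)(int64_t)imm;
}

/* Verdict a verifier draws for "if r0 s< K" from a fully known r0:
 *  1 = always taken, 0 = never taken (the other path is dead code),
 * -1 = unknown. The kernel decides this in is_branch_taken() from
 * the signed bounds; for a known value both bounds coincide. */
static int verifier_jslt_verdict(uint64_t spilled, int64_t k)
{
    struct known_scalar r0 = mark_known(spilled); /* r0 = *(u64 *)(r2 - 40) */

    if (r0.smax < k)
        return 1;
    if (r0.smin >= k)
        return 0;
    return -1; /* bounds straddle K: both branches must be explored */
}

/* Ground truth: what the interpreter does for the same three instructions. */
static int runtime_jslt_taken(int32_t imm, int64_t k)
{
    uint64_t slot = (uint64_t)(int64_t)imm; /* *(u64 *)(r2 - 40) = imm */
    uint64_t r0 = slot;                     /* r0 = *(u64 *)(r2 - 40)  */

    return (int64_t)r0 < k;
}

/* True when the verifier's verdict agrees with what happens at run time. */
static bool verdict_matches_runtime(uint64_t spilled, int32_t imm, int64_t k)
{
    return verifier_jslt_verdict(spilled, k) == runtime_jslt_taken(imm, k);
}

int main(void)
{
    const int32_t imm = -44; /* immediate from the report */
    const int64_t k = 0xa;   /* "if r0 s< 0xa" */
    uint64_t trunc = spilled_value_u32_cast(imm);
    uint64_t sext = spilled_value_sign_extended(imm);

    printf("u32 cast:      fp-40 = %llu (0x%llx), verdict %d, runtime %d\n",
           (unsigned long long)trunc, (unsigned long long)trunc,
           verifier_jslt_verdict(trunc, k), runtime_jslt_taken(imm, k));
    printf("sign-extended: fp-40 = %llu (0x%llx), verdict %d, runtime %d\n",
           (unsigned long long)sext, (unsigned long long)sext,
           verifier_jslt_verdict(sext, k), runtime_jslt_taken(imm, k));
    return 0;
}
```

With the truncating conversion the model marks fp-40 as 4294967252, concludes the `s<` branch can never be taken and so never examines the taken path, while the interpreter loads -44 and does take it; with the sign-extending conversion the verdict and the run-time behaviour agree. That mismatch between the verifier's static view of a value and the value that actually flows through the program is exactly what a verifier must never have, since dead-code and bounds decisions are built on it.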