From: Hao Sun
Date: Wed, 1 Nov 2023 10:52:52 +0100
Subject: Re: bpf: shift-out-of-bounds in tnum_rshift()
To: Andrii Nakryiko
Cc: Eduard Zingerman, Alexei Starovoitov, Daniel Borkmann, John Fastabend, Andrii Nakryiko, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Hao Luo, Jiri Olsa, bpf, Linux Kernel Mailing List

On Fri, Oct 27, 2023 at 7:51 PM Andrii Nakryiko wrote:
>
> On Wed, Oct 25, 2023 at 10:34 AM Eduard Zingerman wrote:
> >
> > On Tue, 2023-10-24 at 14:40 +0200, Hao Sun wrote:
> > > Hi,
> > >
> > > The following program can trigger a shift-out-of-bounds in
> > > tnum_rshift(), called by scalar32_min_max_rsh():
> > >
> > > 0: (bc) w0 = w1
> > > 1: (bf) r2 = r0
> > > 2: (18) r3 = 0xd
> > > 4: (bc) w4 = w0
> > > 5: (bf) r5 = r0
> > > 6: (bf) r7 = r3
> > > 7: (bf) r8 = r4
> > > 8: (2f) r8 *= r5
> > > 9: (cf) r5 s>>= r5
> > > 10: (a6) if w8 < 0xfffffffb goto pc+10
> > > 11: (1f) r7 -= r5
> > > 12: (71) r6 = *(u8 *)(r1 +17)
> > > 13: (5f) r3 &= r8
> > > 14: (74) w2 >>= 30
> > > 15: (1f) r7 -= r5
> > > 16: (5d) if r8 != r6 goto pc+4
> > > 17: (c7) r8 s>>= 5
> > > 18: (cf) r0 s>>= r0
> > > 19: (7f) r0 >>= r0
> > > 20: (7c) w5 >>= w8 # shift-out-bounds here
> > > 21: exit
> >
> > Here is a simplified example:
> >
> > SEC("?tp")
> > __success __retval(0)
> > __naked void large_shifts(void)
> > {
> >         asm volatile ("                                 \
> >         call %[bpf_get_prandom_u32];                    \n\
> >         r8 = r0;                                        \n\
> >         r6 = r0;                                        \n\
> >         r6 &= 0xf;                                      \n\
> >         if w8 < 0xffffffff goto +2;                     \n\
> >         if r8 != r6 goto +1;                            \n\
> >         w0 >>= w8; /* shift-out-bounds here */          \n\
> >         exit;                                           \n\
> > "       :
> >         : __imm(bpf_get_prandom_u32)
> >         : __clobber_all);
> > }
> >
>
> With my changes the verifier does correctly derive that r8 != r6 will
> always happen, and thus skips w0 >>= w8. But the test itself with
> __retval(0) is not a valid test, so it would be good to construct
> something that will correctly return 0 at runtime (or use some other
> check). So I won't put this test into my patch set and will leave it as
> a follow up for someone.

A similar issue can be triggered after your patch for JNE/JEQ. For the
following case, the verifier would shift out of bounds:

// 0: r0 = -2
BPF_MOV64_IMM(BPF_REG_0, -2),
// 1: r0 /= 1
BPF_ALU64_IMM(BPF_DIV, BPF_REG_0, 1),
// 2: r8 = r0
BPF_MOV64_REG(BPF_REG_8, BPF_REG_0),
// 3: if w8 != 0xfffffffe goto+4
BPF_JMP32_IMM(BPF_JNE, BPF_REG_8, 0xfffffffe, 4),
// 4: if r8 s> 0xd goto+3
BPF_JMP_IMM(BPF_JSGT, BPF_REG_8, 0xd, 3),
// 5: r4 = 0x2
BPF_MOV64_IMM(BPF_REG_4, 0x2),
// 6: if r8 s<= r4 goto+1
BPF_JMP_REG(BPF_JSLE, BPF_REG_8, BPF_REG_4, 1),
// 7: w8 s>>= w0 # shift out of bound here
BPF_ALU32_REG(BPF_ARSH, BPF_REG_8, BPF_REG_0),
// 8: exit
BPF_EXIT_INSN(),

-------- Verifier Log --------
func#0 @0
0: R1=ctx(off=0,imm=0) R10=fp0
0: (b7) r0 = -2                       ; R0_w=-2
1: (37) r0 /= 1                       ; R0_w=scalar()
2: (bf) r8 = r0                       ; R0_w=scalar(id=1) R8_w=scalar(id=1)
3: (56) if w8 != 0xfffffffe goto pc+4 ; R8_w=scalar(id=1,smin=-9223372032559808514,smax=9223372036854775806,umin=umin32=4294967294,umax=18446744073709551614,smin32=-2,smax32=-2,umax32=4294967294,var_off=(0xfffffffe; 0xffffffff00000000))
4: (65) if r8 s> 0xd goto pc+3        ; R8_w=scalar(id=1,smin=-9223372032559808514,smax=13,umin=umin32=4294967294,umax=18446744073709551614,smin32=-2,smax32=-2,umax32=4294967294,var_off=(0xfffffffe; 0xffffffff00000000))
5: (b7) r4 = 2                        ; R4_w=2
6: (dd) if r8 s<= r4 goto pc+1        ; R4_w=2 R8_w=4294967294
7: (cc) w8 s>>= w0                    ; R0=4294967294 R8=4294967295
8: (95) exit

Here, after #6, reg range is incorrect, seems to be an issue in JSLE case
in is_branch_taken(). Is this issue fixed in your patch series?

> But here's the log for anyone curious:
>
> VERIFIER LOG:
> =============
> func#0 @0
> 0: R1=ctx(off=0,imm=0) R10=fp0
> ; asm volatile ("                                 \
> 0: (85) call bpf_get_prandom_u32#7    ; R0_w=scalar()
> 1: (bf) r8 = r0                       ; R0_w=scalar(id=1) R8_w=scalar(id=1)
> 2: (bf) r6 = r0                       ; R0_w=scalar(id=1) R6_w=scalar(id=1)
> 3: (57) r6 &= 15                      ; R6_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf))
> 4: (a6) if w8 < 0xffffffff goto pc+2  ; R8_w=scalar(id=1,smin=-9223372032559808513,umin=umin32=4294967295,smin32=-1,smax32=-1,var_off=(0xffffffff; 0xffffffff00000000))
> 5: (5d) if r8 != r6 goto pc+1
> mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
> mark_precise: frame0: regs=r0,r8 stack= before 4: (a6) if w8 < 0xffffffff goto pc+2
> mark_precise: frame0: regs=r0,r8 stack= before 3: (57) r6 &= 15
> mark_precise: frame0: regs=r0,r8 stack= before 2: (bf) r6 = r0
> mark_precise: frame0: regs=r0,r8 stack= before 1: (bf) r8 = r0
> mark_precise: frame0: regs=r0 stack= before 0: (85) call bpf_get_prandom_u32#7
> mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
> mark_precise: frame0: regs=r6 stack= before 4: (a6) if w8 < 0xffffffff goto pc+2
> mark_precise: frame0: regs=r6 stack= before 3: (57) r6 &= 15
> mark_precise: frame0: regs=r6 stack= before 2: (bf) r6 = r0
> mark_precise: frame0: regs=r0 stack= before 1: (bf) r8 = r0
> mark_precise: frame0: regs=r0 stack= before 0: (85) call bpf_get_prandom_u32#7
> 5: R6_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf)) R8_w=scalar(id=1,smin=-9223372032559808513,umin=umin32=4294967295,smin32=-1,smax32=-1,var_off=(0xffffffff; 0xffffffff00000000))
> 7: (95) exit
>
> from 4 to 7: R0=scalar(id=1,smax=9223372036854775806,umax=18446744073709551614,umax32=4294967294) R6=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf)) R8=scalar(id=1,smax=9223372036854775806,umax=18446744073709551614,umax32=4294967294) R10=fp0
> 7: R0=scalar(id=1,smax=9223372036854775806,umax=18446744073709551614,umax32=4294967294) R6=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf)) R8=scalar(id=1,smax=9223372036854775806,umax=18446744073709551614,umax32=4294967294) R10=fp0
> 7: (95) exit
> processed 8 insns (limit 1000000) max_states_per_insn 0 total_states 1
> peak_states 1 mark_read 1
> =============
>
> at insn #4, simulating a FALSE condition, verifier knows that r6 is
> [0, 15], while w8 is exactly 0xffffffff, so at insn #5 it can tell
> that 0xffffffff can never be equal to a value in [0, 15] range, and
> thus skips the shift instruction.
>
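The two pieces of verifier reasoning this thread turns on, as a constructed C model added here (not kernel code and not from any participant): the tnum right shift that must never see a count of 64 or more, the range a 32-bit shift count has to satisfy before the scalar32_min_max_rsh() derivation uses it, and the disjoint-range argument that proves "if r8 != r6" always taken in the simplified example. The struct and function names are mine; the register values in the test come from the logs above.

```c
/* Constructed model, not kernel code. A tnum is a (value, mask) pair
 * whose mask bits are unknown; reg32 holds one register's 32-bit bounds. */
#include <stdbool.h>
#include <stdint.h>

struct tnum { uint64_t value, mask; };
struct reg32 { uint32_t umin, umax; struct tnum var_off; };

/* tnum_rshift() does no range check of its own; a count of 64 or more is
 * undefined in C (the reported shift-out-of-bounds), so refuse it here. */
static bool tnum_rshift_checked(struct tnum a, uint32_t shift, struct tnum *out)
{
	if (shift >= 64)
		return false;
	out->value = a.value >> shift;
	out->mask = a.mask >> shift;
	return true;
}

/* "if w_a != w_b" is always taken when the 32-bit ranges are disjoint or
 * the tnums disagree on a bit both know: w8 == 0xffffffff vs r6 in [0, 15]
 * is how the fixed verifier skips the shift in the simplified example. */
static bool jne32_always_taken(struct reg32 a, struct reg32 b)
{
	uint32_t known_both = ~(uint32_t)(a.var_off.mask | b.var_off.mask);
	uint32_t diff = (uint32_t)a.var_off.value ^ (uint32_t)b.var_off.value;
	if (a.umin > b.umax || b.umin > a.umax)
		return true;
	return (diff & known_both) != 0;
}

/* Precondition for "w_dst >>= w_src": a guard on umax alone misses a range
 * left inconsistent (umin > umax) by a wrong branch, and umin is the count
 * that reaches tnum_rshift(). Require umin <= umax and a count below 32. */
static bool rsh32_src_ok(struct reg32 src)
{
	return src.umin <= src.umax && src.umax < 32;
}

/* Bound derivation of scalar32_min_max_rsh() behind the stronger check:
 * smallest value shifted by the largest count, and vice versa. */
static bool scalar32_rsh(struct reg32 *dst, struct reg32 src)
{
	struct tnum subreg = { (uint32_t)dst->var_off.value, (uint32_t)dst->var_off.mask };
	if (!rsh32_src_ok(src) || !tnum_rshift_checked(subreg, src.umin, &dst->var_off))
		return false;
	dst->umin >>= src.umax;
	dst->umax >>= src.umin;
	return true;
}
```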