Received: by 2002:a05:7412:419a:b0:f3:1519:9f41 with SMTP id i26csp4360921rdh;
        Tue, 28 Nov 2023 21:43:21 -0800 (PST)
X-Google-Smtp-Source: AGHT+IG8smfFDxo4sVLGZ5Zdy0FCmosoTMAQmj851Nn5M6u2hE5ZgOvkA4vwsw1squbdCNkWdfLD
X-Received: by 2002:a05:6870:4c15:b0:1fa:20ee:6a17 with SMTP id pk21-20020a0568704c1500b001fa20ee6a17mr18993588oab.14.1701236600948;
        Tue, 28 Nov 2023 21:43:20 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1701236600; cv=none;
        d=google.com; s=arc-20160816;
        b=ZtG8us5LxnJjlnNoJEXowtPhKHd+pImvFRbEPkT/gibSmL1GUeWrobBodh3D9xb15J
         xFvAmL9eU07fGxJ+A09Adfpe11DxFeN+vi9IrmT5zDE5Oy9hf86QRuERI1UyF57jxi6L
         VuR0Q9Nw0howe+AnHIVTu/950ws9MhglIqe36S9i4q0iEmsYMuXvF9wNGncSD5jhGDtK
         fuhJMbLUL26qrpA0fAA1zG3hHSyV87XRRVpdGB+srDGa9HUzuSyXaBOqGW1H9Pk/HCde
         990bgZ0x4oXt0bXFLzEDUnF/cJqhpS/Mm7rnMuWapO317H/m5HzWg4/9sJtgdp4rwkAv
         WKKA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:cc:to:subject
         :message-id:date:from:in-reply-to:references:mime-version
         :dkim-signature;
        bh=0ah39K3mdJLfvpMeUTfIZFBYmO5pc4KH9lUCedS23RE=;
        fh=s7uMTih8k99JCtXQo5QU3wnDL7TxmSdJNPP9j9RZEwA=;
        b=iBNOqc6tnf41Gtd/U+nSd/30t5TdJu82gk95Bb2x9zkx4Fq4cusvEWeea3coiI/7Io
         GROk0xz8y6J83olgdF8HJoVx1u7whYiEOUNhS2jHD2zvwzIocG+Zhp6rCa/aVSNch0r1
         aKjPLv4/ejBUM396TGggM7bIceGm23QJSh9rc08cSuvlkS3q7bnvkDvfvWAtdn+o/hyi
         Vvh3KsWzN2joLAi2TNbXVOY3weT3DiiEVUQISYmvEHbbPeIbn1vyj0DJSWBhPpsPGUfs
         ldAIp1xJl01qQrepxQqsS12jR8yi3VH5PqDqQg68MUIZKePAHQV3W7hBdxkt3QAN3Po6
         GOzA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=B1Wh97wm;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from fry.vger.email (fry.vger.email. [23.128.96.38])
        by mx.google.com with ESMTPS id 34-20020a630d62000000b005bddca8236dsi13789750pgn.699.2023.11.28.21.43.20
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Tue, 28 Nov 2023 21:43:20 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) client-ip=23.128.96.38;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=B1Wh97wm;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.38 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
	by fry.vger.email (Postfix) with ESMTP id 0490A80A64C7;
	Tue, 28 Nov 2023 21:43:18 -0800 (PST)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.11 at fry.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1376936AbjK2FnD (ORCPT <rfc822;aadipersonal10@gmail.com>
        + 99 others); Wed, 29 Nov 2023 00:43:03 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39966 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229563AbjK2FnC (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 29 Nov 2023 00:43:02 -0500
Received: from mail-lf1-x133.google.com (mail-lf1-x133.google.com [IPv6:2a00:1450:4864:20::133])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6AB411AE;
        Tue, 28 Nov 2023 21:43:08 -0800 (PST)
Received: by mail-lf1-x133.google.com with SMTP id 2adb3069b0e04-50bc57d81f4so263848e87.2;
        Tue, 28 Nov 2023 21:43:08 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1701236586; x=1701841386; darn=vger.kernel.org;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:from:to:cc:subject:date
         :message-id:reply-to;
        bh=0ah39K3mdJLfvpMeUTfIZFBYmO5pc4KH9lUCedS23RE=;
        b=B1Wh97wmNPILD3CtS3iZPuvQFKGiKTg+d1RNeQFwA4wE80A10nuyYwtJjvA602X2Nw
         VSqxa6SslhQdUnYhVd2pfwHRkXxXqEfFldnEhkScGrYS0KAqfvezEUUwEetgCxoNCaop
         Z5YtP6P+PLYeXr36LfAMoo7fZnSIy/pgUxXNOp8AzDV6qf4mw8ma9ZAlol0l0UhxVCZG
         2ayK//sLKOX3OGvt8ADkA2Bt2d2kAS0LRLpUYLCQwroHvEXdUsmftcBU6xzW6d5FtEBL
         1PJG8g20CJc+rcAcYyOp3FNwdxqo7pbVkkHI0ynY9a/dw9eSpgNsmduHIpOMic9yokyy
         9Nnw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1701236586; x=1701841386;
        h=content-transfer-encoding:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc
         :subject:date:message-id:reply-to;
        bh=0ah39K3mdJLfvpMeUTfIZFBYmO5pc4KH9lUCedS23RE=;
        b=UYtAZFCCmYk52WSzZRsB6iu4/6dFZ3F6+QdUgbeXLy9Wvwy+Nyvv8DcxIitJwWAQWd
         XmS8Mm6ftLZLUkouoNYxV4iiSSmRZ5SFBgx7PnBjjiSmiq0n0yB12gnaGLlfOV0KUlK1
         0fizJyX6XmcvRmfoPsHzD0ZmHpMgjg505G9wSx22wvh300BxGjPKw2CqIYrkO3PV69I8
         dPVbR7mTaYErcZ9JPcwv4d9ZGjISM7gMv/xoWk2PhDftP60txYKAqgSOfV4ZVrl4QJkV
         +80v3tzYDsPqQI/QbmOTRojPiPl6UUytfumAHiDIcdYr4mDuEZUBBkT/4mixiPK2HjaO
         Bikg==
X-Gm-Message-State: AOJu0YwewKHW4mEa8W77ujPhpSG7aG0qzYzuNaqgCiiqDM8LRl10fiHX
        YJNZ4Su2ht91gZiCWxFaIlne2fXfjVG9344nkECcyKBp
X-Received: by 2002:a05:6512:108c:b0:507:9f4c:b72 with SMTP id
 j12-20020a056512108c00b005079f4c0b72mr13521196lfg.15.1701236586282; Tue, 28
 Nov 2023 21:43:06 -0800 (PST)
MIME-Version: 1.0
References: <CACkBjsaecr+VjmfOHzaMbiei5G3WMDjvjp4kZVE79Bn8ib1-Rg@mail.gmail.com>
In-Reply-To: <CACkBjsaecr+VjmfOHzaMbiei5G3WMDjvjp4kZVE79Bn8ib1-Rg@mail.gmail.com>
From:   Andrii Nakryiko <andrii.nakryiko@gmail.com>
Date:   Tue, 28 Nov 2023 21:42:52 -0800
Message-ID: <CAEf4BzYVRwpP6TbXdJeFwMot80FodexyOk2_Y9H2tsJC-3FBUA@mail.gmail.com>
Subject: Re: [Bug Report] bpf: reg invariant voilation after JSLE
To:     Hao Sun <sunhao.th@gmail.com>
Cc:     Andrii Nakryiko <andrii@kernel.org>,
        Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>,
        John Fastabend <john.fastabend@gmail.com>,
        Martin KaFai Lau <martin.lau@linux.dev>,
        Song Liu <song@kernel.org>,
        Yonghong Song <yonghong.song@linux.dev>,
        KP Singh <kpsingh@kernel.org>,
        Stanislav Fomichev <sdf@google.com>,
        Jiri Olsa <jolsa@kernel.org>, bpf <bpf@vger.kernel.org>,
        Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE,
	SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no
	version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Tue, 28 Nov 2023 21:43:18 -0800 (PST)

On Tue, Nov 21, 2023 at 7:08=E2=80=AFAM Hao Sun <sunhao.th@gmail.com> wrote=
:
>
> Hi,
>
> The following program (reduced) breaks reg invariant:
>
> C Repro: https://pastebin.com/raw/SRQJYx91
>
> -------- Verifier Log --------
> func#0 @0
> 0: R1=3Dctx() R10=3Dfp0
> 0: (b7) r0 =3D -2                       ; R0_w=3D-2
> 1: (37) r0 /=3D 1                       ; R0_w=3Dscalar()
> 2: (bf) r8 =3D r0                       ; R0_w=3Dscalar(id=3D1) R8_w=3Dsc=
alar(id=3D1)
> 3: (56) if w8 !=3D 0xfffffffe goto pc+4         ;
> R8_w=3Dscalar(id=3D1,smin=3D0x80000000fffffffe,smax=3D0x7ffffffffffffffe,=
umin=3Dumin32=3D0xfffffffe,umax=3D0xfffffffffffffffe,smin32=3D-2,smax32=3D-=
2,umax32=3D0xfffffffe,var_off=3D(0xfffffffe;
> 0xffffffff00000000))

this part looks suspicious, I'll take a look a bit later

> 4: (65) if r8 s> 0xd goto pc+3        ;
> R8_w=3Dscalar(id=3D1,smin=3D0x80000000fffffffe,smax=3D13,umin=3Dumin32=3D=
0xfffffffe,umax=3D0xfffffffffffffffe,smin32=3D-2,smax32=3D-2,umax32=3D0xfff=
ffffe,var_off=3D(0xfffffffe;
> 0xffffffff00000000))
> 5: (b7) r4 =3D 2                        ; R4_w=3D2
> 6: (dd) if r8 s<=3D r4 goto pc+1
> REG INVARIANTS VIOLATION (false_reg1): range bounds violation
> u64=3D[0xfffffffe, 0xd] s64=3D[0xfffffffe, 0xd] u32=3D[0xfffffffe, 0xd]
> s32=3D[0x3, 0xfffffffe] var_off=3D(0xfffffffe, 0x0)
> 6: R4_w=3D2 R8_w=3D0xfffffffe
> 7: (cc) w8 s>>=3D w0                    ; R0=3D0xfffffffe R8=3Dscalar()
> 8: (77) r0 >>=3D 32                     ; R0_w=3D0
> 9: (57) r0 &=3D 1                       ; R0_w=3D0
> 10: (95) exit
>
> from 6 to 8: safe
>
> from 4 to 8: safe
>
> from 3 to 8: safe
> processed 14 insns (limit 1000000) max_states_per_insn 0 total_states
> 1 peak_states 1 mark_read 1
>
>
> Besides, the verifier enforces the return value of some prog types to
> be zero, the bug may lead to programs with arbitrary values loaded.

Generally speaking, if the verifier reports "REG INVARIANTS VIOLATION"
warning above, it doesn't necessarily mean that verifier has some bug.
We do know that in some conditions verifier doesn't detect conditions
that *will not* be taken, and in such cases we might get reg
invariants violation. But in such case verifier will revert to
conservative unknown scalar state, which is correct, even if
potentially unnecessarily pessimistic.

>
> Best
> Hao Sun