From: Hao Sun
Date: Wed, 29 Nov 2023 08:44:14 +0100
Subject: Re: [Bug Report] bpf: reg invariant violation after JSLE
To: Andrii Nakryiko
Cc: Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, John Fastabend, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Jiri Olsa, bpf, Linux Kernel Mailing List

On Wed, Nov 29, 2023 at 6:43 AM Andrii Nakryiko wrote:
>
> On Tue, Nov 21, 2023 at 7:08 AM Hao Sun wrote:
> >
> > Hi,
> >
> > The following program (reduced) breaks reg invariant:
> >
> > C Repro: https://pastebin.com/raw/SRQJYx91
> >
> > -------- Verifier Log --------
> > func#0 @0
> > 0: R1=ctx() R10=fp0
> > 0: (b7) r0 = -2 ; R0_w=-2
> > 1: (37) r0 /= 1 ; R0_w=scalar()
> > 2: (bf) r8 = r0 ; R0_w=scalar(id=1) R8_w=scalar(id=1)
> > 3: (56) if w8 != 0xfffffffe goto pc+4 ;
> > R8_w=scalar(id=1,smin=0x80000000fffffffe,smax=0x7ffffffffffffffe,umin=umin32=0xfffffffe,umax=0xfffffffffffffffe,smin32=-2,smax32=-2,umax32=0xfffffffe,var_off=(0xfffffffe;
> > 0xffffffff00000000))
>
> this part looks suspicious, I'll take a look a bit later
>
> > 4: (65) if r8 s> 0xd goto pc+3 ;
> > R8_w=scalar(id=1,smin=0x80000000fffffffe,smax=13,umin=umin32=0xfffffffe,umax=0xfffffffffffffffe,smin32=-2,smax32=-2,umax32=0xfffffffe,var_off=(0xfffffffe;
> > 0xffffffff00000000))
> > 5: (b7) r4 = 2 ; R4_w=2
> > 6: (dd) if r8 s<= r4 goto pc+1
> > REG INVARIANTS VIOLATION (false_reg1): range bounds violation
> > u64=[0xfffffffe, 0xd] s64=[0xfffffffe, 0xd] u32=[0xfffffffe, 0xd]
> > s32=[0x3, 0xfffffffe] var_off=(0xfffffffe, 0x0)
> > 6: R4_w=2 R8_w=0xfffffffe
> > 7: (cc) w8 s>>= w0 ; R0=0xfffffffe R8=scalar()
> > 8: (77) r0 >>= 32 ; R0_w=0
> > 9: (57) r0 &= 1 ; R0_w=0
> > 10: (95) exit
> >
> > from 6 to 8: safe
> >
> > from 4 to 8: safe
> >
> > from 3 to 8: safe
> > processed 14 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
> >
> >
> > Besides, the verifier enforces the return value of some prog types to
> > be zero, the bug may lead to programs with arbitrary values loaded.
>
> Generally speaking, if the verifier reports "REG INVARIANTS VIOLATION"
> warning above, it doesn't necessarily mean that verifier has some bug.
> We do know that in some conditions verifier doesn't detect conditions
> that *will not* be taken, and in such cases we might get reg
> invariants violation. But in such case verifier will revert to
> conservative unknown scalar state, which is correct, even if
> potentially unnecessarily pessimistic.
>

Yes, I'm aware of that, which is why I only selected two suspicious
cases to report. Also, this is true after the check (5f99f312bd3be:
bpf: add register bounds sanity checks and sanitization), but these
cases may cause some issues in the previous releases. Your recent
improvement in return value check also helps.

I will see what I can do, maybe add more checks by using both tnum and
ranges information in is_scalar_branch_taken().

Thanks!
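As an added illustration of the check Hao Sun proposes at the end of the thread (combining tnum and range information to decide whether a branch can be taken), the following C program is not code from the thread or from the kernel. It models a register as a tnum `(value, mask)` plus a signed 64-bit range, exactly the quantities printed in the verifier log above, and asks whether `if r8 s<= r4` at instruction 6 can ever fall through. With `var_off=(0xfffffffe; 0xffffffff00000000)`, `smin=0x80000000fffffffe`, `smax=13` and `r4=2`, the fall-through would need a value in [3, 13], but every value matching the tnum has low 32 bits equal to 0xfffffffe, so the branch is always taken and the `false_reg1` state that triggered the violation is infeasible. The helper names (`tnum_next_ge`, `tnum_hits_srange`, `sle_branch_taken`) and the 1/0/-1 return convention are assumptions of this example, not the kernel's `is_scalar_branch_taken()`; the core is a general "smallest value >= lo matching a bit pattern" search that also handles the case where no such value exists.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * tnum model (same encoding as the verifier's var_off): bits set in `mask`
 * are unknown, all other bits are fixed to the corresponding bit of `value`.
 */

/* Smallest unsigned x >= lo whose fixed bits match (value, mask); false if none. */
bool tnum_next_ge(uint64_t value, uint64_t mask, uint64_t lo, uint64_t *out)
{
    uint64_t known = ~mask;

    if ((lo & known) == value) {
        *out = lo;
        return true;
    }

    /* Highest fixed bit at which lo disagrees with the pattern. */
    uint64_t diff = (lo ^ value) & known;
    int i = 63 - __builtin_clzll(diff);
    uint64_t upto_i = (i == 63) ? ~0ULL : ((1ULL << (i + 1)) - 1);

    if ((value >> i) & 1) {
        /* lo has 0 where a 1 is required: raise bit i, minimise everything below. */
        *out = (lo & ~upto_i) | (value & upto_i);
        return true;
    }

    /*
     * lo has 1 where a 0 is required: the only way up is to set the lowest
     * unknown bit above i that is still 0 in lo, then minimise the rest.
     */
    uint64_t cand = mask & ~lo & ~upto_i;
    if (!cand)
        return false;
    int j = __builtin_ctzll(cand);          /* j >= i + 1 >= 1 */
    uint64_t below_j = (1ULL << j) - 1;
    *out = (lo & ~below_j) | (1ULL << j) | (value & below_j);
    return true;
}

/* Does any value in the unsigned interval [lo, hi] match the tnum? */
bool tnum_hits_urange(uint64_t value, uint64_t mask, uint64_t lo, uint64_t hi)
{
    uint64_t x;
    return lo <= hi && tnum_next_ge(value, mask, lo, &x) && x <= hi;
}

/* Same for a signed interval: split at zero so unsigned order holds in each half. */
bool tnum_hits_srange(uint64_t value, uint64_t mask, int64_t lo, int64_t hi)
{
    if (lo > hi)
        return false;
    if (lo < 0 && hi >= 0)
        return tnum_hits_urange(value, mask, (uint64_t)lo, UINT64_MAX) ||
               tnum_hits_urange(value, mask, 0, (uint64_t)hi);
    return tnum_hits_urange(value, mask, (uint64_t)lo, (uint64_t)hi);
}

/*
 * For "if reg s<= c": 1 = always taken, 0 = never taken, -1 = either way.
 * Hypothetical helper for this example, not the kernel's is_scalar_branch_taken().
 */
int sle_branch_taken(uint64_t value, uint64_t mask, int64_t smin, int64_t smax, int64_t c)
{
    int64_t take_hi = c < smax ? c : smax;      /* taken: v in [smin, min(c, smax)] */
    bool can_take = tnum_hits_srange(value, mask, smin, take_hi);
    bool can_fall = false;                      /* fall-through: v in [max(c+1, smin), smax] */
    if (c < INT64_MAX) {
        int64_t fall_lo = c + 1 > smin ? c + 1 : smin;
        can_fall = tnum_hits_srange(value, mask, fall_lo, smax);
    }
    if (can_take && !can_fall)
        return 1;
    if (!can_take && can_fall)
        return 0;
    return -1;  /* both feasible, or neither (already contradictory state) */
}

int main(void)
{
    /* R8 at instruction 6 of the log above, compared against R4 = 2. */
    uint64_t value = 0xfffffffeULL, mask = 0xffffffff00000000ULL;
    int64_t smin = (int64_t)0x80000000fffffffeULL, smax = 13;
    int r = sle_branch_taken(value, mask, smin, smax, 2);
    printf("if r8 s<= 2: %s\n",
           r == 1 ? "always taken" : r == 0 ? "never taken" : "unknown");
    return 0;
}
```

The range-only check the verifier performs cannot decide this branch, because [smin, smax] does overlap both sides of 2; it is the tnum that rules out [3, 13]. The same search works for the other comparison operators by changing which interval counts as "taken".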