From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eduard Zingerman, Yonghong Song, Alexei Starovoitov, Sasha Levin
Subject: [PATCH 6.7 34/61] bpf: check bpf_func_state->callback_depth when pruning states
Date: Wed, 13 Mar 2024 12:32:09 -0400
Message-ID: <20240313163236.613880-35-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240313163236.613880-1-sashal@kernel.org>
References: <20240313163236.613880-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.7.10-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-6.7.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 6.7.10-rc1
X-KernelTest-Deadline: 2024-03-15T16:32+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
From: Eduard Zingerman

[ Upstream commit e9a8e5a587ca55fec6c58e4881742705d45bee54 ]

When comparing current and cached states verifier should consider
bpf_func_state->callback_depth. Current state cannot be pruned against
cached state, when current state has more iterations left compared to
cached state. Current state has more iterations left when its
callback_depth is smaller.

Below is an example illustrating this bug, minimized from mailing list
discussion [0] (assume that BPF_F_TEST_STATE_FREQ is set).
The example is not a safe program: if loop_cb point (1) is followed by
loop_cb point (2), then division by zero is possible at point (4).

    #include <linux/bpf.h>
    #include <bpf/bpf_helpers.h>
    #include "bpf_misc.h"   /* selftest annotations __failure, __flag */

    struct ctx {
    	__u64 a;
    	__u64 b;
    	__u64 c;
    };

    /* bpf_loop callback: each iteration overwrites one field of ctx */
    static int loop_cb(int i, struct ctx *ctx)
    {
    	/* assume that generated code is "fallthrough-first":
    	 * if ... == 1 goto <1>
    	 * if ... == 2 goto <2>
    	 * <default>
    	 */
    	switch (bpf_get_prandom_u32()) {
    	case 1:  /* 1 */ ctx->a = 42; return 0; break;
    	case 2:  /* 2 */ ctx->b = 42; return 0; break;
    	default: /* 3 */ ctx->c = 42; return 0; break;
    	}
    }

    SEC("tc")
    __failure __flag(BPF_F_TEST_STATE_FREQ)
    int test(struct __sk_buff *skb)
    {
    	struct ctx ctx = { 7, 7, 7 };

    	bpf_loop(2, loop_cb, &ctx, 0);               /* 0 */
    	/* assume generated checks are in-order: .a first */
    	if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7)
    		asm volatile("r0 /= 0;":::"r0");      /* 4 */
    	return 0;
    }

Prior to this commit verifier built the following checkpoint tree for
this example:

    .------------------------------------- Checkpoint / State name
    |    .-------------------------------- Code point number
    |    |   .---------------------------- Stack state {ctx.a,ctx.b,ctx.c}
    |    |   |              .------------- Callback depth in frame #0
    v    v   v              v
       - (0) {7P,7P,7},depth=0
         - (3) {7P,7P,7},depth=1
           - (0) {7P,7P,42},depth=1
             - (3) {7P,7,42},depth=2
               - (0) {7P,7,42},depth=2     loop terminates because of depth limit
                 - (4) {7P,7,42},depth=0   predicted false, ctx.a marked precise
                 - (6) exit
    (a)      - (2) {7P,7,42},depth=2
               - (0) {7P,42,42},depth=2    loop terminates because of depth limit
                 - (4) {7P,42,42},depth=0  predicted false, ctx.a marked precise
                 - (6) exit
    (b)      - (1) {7P,7P,42},depth=2
               - (0) {42P,7P,42},depth=2   loop terminates because of depth limit
                 - (4) {42P,7P,42},depth=0 predicted false, ctx.{a,b} marked precise
                 - (6) exit
           - (2) {7P,7,7},depth=1          considered safe, pruned using checkpoint (a)
    (c)    - (1) {7P,7P,7},depth=1         considered safe, pruned using checkpoint (b)

Here checkpoint (b) has callback_depth of 2, meaning that it would never
reach state {42,42,7}. While checkpoint (c) has callback_depth of 1,
and thus could yet explore the state {42,42,7} if not pruned
prematurely.

This commit forbids such premature pruning, allowing verifier to
explore states sub-tree starting at (c):

    (c)    - (1) {7,7,7P},depth=1
             - (0) {42P,7,7P},depth=1
               ...
               - (2) {42,7,7},depth=2
                 - (0) {42,42,7},depth=2     loop terminates because of depth limit
                   - (4) {42,42,7},depth=0   predicted true, ctx.{a,b,c} marked precise
                     - (5) division by zero

[0] https://lore.kernel.org/bpf/9b251840-7cb8-4d17-bd23-1fc8071d8eef@linux.dev/

Fixes: bb124da69c47 ("bpf: keep track of max number of bpf_loop callback iterations")
Suggested-by: Yonghong Song
Signed-off-by: Eduard Zingerman
Acked-by: Yonghong Song
Link: https://lore.kernel.org/r/20240222154121.6991-2-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin
---
 kernel/bpf/verifier.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e215413c79a52..9698e93d48c6e 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16686,6 +16686,9 @@ static bool func_states_equal(struct bpf_verifier_env *env, struct bpf_func_stat
 {
 	int i;
 
+	if (old->callback_depth > cur->callback_depth)
+		return false;
+
 	for (i = 0; i < MAX_BPF_REG; i++)
 		if (!regsafe(env, &old->regs[i], &cur->regs[i],
 			     &env->idmap_scratch, exact))
-- 
2.43.0
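Review bot: the early return at the top of func_states_equal is deliberately one-sided (only `old->callback_depth > cur->callback_depth` rejects the match, a cached state that is shallower or equal is still allowed to stand in for cur), but the hunk carries no comment saying why, and the `exact` argument handed to regsafe a few lines below invites the question whether exact mode should require equal depths instead. Suggest a one-line comment above the check, along the lines of `/* old has fewer bpf_loop iterations left than cur and cannot prove it safe */`, and a sentence in the commit message on why `exact` does not tighten this to equality.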
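As an added illustration (not code from the patch or the kernel), a toy Python model of the pruning decision the commit message walks through: it reproduces the checkpoint comparisons of the first tree, where {42,42,7} is never reached, and shows that once a cached state with a larger callback_depth is refused as a match the exploration does reach the unsafe state. The model approximates checkpoint placement and precision marking and may reach {42,42,7} by a different path than the second tree; the real verifier's exploration differs in detail.

```python
DEPTH_LIMIT = 2          # bpf_loop(2, ...): two callback iterations
CASES = ("c", "b", "a")  # case 3 writes ctx.c, case 2 ctx.b, case 1 ctx.a (explored in this order)

def check_point_4(vals):
    """Point (4): if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7) r0 /= 0.
    Returns (unsafe, precise fields): with short-circuit evaluation only the
    fields that were actually compared get marked precise."""
    if vals["a"] != 42:
        return False, {"a"}
    if vals["b"] != 42:
        return False, {"a", "b"}
    return vals["c"] == 7, {"a", "b", "c"}

def states_equal(old, cur, consider_depth):
    """old = (vals, callback depth, precise fields) of a checkpoint, cur = (vals, depth).
    Without the fix only the checkpoint's precise fields are compared; with it, a
    checkpoint deeper in the loop (fewer iterations left) cannot stand in for cur."""
    old_vals, old_depth, precise = old
    cur_vals, cur_depth = cur
    if consider_depth and old_depth > cur_depth:
        return False
    return all(old_vals[f] == cur_vals[f] for f in precise)

def verify(consider_depth):
    """Explore the loop depth-first like the verifier; return states reaching r0 /= 0."""
    cache = {case: [] for case in CASES}   # checkpoints at each case entry point
    unsafe_states = []

    def explore(vals, depth):
        if depth == DEPTH_LIMIT:           # loop terminates, fall through to point (4)
            unsafe, precise = check_point_4(vals)
            if unsafe:
                unsafe_states.append(dict(vals))
            return precise
        precise = set()
        for case in CASES:
            cur = (vals, depth + 1)
            hit = next((o for o in cache[case] if states_equal(o, cur, consider_depth)), None)
            if hit is not None:
                precise |= hit[2]          # pruned: inherit the checkpoint's precise marks
                continue
            sub = explore(dict(vals, **{case: 42}), depth + 1)
            cache[case].append((dict(vals), depth + 1, sub))
            precise |= sub
        return precise

    explore({"a": 7, "b": 7, "c": 7}, 0)
    return unsafe_states
```

Running `verify(False)` models the pre-patch comparison and finds nothing; `verify(True)` models the patched one and reports {"a": 42, "b": 42, "c": 7}.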