From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Eduard Zingerman, Yonghong Song, Alexei Starovoitov, Sasha Levin
Subject: [PATCH 6.6 29/60] bpf: check bpf_func_state->callback_depth when pruning states
Date: Wed, 13 Mar 2024 12:36:36 -0400
Message-ID: <20240313163707.615000-30-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240313163707.615000-1-sashal@kernel.org>
References: <20240313163707.615000-1-sashal@kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.22-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-6.6.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 6.6.22-rc1
X-KernelTest-Deadline: 2024-03-15T16:36+00:00
X-stable: review
From: Eduard Zingerman

[ Upstream commit e9a8e5a587ca55fec6c58e4881742705d45bee54 ]

When comparing current and cached states the verifier should consider
bpf_func_state->callback_depth. The current state cannot be pruned
against a cached state when the current state has more iterations left
than the cached state. The current state has more iterations left when
its callback_depth is smaller.

Below is an example illustrating this bug, minimized from mailing list
discussion [0] (assume that BPF_F_TEST_STATE_FREQ is set).
The example is not a safe program: if loop_cb point (1) is followed by
loop_cb point (2), then division by zero is possible at point (4).

    #include <linux/bpf.h>
    #include <bpf/bpf_helpers.h>
    #include "bpf_misc.h"

    struct ctx {
        __u64 a;
        __u64 b;
        __u64 c;
    };

    /* bpf_loop() callbacks return an int; the sketch returned 0 from a
     * void function, which does not compile. */
    static int loop_cb(int i, struct ctx *ctx)
    {
        /* assume that generated code is "fallthrough-first":
         * if ... == 1 goto
         * if ... == 2 goto
         *
         */
        switch (bpf_get_prandom_u32()) {
        case 1:  /* 1 */ ctx->a = 42; return 0; break;
        case 2:  /* 2 */ ctx->b = 42; return 0; break;
        default: /* 3 */ ctx->c = 42; return 0; break;
        }
    }

    SEC("tc")
    __failure
    __flag(BPF_F_TEST_STATE_FREQ)
    int test(struct __sk_buff *skb)
    {
        struct ctx ctx = { 7, 7, 7 };

        bpf_loop(2, loop_cb, &ctx, 0);              /* 0 */
        /* assume generated checks are in-order: .a first */
        if (ctx.a == 42 && ctx.b == 42 && ctx.c == 7)
            asm volatile("r0 /= 0;":::"r0");        /* 4 */
        return 0;
    }

Prior to this commit the verifier built the following checkpoint tree for
this example:

     .------------------------------------- Checkpoint / State name
     |    .-------------------------------- Code point number
     |    |   .---------------------------- Stack state {ctx.a,ctx.b,ctx.c}
     |    |   |        .------------------- Callback depth in frame #0
     v    v   v        v
       - (0) {7P,7P,7},depth=0
         - (3) {7P,7P,7},depth=1
           - (0) {7P,7P,42},depth=1
             - (3) {7P,7,42},depth=2
               - (0) {7P,7,42},depth=2     loop terminates because of depth limit
                 - (4) {7P,7,42},depth=0     predicted false, ctx.a marked precise
                 - (6) exit
    (a)      - (2) {7P,7,42},depth=2
               - (0) {7P,42,42},depth=2     loop terminates because of depth limit
                 - (4) {7P,42,42},depth=0     predicted false, ctx.a marked precise
                 - (6) exit
    (b)      - (1) {7P,7P,42},depth=2
               - (0) {42P,7P,42},depth=2    loop terminates because of depth limit
                 - (4) {42P,7P,42},depth=0    predicted false, ctx.{a,b} marked precise
                 - (6) exit
             - (2) {7P,7,7},depth=1
               considered safe, pruned using checkpoint (a)
    (c)      - (1) {7P,7P,7},depth=1
               considered safe, pruned using checkpoint (b)

Here checkpoint (b) has callback_depth of 2, meaning that it would never
reach state {42,42,7}, while checkpoint (c) has callback_depth of 1 and
thus could yet explore the state {42,42,7} if not pruned prematurely.

This commit forbids such premature pruning, allowing the verifier to
explore the state sub-tree starting at (c):

    (c)      - (1) {7,7,7P},depth=1
               - (0) {42P,7,7P},depth=1
                 ...
                 - (2) {42,7,7},depth=2
                   - (0) {42,42,7},depth=2     loop terminates because of depth limit
                     - (4) {42,42,7},depth=0     predicted true, ctx.{a,b,c} marked precise
                       - (5) division by zero

[0] https://lore.kernel.org/bpf/9b251840-7cb8-4d17-bd23-1fc8071d8eef@linux.dev/

Fixes: bb124da69c47 ("bpf: keep track of max number of bpf_loop callback iterations")
Suggested-by: Yonghong Song
Signed-off-by: Eduard Zingerman
Acked-by: Yonghong Song
Link: https://lore.kernel.org/r/20240222154121.6991-2-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin
---
 kernel/bpf/verifier.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a7901ed358a0f..396c4c66932f2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16238,6 +16238,9 @@ static bool func_states_equal(struct bpf_verifier_env *env, struct bpf_func_stat
 {
 	int i;
 
+	if (old->callback_depth > cur->callback_depth)
+		return false;
+
 	for (i = 0; i < MAX_BPF_REG; i++)
 		if (!regsafe(env, &old->regs[i], &cur->regs[i],
 			     &env->idmap_scratch, exact))
-- 
2.43.0
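Review bot: the new check at the top of func_states_equal() is deliberately one-directional (it refuses to prune only when the cached `old` state is deeper than `cur`), but nothing next to it says why a shallower cached state remains a valid pruning candidate, and a later reader could easily "tidy" it into an equality test; a one-line comment above the `if`, e.g. `/* cur has more callback iterations left than old; old's subtree does not cover them */`, would carry the reasoning from the description into the code. For the 6.6 backport it is also worth confirming that the selftest from the same upstream series (the Link above is the second patch of that series) is queued alongside this change, since the `__failure __flag(BPF_F_TEST_STATE_FREQ)` program in the description is what exercises these three lines.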
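To make the pruning rule concrete, here is an added example that is not code from the kernel, from this patch, or from its author: a small C model of the verifier's checkpoint cache for the program in the description. It keeps the three ctx slots, a callback depth limit of 2, the "fallthrough-first" branch order, matching of imprecise cached slots against any value, and propagation of precise marks to parent checkpoints (both after the final check and after a successful prune). All names (`explore`, `state_safe`, `verify`, `checkpoint`) are hypothetical, and registers, branch counts and per-instruction checkpoints are left out. The function counts paths on which the `r0 /= 0` guard becomes true: with the `old->callback_depth > cur->callback_depth` rejection disabled, checkpoint (c) is pruned against (b) and the unsafe path is never found; with it enabled, the path is found.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of verifier state pruning for the program in the commit
 * message (hypothetical names, not kernel code). ctx.{a,b,c} live in vals[0..2].
 * Code points follow the message: 0 = loop head (bpf_loop callback return),
 * 1..3 = callback branch that stores 42 into vals[point-1]; the post-loop
 * check (4) "a == 42 && b == 42 && c == 7" runs when the depth limit is hit. */
#define NVARS      3
#define LOOP_ITERS 2       /* bpf_loop(2, loop_cb, &ctx, 0) */
#define MAX_CP     256

struct checkpoint {
	int point;
	int depth;             /* bpf_func_state->callback_depth */
	int vals[NVARS];
	bool precise[NVARS];   /* set later by backtracking, like mark_chain_precision */
	bool active;           /* subtree still being explored: never a prune candidate */
};

static struct checkpoint cps[MAX_CP];
static int ncps;
static int path[MAX_CP], pathlen;   /* parent chain of the state being explored */
static int unsafe_paths;
static bool use_depth_check;

/* Propagate precise marks to every ancestor checkpoint on the current path. */
static void mark_precise(const bool *mask)
{
	for (int i = 0; i < pathlen; i++)
		for (int v = 0; v < NVARS; v++)
			cps[path[i]].precise[v] |= mask[v];
}

/* Model of func_states_equal(): an imprecise slot in the cached state matches
 * any value; with use_depth_check the rejection from this patch is applied. */
static bool state_safe(const struct checkpoint *old, int point, int depth,
		       const int *vals)
{
	if (old->point != point || old->active)
		return false;
	if (use_depth_check && old->depth > depth)  /* cur has more iterations left */
		return false;
	for (int v = 0; v < NVARS; v++)
		if (old->precise[v] && old->vals[v] != vals[v])
			return false;
	return true;
}

static void explore(int point, int depth, const int *vals)
{
	for (int i = 0; i < ncps; i++)
		if (state_safe(&cps[i], point, depth, vals)) {
			mark_precise(cps[i].precise); /* propagate_precision() on prune */
			return;
		}
	if (ncps == MAX_CP)
		return;
	int id = ncps++;
	cps[id].point = point;
	cps[id].depth = depth;
	cps[id].active = true;
	memcpy(cps[id].vals, vals, sizeof(cps[id].vals));
	memset(cps[id].precise, 0, sizeof(cps[id].precise));
	path[pathlen++] = id;

	if (point != 0) {                  /* callback branch: ctx->x = 42, back to loop */
		int next[NVARS];
		memcpy(next, vals, sizeof(next));
		next[point - 1] = 42;
		explore(0, depth, next);
	} else if (depth < LOOP_ITERS) {   /* another iteration: fallthrough-first 3,2,1 */
		for (int br = 3; br >= 1; br--)
			explore(br, depth + 1, vals);
	} else {                           /* loop done: point (4), short-circuit reads */
		bool read[NVARS] = { true, vals[0] == 42, vals[0] == 42 && vals[1] == 42 };
		mark_precise(read);
		if (vals[0] == 42 && vals[1] == 42 && vals[2] == 7)
			unsafe_paths++;        /* r0 /= 0 reachable */
	}
	pathlen--;
	cps[id].active = false;
}

/* Explore from ctx = {7,7,7}; returns how many paths reach the division. */
int verify(bool depth_check)
{
	int init[NVARS] = { 7, 7, 7 };

	ncps = pathlen = unsafe_paths = 0;
	use_depth_check = depth_check;
	explore(0, 0, init);
	return unsafe_paths;
}

int main(void)
{
	printf("without callback_depth check: %d unsafe path(s)\n", verify(false));
	printf("with callback_depth check:    %d unsafe path(s)\n", verify(true));
	return 0;
}
```

Tracing the model by hand reproduces the relevant part of the tree: checkpoint (a) ends up as (2) {7P,7,42} depth 2 and (b) as (1) {7P,7P,42} depth 2 with c imprecise, so without the depth rejection the depth-1 states at (2) and (1) match them and are pruned; with it, the depth-1 state at (2) is explored, reaches (1) and then {42,42,7} at the loop exit. The model's node order differs slightly from the commit message's tree because it has no real registers or instruction-level checkpoints, but the pruning decision it illustrates is the one the three-line change affects.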