Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp242964lqz; Fri, 29 Mar 2024 15:19:58 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCWC+zDyaUAO8k9KnwyTgP44uytlwqN3qocksC+BtxW3fVP7oKvMGdtIpfwcs24vppsyIz24FtCtLEJBogGJz/NbXjy7mz8uJ+zgm+QnRA== X-Google-Smtp-Source: AGHT+IGHdLDKK6/Y2Z2DeBJSjzdQKUK3d6HocMo+bmyInZ1t0rlqUFsrwbqvGoEa9ez65t5mdWPZ X-Received: by 2002:a17:90a:d50e:b0:2a0:3fe1:2e1 with SMTP id t14-20020a17090ad50e00b002a03fe102e1mr3295860pju.6.1711750798610; Fri, 29 Mar 2024 15:19:58 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711750798; cv=pass; d=google.com; s=arc-20160816; b=g+u7IXVdZwzekO+g1rO+HqWjtXEfozC9MEGiQKDbcVvRiHDwDThu1K2s4vNB5ujQi9 gEVYYGfdZ03XmrGjI24/MswKDguVDmLIlqCaoRmyA7t2O3EnLX+SlOa9oNWNdS/nXcFU 9JqQx4N9zmWUxtrSWyDfNoKXYtpsFbGiA0w3RpDR8HcAKBDGpOhLUBABF1ikwnNshRHF EzFnZ1cs8aK0TtvLMNR9NHHJR6r90iBMQotGjfivLDr3wJ8IPd/N3Veuxt/mc7ht7oGL yva1N+tbVjglRvZg7KatbUG31a0z8JG1YIKc9fA8XKBzp16tSdLEiIYabC7ehpsRvT+k 1HXA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=zMnaIYbqA7d/kZC+ybw/xWIqwL2oTfIft72gidYLOFE=; fh=3YaAfBQSpAn3+L7v5hjk+ULVaInnQKVp1p1qMtW2y94=; b=ZZrDXijnjIO7faWwAChuvnInsHdPwGAZOHZHPBaKWaKcd7cqH8kHd7dU7Uqnzq3HAY ZlJ0JQGSkLa6Z1asERzo7AkPxNS9m2O2T3vJ8gWMvrw8xB+LpTPLI04jk3lp1Ghg2/QY OlwawKa4CFR/LT6Y+0H89Z5pG3rk8m5FGQ8An0eixampJX9KjTnoJvsk2qn6Q+mzkwcs PpzQDPkxCLPMAgbp7aMeFwoyPIR77jCmXwV8y2FrDIOXhJFPMGw0a2SNA4g7mrJWS5RF mBedK3YK2IYjNDsnYoL9x8+qk8/TwPMUR2EX54EHQLIPihtFiFSbuWnui9M/pnXu7vbs FN9Q==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Oyxzrm6j; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-125475-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-125475-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id c18-20020a17090a8d1200b002a08eec02b4si6447347pjo.25.2024.03.29.15.19.58 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Mar 2024 15:19:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-125475-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=Oyxzrm6j; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-125475-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-125475-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 481E2283C51 for ; Fri, 29 Mar 2024 22:19:58 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 906EB13D518; Fri, 29 Mar 2024 22:19:49 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Oyxzrm6j" Received: from mail-ej1-f42.google.com (mail-ej1-f42.google.com [209.85.218.42]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 002BD79DF; Fri, 29 Mar 2024 22:19:46 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.218.42 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711750788; cv=none; b=hc8co0G9xIMT/oVcfsq1nqbLbgIRByceqOx1miKuDcLR/lA+TlkGLDdDsSVEWvsp2Z1ML2msFnjxDtbXVWYeoWZxi+a5uJjH3TsGCKopNYXjqqDc/2rMnm+A8GSdmnnkZ0mtnZXZsm3UnDVtcdpcCn2ay0NpOx9yYXr5+uTLj7s= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711750788; c=relaxed/simple; bh=R2WU90g1cLuEDJZk3E6aleef6JXzOr4Axg53ZSaOO+8=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=JPMCPJDyE8dC+KXdL/TjL60lA2tVzRuIZCXEMPj2MYNYQuTs6scNVk7dwti9FuLeUkRVdCGKiJMhKrrZSwHKe7KmXJ2RPReIUgkB7+7zJrFWHR8uh1D+hsBh95bg+JQjBy6lGwFCc48GhKreQwHI58r3TtyDYzJhu77ANq3eM+A= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=Oyxzrm6j; arc=none smtp.client-ip=209.85.218.42 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-ej1-f42.google.com with SMTP id a640c23a62f3a-a2f22bfb4e6so322877266b.0; Fri, 29 Mar 2024 15:19:46 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711750785; x=1712355585; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=zMnaIYbqA7d/kZC+ybw/xWIqwL2oTfIft72gidYLOFE=; b=Oyxzrm6j0lAuhDsmlgxUzUJVkkyWxS8lEh5kqUJjdyKvQcgfBRvk35LnoPx92OeSuL 07KHoAt/lk/f4ldM+mYs1FzoT3mCSGqPV0GvKeRtElkZHRf/4TWdgLsM+gO/pug9VlQi WGWMo7mHN6OXwqGXKmQY2lpeAR3RTH65du0AE2NjN0czZ70kUbPLkl+0sWr+/KlPTZgw LKUAs3Nj6bIOD72BDo53yHJHLNtTj2HgHc+tclEhApMovAOoaN8YOfjsGmN5GINbcI6G cpJYY3shr3xb2Ph4ve46zw4dL2G/uNDxCdayvxPg51UVW7mfeXEcVIlH8y3nHtVnhAtW KbAg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711750785; x=1712355585; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=zMnaIYbqA7d/kZC+ybw/xWIqwL2oTfIft72gidYLOFE=; b=K5j3ZozFu9FbIqWNtnvQz9TGTJgMCZBpkTKNJrafGFWlYsaa1Dwd3PbBcTzXZCtVSm 8uzlRbuqVhF3NRKmLf4uJenwjJW4h53UCL3FMLKB+E5unRDugZhjr6q0HzmJ/510qOJb LZ+g5D6YESsd/Ped9BYL32cGR3lD1PjinYoX9KkGGAFcTJugiY02IzJ1sepFsucBt2d1 qYq1SqDWMFUtGtbv+FDe5YJp43mrb7wEG+qtlJ8y9RL+SMC/tfPQ4in4ywXHcbYc3YRM GAfzmW3brpEao1UQCR1/6RLLJ0j9s6U6A2vMMiT6Xc383EvexPgkuW0aqKzlUkqHnw34 lZ3A== X-Forwarded-Encrypted: i=1; AJvYcCVRVyhTewPQv2FstE1TD2Tj4+EccjDTQ0xB+AzYmC6LV9IEgJ7cnV5PyWOwo/HrQEJGbT7ffnaItOczXteokfAAaSHUr8rYMD5rdjKql+kx23yQjpwElyXPj/r8XD7rr8IX X-Gm-Message-State: AOJu0Yz452HOKmkNJLD/JxNhNgAYRvjDufiPTccoYVdOgiKaFLRbLKwb cpNUhUp4oM2XjfpMaX1eSQzG8RQWUU3m8knV0rTQfe13KRIBLNVdAO7M59j3rAUuQgLB6rBujZL HeNqTIv1np4UPE2DA2MzPZtTFN88= X-Received: by 2002:a17:906:1716:b0:a4e:292e:7e8d with SMTP id c22-20020a170906171600b00a4e292e7e8dmr1980553eje.19.1711750785361; Fri, 29 Mar 2024 15:19:45 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240329030119.29995-1-harishankar.vishwanathan@gmail.com> In-Reply-To: <20240329030119.29995-1-harishankar.vishwanathan@gmail.com> From: Andrii Nakryiko Date: Fri, 29 Mar 2024 15:19:30 -0700 Message-ID: Subject: Re: [PATCH bpf-next] Fix latent unsoundness in and/or/xor value tracking To: Harishankar Vishwanathan Cc: ast@kernel.org, harishankar.vishwanathan@rutgers.edu, sn624@cs.rutgers.edu, sn349@cs.rutgers.edu, m.shachnai@rutgers.edu, paul@isovalent.com, Srinivas Narayana , Santosh Nagarakatte , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , bpf@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Thu, Mar 28, 2024 at 8:02=E2=80=AFPM Harishankar Vishwanathan wrote: > > The scalar(32)_min_max_and/or/xor functions can exhibit unsound behavior > when setting signed bounds. The following example illustrates the issue f= or > scalar_min_max_and(), but it applies to the other functions. > > In scalar_min_max_and() the following clause is executed when ANDing > positive numbers: > > /* ANDing two positives gives a positive, so safe to > * cast result into s64. > */ > dst_reg->smin_value =3D dst_reg->umin_value; > dst_reg->smax_value =3D dst_reg->umax_value; > > However, if umin_value and umax_value of dst_reg cross the sign boundary > (i.e., if (s64)dst_reg->umin_value > (s64)dst_reg->umax_value), then we > will end up with smin_value > smax_value, which is unsound. > > Previous works [1, 2] have discovered and reported this issue. Our tool > Agni [3] consideres it a false positive. This is because, during the > verification of the abstract operator scalar_min_max_and(), Agni restrict= s > its inputs to those passing through reg_bounds_sync(). This mimics > real-world verifier behavior, as reg_bounds_sync() is invariably executed > at the tail of every abstract operator. Therefore, such behavior is > unlikely in an actual verifier execution. > > However, it is still unsound for an abstract operator to exhibit behavior > where smin_value > smax_value. This patch fixes it, making the abstract > operator sound for all (well-formed) inputs. > > It's worth noting that this patch only modifies the output signed bounds > (smin/smax_value) in cases where it was previously unsound. As such, ther= e > is no change in precision. When the unsigned bounds (umin/umax_value) cro= ss > the sign boundary, they shouldn't be used to update the signed bounds > (smin/max_value). In only such cases, we set the output signed bounds to > unbounded [S64_MIN, S64_MAX]. We confirmed through SMT verification that > the problem occurs if and only if the unsigned bounds cross the sign > boundary. > > [1] https://sanjit-bhat.github.io/assets/pdf/ebpf-verifier-range-analysis= 22.pdf > [2] https://github.com/bpfverif/agni > [3] https://link.springer.com/chapter/10.1007/978-3-031-37709-9_12 > > Co-developed-by: Matan Shachnai > Signed-off-by: Matan Shachnai > Co-developed-by: Srinivas Narayana > Signed-off-by: Srinivas Narayana > Co-developed-by: Santosh Nagarakatte > Signed-off-by: Santosh Nagarakatte > Signed-off-by: Harishankar Vishwanathan > --- > kernel/bpf/verifier.c | 76 +++++++++++++++++++++++-------------------- > 1 file changed, 40 insertions(+), 36 deletions(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index ca6cacf7b42f..9bc4c2b1ca2e 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -13318,18 +13318,19 @@ static void scalar32_min_max_and(struct bpf_reg= _state *dst_reg, > */ > dst_reg->u32_min_value =3D var32_off.value; > dst_reg->u32_max_value =3D min(dst_reg->u32_max_value, umax_val); > - if (dst_reg->s32_min_value < 0 || smin_val < 0) { > + if (dst_reg->s32_min_value >=3D 0 && smin_val >=3D 0 && > + (s32)dst_reg->u32_min_value < (s32)dst_reg->u32_max_value= ) { > + /* ANDing two positives gives a positive, so safe to cast > + * u32 result into s32 when u32 doesn't cross sign bounda= ry. > + */ > + dst_reg->s32_min_value =3D dst_reg->u32_min_value; > + dst_reg->s32_max_value =3D dst_reg->u32_max_value; > + } else { > /* Lose signed bounds when ANDing negative numbers, > * ain't nobody got time for that. > */ > dst_reg->s32_min_value =3D S32_MIN; > dst_reg->s32_max_value =3D S32_MAX; > - } else { > - /* ANDing two positives gives a positive, so safe to > - * cast result into s64. > - */ > - dst_reg->s32_min_value =3D dst_reg->u32_min_value; > - dst_reg->s32_max_value =3D dst_reg->u32_max_value; > } have you tried just unconditionally setting s32_{min,max}_value to S32_{MIN,MAX} and letting reg_bounds_sync perform u32/s32 bounds derivation? > } > [...]