Received: by 2002:ab2:1149:0:b0:1f3:1f8c:d0c6 with SMTP id z9csp355029lqz; Fri, 29 Mar 2024 22:29:09 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXFD7EDKsHSaQpBAr3UtNsskS0eQQcBh8Qj78FOeng5JY0jXeV2dQvQlk4mCDegAzXajM8M7D21Ldak/plZkfrBdnEYtvAF6P1ik5/QRA== X-Google-Smtp-Source: AGHT+IFpmS61e2B5YAsNOQUBmqvdPuskj6K+nCn11IkAu7Sp3BEOevxhIAfULN5UAV9gIo7X3MnH X-Received: by 2002:a17:906:1993:b0:a4e:4278:8a01 with SMTP id g19-20020a170906199300b00a4e42788a01mr1094750ejd.11.1711776549727; Fri, 29 Mar 2024 22:29:09 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1711776549; cv=pass; d=google.com; s=arc-20160816; b=X3LjAtTk4WSPWOM1I4iNfMIbPaEnYN9YFDT44OBrHWx8N/STRyiMq/J2bKVcAQ9mk4 hIBSgKThm5997OrQRrsp6r1KHe3cOvPTkluWkrV9750Y3B8Yscxj8WXZF2nLVhgTun9f tH3Gg8o/4uMQ/ba0OE+A8guhSjBdaQmP61L4q1Xi7Na0dnfJ6lsQpqxSOlL4jGKZDn27 yc3wuiOI79zIuib8k2RNFjr1Ujwv/JABmr5NMIQ+QJ99SS9HmwG7mvCJ05Owm8hw+EeV 7M12jcFjgr+K8dN5bIAUXLIJLljJ8a5ASJe/3muzZ70jQzeMZnjw+h2QQPTfJYYjO+KO yKMg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=HzHyUcYN9rBRgPi5AsHIJZShKuTLwgsqehdZBFMpuRw=; fh=R5niHP7vM0Y2L9tAxc2XCoREjH2cixLuuCdG4TbMPoE=; b=q9D8L7KNpOFJMsMa/QazhwzB2eaM4BXdZcJNmJv0PP31J5depfKqjPFU0kRcfCcMPv 2B74UlihROO1ABF8kORU2KrdUkpMIMl4tqY+znpDJDBzBVZE84BmkjK+VAAWPH0mKwYR oHFTZoCpz70I4nUL5iRZQO+gD6tMgsamxkFLc2rlRL4K9J0MnG+IBwOCfvVE0BfTjOLT pA3D2zabYu7BR44KfAfen5G9SsE8gP9FvrEhnazLoIcw4q4oaYXLM0izluxPM7c4FPjw yMmLz0aGNdXIr+un/ZS0T/vYV+xjUsNQvDr0P1DkbtqyjCldR7cyfi/kFi/Lg+9kMhj+ 0K3g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=VsQ6MkHy; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-125603-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-125603-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [147.75.80.249]) by mx.google.com with ESMTPS id ky8-20020a170907778800b00a45cdfe075esi2419431ejc.940.2024.03.29.22.29.09 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 29 Mar 2024 22:29:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-125603-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) client-ip=147.75.80.249; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=VsQ6MkHy; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-125603-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.80.249 as permitted sender) smtp.mailfrom="linux-kernel+bounces-125603-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 450941F22319 for ; Sat, 30 Mar 2024 05:29:09 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 445D88821; Sat, 30 Mar 2024 05:28:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="VsQ6MkHy" Received: from mail-pg1-f174.google.com (mail-pg1-f174.google.com [209.85.215.174]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C339C881F; Sat, 30 Mar 2024 05:28:56 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.215.174 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711776538; cv=none; b=ZlULKB+hSZTnsEdwTtFc58KZ2mcF9ZHxEoCr0j43SULFOpNL73AOvaeavUOPulyvxEgZur2mXK/CSGgcE1X3asr0PUKmj4qaWtDfx8RJQeG/R9QaXhCHhLRfzkthEYrvX9W6RELxVj/H/1msgZivrWzzwJvyJy9qpVO6F3sjtKw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1711776538; c=relaxed/simple; bh=EUcUQklyNbH8/SNk483PELZG1vakzV9Wr9CnM70ULio=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=W/2HkhYnWh/MXJeBWuxa99I/vLb4mzb/L8ltsD1b2Is/d8fU3yrv19FjTR1UsVLt3Cz0Fj5qBNnwoebNTiNG4U7nYuI2w/zBKi3f2IPShJiRbDRcbR8zEVpEwVTXciWc1K/BFzSouuAwasS7WNnzWPqt4CM40+IVU4zaaSz15NE= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=VsQ6MkHy; arc=none smtp.client-ip=209.85.215.174 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-pg1-f174.google.com with SMTP id 41be03b00d2f7-5dbd519bde6so1799905a12.1; Fri, 29 Mar 2024 22:28:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1711776536; x=1712381336; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=HzHyUcYN9rBRgPi5AsHIJZShKuTLwgsqehdZBFMpuRw=; b=VsQ6MkHyvVdqeiFVmzVlhzKOw6JRtj+QvUwAY8SvSxvePwH+sZUYByZb1JeCUAQwHG BA4LB6O61zDE5U9WxBAlnZfBHicnhVJp3Sj4uXf4oEml9b3bTfYWvqbofRrF0xhAn5WC 3mNlXgxfn/5fM/H6Rupr22TT0RAaYItPUozWMNpiBODV4b5NG1tl6lW6fWqyvZDMtQzI fNnPhUbqX59yeHSFYLQGw2OvHVoyABsZUB5eUgcaUhfoFVeCSsv/imoE4h9DOnZ/+5uL 75Z8U6nci78KGtagRgeK4ZYDhRpA333gMYmMddraJn7XxwATDn6MwB2tgtqk19aZAt+h I8+A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1711776536; x=1712381336; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HzHyUcYN9rBRgPi5AsHIJZShKuTLwgsqehdZBFMpuRw=; b=Xl3nDi5Z/KSywfmLTG6gei40BJ195czVu4SnU0SAYqHO51SoqCN/Fd5OSCITJD6e2I 7nQVIT4miWfaZbpf/HTY6JM4zOWx4xwyytRk1+a4YoyLWcPe2Da/vmfDV3o1Tys/khVL snOwTSMCM70d+dikgwvzXFBWHVXSyQvcsmPIIAHT7bo586tnUfml0XxM2et+ANM+D/aZ qKdJOqgjupwHE1wuHB2Glb/F30NxgBdLOdNlu6OaqNpViVHAEx0LqQGaPwIB8tG7N6yD tFsVMcz/+ir//EuUCwhkborG0fmkvVZeDzk3TldPMychd/3yrVZ2MPvFzrEBvJjczzIE j4UA== X-Forwarded-Encrypted: i=1; AJvYcCWmG7kHfmLwGkU4VlTdzqbmDyd8b5uow1tDs5et6M99JOCSbAm2Mg+gTl9nl7lsfUmB/LZx6xnWL86iy+QcORYf9tFLnuFbfvxudqpjBdIOBio5+QH9SJ1Lyc/tNYxeAik2 X-Gm-Message-State: AOJu0Yx2MgyPJzkT1Q8EeVrltkb0T0mCBMGgchfNW+rVQ/PA1qQ/bnM1 UjJApPRgScm17UKw7M2Oe1gBTLJHmzTJztR2Ss7GO/Vf7AUk0nmo4S+Wb3YDmdaYzEYmy/4rMcO tedPz4mHuPLo+l1v4boNz7D5GgHY= X-Received: by 2002:a05:6a21:3384:b0:1a5:6fde:8303 with SMTP id yy4-20020a056a21338400b001a56fde8303mr4307453pzb.38.1711776535998; Fri, 29 Mar 2024 22:28:55 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240329030119.29995-1-harishankar.vishwanathan@gmail.com> In-Reply-To: From: Andrii Nakryiko Date: Fri, 29 Mar 2024 22:28:43 -0700 Message-ID: Subject: Re: [PATCH bpf-next] Fix latent unsoundness in and/or/xor value tracking To: Harishankar Vishwanathan Cc: Eduard Zingerman , ast@kernel.org, harishankar.vishwanathan@rutgers.edu, sn624@cs.rutgers.edu, sn349@cs.rutgers.edu, m.shachnai@rutgers.edu, paul@isovalent.com, Srinivas Narayana , Santosh Nagarakatte , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , bpf@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Fri, Mar 29, 2024 at 8:25=E2=80=AFPM Harishankar Vishwanathan wrote: > > On Fri, Mar 29, 2024 at 6:27=E2=80=AFAM Eduard Zingerman wrote: > > > > On Thu, 2024-03-28 at 23:01 -0400, Harishankar Vishwanathan wrote: > > > > [...] > > > > > @@ -13387,18 +13389,19 @@ static void scalar32_min_max_or(struct bpf_= reg_state *dst_reg, > > > */ > > > dst_reg->u32_min_value =3D max(dst_reg->u32_min_value, umin_val= ); > > > dst_reg->u32_max_value =3D var32_off.value | var32_off.mask; > > > - if (dst_reg->s32_min_value < 0 || smin_val < 0) { > > > + if (dst_reg->s32_min_value > 0 && smin_val > 0 && > > > > Hello, > > > > Could you please elaborate a bit, why do you use "> 0" not ">=3D 0" her= e? > > It seems that having one of the min values as 0 shouldn't be an issue, > > but maybe I miss something. > > You are right, this is a mistake, I sent the wrong version of the patch. = Thanks > for catching it. I will send a new patch. > > Note that in the correct version i'll be sending, instead of the followin= g > if condition, > > if (dst_reg->s32_min_value >=3D 0 && smin_val >=3D 0 && > (s32)dst_reg->u32_min_value <=3D (s32)dst_reg->u32_max_value) > > it will use this if condition: > > if ((s32)dst_reg->u32_min_value <=3D (s32)dst_reg->u32_max_value) > > Inside the if, the output signed bounds are updated using the unsigned > bounds; the only case in which this is unsafe is when the unsigned > bounds cross the sign boundary. The shortened if condition is enough to > prevent this. The shortened has the added benefit of being more > precise. We will make a note of this in the new commit message. And that's exactly what reg_bounds_sync() checks as well, which is why my question/suggestion to not duplicate this logic, rather reset s32 bounds to unknown (S32_MIN/S32_MAX), and let generic reg_bounds_sync() handle the re-derivation of whatever can be derived. > > This applies to all scalar(32)_min_max_and/or/xor. > > > > + (s32)dst_reg->u32_min_value <=3D (s32)dst_reg->u32_max_= value) { > > > + /* ORing two positives gives a positive, so safe to cas= t > > > + * u32 result into s32 when u32 doesn't cross sign boun= dary. > > > + */ > > > + dst_reg->s32_min_value =3D dst_reg->u32_min_value; > > > + dst_reg->s32_max_value =3D dst_reg->u32_max_value; > > > + } else { > > > /* Lose signed bounds when ORing negative numbers, > > > * ain't nobody got time for that. > > > */ > > > dst_reg->s32_min_value =3D S32_MIN; > > > dst_reg->s32_max_value =3D S32_MAX; > > > - } else { > > > - /* ORing two positives gives a positive, so safe to > > > - * cast result into s64. > > > - */ > > > - dst_reg->s32_min_value =3D dst_reg->u32_min_value; > > > - dst_reg->s32_max_value =3D dst_reg->u32_max_value; > > > } > > > } > > > > [...] > > > > > @@ -13453,10 +13457,10 @@ static void scalar32_min_max_xor(struct bpf= _reg_state *dst_reg, > > > /* We get both minimum and maximum from the var32_off. */ > > > dst_reg->u32_min_value =3D var32_off.value; > > > dst_reg->u32_max_value =3D var32_off.value | var32_off.mask; > > > - > > > - if (dst_reg->s32_min_value >=3D 0 && smin_val >=3D 0) { > > > - /* XORing two positive sign numbers gives a positive, > > > - * so safe to cast u32 result into s32. > > > + if (dst_reg->s32_min_value > 0 && smin_val > 0 && > > > > Same question here. > > > > > + (s32)dst_reg->u32_min_value <=3D (s32)dst_reg->u32_max_= value) { > > > + /* XORing two positives gives a positive, so safe to ca= st > > > + * u32 result into s32 when u32 doesn't cross sign boun= dary. > > > */ > > > dst_reg->s32_min_value =3D dst_reg->u32_min_value; > > > dst_reg->s32_max_value =3D dst_reg->u32_max_value; > > > > [...]