Received: by 2002:a05:7208:3003:b0:81:def:69cd with SMTP id f3csp4190199rba; Tue, 2 Apr 2024 09:45:23 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUmPaW8EaDIzNkyX9yF6bN99S+4I5SQlwLXpg37yni+t6F6Oe1e82oSuLk4M1QfdPezlA+Dt7urzHG9WOtLmPFSxxFTPURZ8Krn01CNmw== X-Google-Smtp-Source: AGHT+IHlAKmpZp/Lx0/tV9bRTI0IK+a/NRY2/O4hYGP754BermyMSkgJPEvRZ0q/IU7sr66wbq/q X-Received: by 2002:a05:6a21:3995:b0:1a5:6f9f:26af with SMTP id ad21-20020a056a21399500b001a56f9f26afmr14608620pzc.2.1712076322539; Tue, 02 Apr 2024 09:45:22 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1712076322; cv=pass; d=google.com; s=arc-20160816; b=J+wCXbwTOOAot/2qchU+vDAE6EAFTVSPBMWn5c9FM29JvkXRM4m433zS6+hril3G1k MBLYBYS+Tgpr5TZ6iwnXrR/yeqiWjC/0aGQDAEsPMo3hpbJxuuyMP4W4Z22AhVwPKGAP QUcdt/K7TKYDhWKvdMSKDbIub6gdrQJ/6KvZhrqy1nGghaN7r4yogIEkIwZyLVjpfkjn bRw/rLbjikaHuNVoQAZJH++fva6bXY0pLqjugPehMyXrRTFwjO8+df2Gif78twJoH0tP 9v1ChV/YABwPIpLttOW2D7B6S6Trd+xbCVBSZgQGAsraLwzysI6f4qr4aJ/zRKq2n1Oj +JQA== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:list-unsubscribe:list-subscribe :list-id:precedence:dkim-signature; bh=bARqrFgsneD+covumrGgNw8HoiNpsNx2Oy2kurbEzMY=; fh=9WU3wRFn6SwnGhE1lbfK6K8U1QdUa7ph6f/+haRTmMs=; b=sNfOccyS7tjNFYj4P3ZRD511QDxLOrwjpLVS5UHgT2g4jcwfle3BeqVLSAdhzBTf0y ofkUyCYZdgQBChbpytNjR0HUPiZkBd3Dm/HO+iZwpSRciH0rQUGj/g4dUC1xMuDaCXRg 2gnGTBEQgckcHrVarD74z2w64kaa2nXj/Xb/Nl7GWSV06JPkd/Ns3yyOhyDLiGCYHRJd zmculK8YfRCVhazLw5FX9NuhVR+A7DFYchFwGcvMpI7Wk7E1gdcOxKmFam6h4pFO2AoY xsnjLpFVAJw1zgp7ODei2BeANeognsNt84zqW9ey9p8hzlpTMOHPd9GBHDn159rYm8jQ Tp6g==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="i2uap/MJ"; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-128364-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-128364-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from sv.mirrors.kernel.org (sv.mirrors.kernel.org. [139.178.88.99]) by mx.google.com with ESMTPS id lp7-20020a056a003d4700b006e69f482eccsi11947398pfb.316.2024.04.02.09.45.22 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 02 Apr 2024 09:45:22 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-128364-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) client-ip=139.178.88.99; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b="i2uap/MJ"; arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com); spf=pass (google.com: domain of linux-kernel+bounces-128364-linux.lists.archive=gmail.com@vger.kernel.org designates 139.178.88.99 as permitted sender) smtp.mailfrom="linux-kernel+bounces-128364-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by sv.mirrors.kernel.org (Postfix) with ESMTPS id 4A22E28699E for ; Tue, 2 Apr 2024 16:44:04 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 7129B15990B; Tue, 2 Apr 2024 16:43:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="i2uap/MJ" Received: from mail-vs1-f41.google.com (mail-vs1-f41.google.com [209.85.217.41]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D87602AD1E; Tue, 2 Apr 2024 16:43:54 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.217.41 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712076236; cv=none; b=DkQFeWLPNDBcYFi/2qhaTvfWWb9sF2rlpH10+9pqAJZ/7027ZNXxBH94VhQ4ptgs7uPbWobeKp2VIjaFsIis+f6hWN11X62RiPcqMw9otGJV7tlaZV/4OJZ4osHxR1Rp7UPNna8Uj0GdbSRYEtpnlpsRL2cG8Vigh3Ojm3wNc90= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1712076236; c=relaxed/simple; bh=fFnCKGfkqLN0RGRz6CY7g5EViCTuK6Py2Kheiwv8YEM=; h=MIME-Version:References:In-Reply-To:From:Date:Message-ID:Subject: To:Cc:Content-Type; b=MN1LWBBHEqGMm85RcL5LXuwXslC4+EztTiaQKO0F/5B3UKkJFYtT5PgOsDgerjN19RLzMeQL+L7gPGnaQN81WUOzTIB+N3q+OJmj6N/hmc5lfV9TA6VSRo0TFvwQCk3ERZxd5xjMZdhesJVC07bLx06nS0RzvI11zcZ/qTcabpI= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=i2uap/MJ; arc=none smtp.client-ip=209.85.217.41 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Received: by mail-vs1-f41.google.com with SMTP id ada2fe7eead31-4788939769fso453871137.1; Tue, 02 Apr 2024 09:43:54 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1712076234; x=1712681034; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=bARqrFgsneD+covumrGgNw8HoiNpsNx2Oy2kurbEzMY=; b=i2uap/MJ42a9MfVhM34XZIwNrvav+LxizPyFnjVOcArllZ/jMDDBJetMlQ2Ej51otw Px6+ywf93hDqziGrR81m4r/cuzW17coGjZefb/QUmP78d4/z54bbemeuHQcrLWvK2bF4 hIG3F7JIfqOz6BjLQibZHxYvpMxa922CG5kr4fFiiV0NYxVysb3j7Dm8I8N4x6ZObqp4 Vu1UqTp8sRXKDaSlxEOVaZ7d61zv3rccNfmt3nz40eBRlylZ0T10VuvKIi4Tqn/iEtIW Orsn2HMcCmRIpYkGdYOcbQPUHdYjaAlriDt+UzgwMsLHJbjRCuOb6wJ7xHxj2L1/Hsm6 kJBg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1712076234; x=1712681034; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=bARqrFgsneD+covumrGgNw8HoiNpsNx2Oy2kurbEzMY=; b=bRIgpl3fD8OufWIBFlPpSDUVN3lBa9LeuJ3d0UwZukrs7rghNDLvjG6fmwdyjZnrP1 b7aW1QsmjraUENhE/LLCA/sy1igKWFBxX6zr8El3O+x0s6bVz+SG5qKhznMuUuJF2s90 W/DYiC2sBuRXMa+0UO+nKC+tqMoa48DtifAcawTmRR81QdRJTfxnHHZsU9uAbgIH38BO LOi8G5FlvAINKLGEdQ3yzUSIMKRu6zbccoS1gl41IxSESOHiTFOAH0FxK/6m0nRapcbi 6ommqQBDlSBnPbwcr/5SvVv0JSIpUy6NDQ4ds/W/QopAfIrsfmB8meESuyCzTBehuCxl e+Tw== X-Forwarded-Encrypted: i=1; AJvYcCXOfwXnBLuJ7rb/R1vy4SzFsnzZYoaWWPtJJ/BJ2fuocbBEgO9sb5yyG5WovqlQrJ2C1NbKlN1tnZ/avpW3U3mOTj0kK6YxynKIbDyF6Jx7A3X/EHm/jU1WzeKgedB1repy X-Gm-Message-State: AOJu0YyIeGuTkUmqglwxDy0614eZ98E80BcjJCWGduvmKnrmsVERR/ZK 1H0AxGT5vDMRZQI3HODtWjyrOGOBqdbrVxQHrJ6v6XMuV/zUbVNR+0gqCxqlUmx6GHYMvaL19a9 +e87X9F5tlfxNzQbjkx9by8QX3PI= X-Received: by 2002:a05:6102:4192:b0:476:f10a:b0da with SMTP id cd18-20020a056102419200b00476f10ab0damr13934082vsb.16.1712076233647; Tue, 02 Apr 2024 09:43:53 -0700 (PDT) Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 References: <20240329030119.29995-1-harishankar.vishwanathan@gmail.com> <4229e0ff-777b-6afb-f0c0-a329e426d87e@iogearbox.net> In-Reply-To: <4229e0ff-777b-6afb-f0c0-a329e426d87e@iogearbox.net> From: Harishankar Vishwanathan Date: Tue, 2 Apr 2024 12:43:42 -0400 Message-ID: Subject: Re: [PATCH bpf-next] Fix latent unsoundness in and/or/xor value tracking To: Daniel Borkmann Cc: Andrii Nakryiko , Eduard Zingerman , ast@kernel.org, harishankar.vishwanathan@rutgers.edu, sn624@cs.rutgers.edu, sn349@cs.rutgers.edu, m.shachnai@rutgers.edu, paul@isovalent.com, Srinivas Narayana , Santosh Nagarakatte , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , bpf@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable On Tue, Apr 2, 2024 at 9:06=E2=80=AFAM Daniel Borkmann wrote: > > On 3/30/24 5:35 PM, Harishankar Vishwanathan wrote: > > On Sat, Mar 30, 2024 at 1:28=E2=80=AFAM Andrii Nakryiko > > wrote: > >> > >> On Fri, Mar 29, 2024 at 8:25=E2=80=AFPM Harishankar Vishwanathan > >> wrote: > >>> > >>> On Fri, Mar 29, 2024 at 6:27=E2=80=AFAM Eduard Zingerman wrote: > >>>> > >>>> On Thu, 2024-03-28 at 23:01 -0400, Harishankar Vishwanathan wrote: > >>>> > >>>> [...] > >>>> > >>>>> @@ -13387,18 +13389,19 @@ static void scalar32_min_max_or(struct bp= f_reg_state *dst_reg, > >>>>> */ > >>>>> dst_reg->u32_min_value =3D max(dst_reg->u32_min_value, umin_= val); > >>>>> dst_reg->u32_max_value =3D var32_off.value | var32_off.mask; > >>>>> - if (dst_reg->s32_min_value < 0 || smin_val < 0) { > >>>>> + if (dst_reg->s32_min_value > 0 && smin_val > 0 && > >>>> > >>>> Hello, > >>>> > >>>> Could you please elaborate a bit, why do you use "> 0" not ">=3D 0" = here? > >>>> It seems that having one of the min values as 0 shouldn't be an issu= e, > >>>> but maybe I miss something. > >>> > >>> You are right, this is a mistake, I sent the wrong version of the pat= ch. Thanks > >>> for catching it. I will send a new patch. > >>> > >>> Note that in the correct version i'll be sending, instead of the foll= owing > >>> if condition, > >>> > >>> if (dst_reg->s32_min_value >=3D 0 && smin_val >=3D 0 && > >>> (s32)dst_reg->u32_min_value <=3D (s32)dst_reg->u32_max_value) > >>> > >>> it will use this if condition: > >>> > >>> if ((s32)dst_reg->u32_min_value <=3D (s32)dst_reg->u32_max_value) > >>> > >>> Inside the if, the output signed bounds are updated using the unsigne= d > >>> bounds; the only case in which this is unsafe is when the unsigned > >>> bounds cross the sign boundary. The shortened if condition is enough= to > >>> prevent this. The shortened has the added benefit of being more > >>> precise. We will make a note of this in the new commit message. > >> > >> And that's exactly what reg_bounds_sync() checks as well, which is why > >> my question/suggestion to not duplicate this logic, rather reset s32 > >> bounds to unknown (S32_MIN/S32_MAX), and let generic reg_bounds_sync() > >> handle the re-derivation of whatever can be derived. > > > > We tried your suggestion (setting the bounds to be completely unbounded= ). > > This would indeed make the abstract operator scalar(32)_min_max_and > > sound. However, we found (through Agni and SMT verification) that our p= atch is > > more precise than just unconditionally setting the signed bounds to unb= ounded > > [S32_MIN/S32_MAX], [S64_MIN,S64_MAX]. > > > > For example, consider these inputs to BPF_AND: > > > > dst_reg > > ----------------------------------------- > > var_off.value: 8608032320201083347 > > var_off.mask: 615339716653692460 > > smin_value: 8070450532247928832 > > smax_value: 8070450532247928832 > > umin_value: 13206380674380886586 > > umax_value: 13206380674380886586 > > s32_min_value: -2110561598 > > s32_max_value: -133438816 > > u32_min_value: 4135055354 > > u32_max_value: 4135055354 > > > > src_reg > > ----------------------------------------- > > var_off.value: 8584102546103074815 > > var_off.mask: 9862641527606476800 > > smin_value: 2920655011908158522 > > smax_value: 7495731535348625717 > > umin_value: 7001104867969363969 > > umax_value: 8584102543730304042 > > s32_min_value: -2097116671 > > s32_max_value: 71704632 > > u32_min_value: 1047457619 > > u32_max_value: 4268683090 > > > > After going through > > tnum_and() -> scalar32_min_max_and() -> scalar_min_max_and() -> > > reg_bounds_sync() > > > > Our patch produces the following bounds for s32: > > s32_min_value: -1263875629 > > s32_max_value: -159911942 > > > > Whereas, setting the signed bounds to unbounded in > > scalar(32)_min_max_and produces: > > s32_min_value: -1263875629 > > s32_max_value: -1 > > > > Our patch produces a tighter bound as you can see. We also confirmed > > using SMT that > > our patch always produces signed bounds that are equal to or more > > precise than setting > > the signed bounds to unbounded in scalar(32)_min_max_and. > > > > Admittedly, this is a contrived example. It is likely the case that > > such precision > > gains are never realized in an actual BPF program. > > > > Overall, both the fixes are sound. We're happy to send a patch for > > either of them. > > Given your version is more precise, then that would be preferred. Might > be good to have the above as part of the commit description for future > reference. > > Thanks, > Daniel Thanks Shung-Hsi, Eduard, Andrii, Daniel. I'll send over a new version of the patch addressing all the points discussed above. Best, Hari