Received: by 2002:ab2:7b86:0:b0:1f7:5705:b850 with SMTP id q6csp1091574lqh;
        Sun, 5 May 2024 16:18:56 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCUh+x2lrDy+dTBpjmmZWSz/0jW+gqHPACQritxR4VfzawCZqX75Dvf9e/mObI7ITcwHKsHcH0PB01a0oj6E7nTJWmpeVj2Nr31QvB/e5Q==
X-Google-Smtp-Source: AGHT+IEyNTFkLALvicwLKolqRQZHWkwTBO76FE9vSZHbhgayWMjldcc2w5rgi+gzR8dnbW1zXtat
X-Received: by 2002:a81:6d04:0:b0:615:b6c:b4bc with SMTP id i4-20020a816d04000000b006150b6cb4bcmr8587345ywc.5.1714951135924;
        Sun, 05 May 2024 16:18:55 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1714951135; cv=pass;
        d=google.com; s=arc-20160816;
        b=b+ETjR52yzSDKy/VfncKay3HEZNecMVkQ6Qbbta61BDejkaYJFPWsjyJlBXF/T7acm
         P60AKkT+1h75ro3qYsQ0nyftf0UsYvji6RNBIlQ+5Mwqr3qnWKYZovaDaucGX5cyiNoj
         y3/BTMvvY2p8WhYyMEmn9C73M5pS9sqHlJIve0Sd7E2mOZW4uICODvZJY3m4MjV/g/Ji
         YoSjr3E90Ru0Z63pcaaO7TiLPWSvAahigORC3EpU9ty8R9b2piWQSn6tOg/G95F+46l+
         Bji9yO4k5LlLsmPVLptCS9OqoLpTcAfdnWPGi7sC+WVUP+sK6nO/gmwfOr3yQHIk9/6N
         oxUg==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:list-unsubscribe:list-subscribe:list-id:precedence
         :references:message-id:in-reply-to:subject:cc:to:date:from
         :dkim-signature;
        bh=LhtBH+zVyaq0jwB0WYt/7fS9n7RE1Ufjplzj1peE8As=;
        fh=7Hpk9BiLEhWCkMZZnszVQkRCh4FCFTzwUTZ/rYf3ZuA=;
        b=lvyvxXFiIglwkfX7i92dyPbTWGVuMzechCsSB4lf2dE9rk3CK6+u6ui9npKhXoYCFO
         YsgY50EYlNfcmrZZBIbUHVmbFVsa59IJM8V7uQKSdyDv4ppUxu/hprDaAbFPnHqf934e
         CY73piRtVWEUpzffnReAfCWFMI5UfuFddamZ8t4EJnKLQLxUgJbJcmQJrWOXmGPvsp4W
         2VwHdvcyd+XSzaFbvo1Qpmz1IoGj8+61WsXAgcff8SJw8Gag7kJBieUYTfRT0iRwM3vn
         97UKLB+xtGK5W+/YziUA6JT9nDqgZAYBgLB7SlHvtvSiusRR47ZdHJw0iSGpImV+98v3
         NWdQ==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=mEZA2dnC;
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-kernel+bounces-169199-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-169199-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel+bounces-169199-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id u20-20020a05622a14d400b0043adb3826a8si8237865qtx.113.2024.05.05.16.18.55
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 05 May 2024 16:18:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-169199-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20230601 header.b=mEZA2dnC;
       arc=pass (i=1 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);
       spf=pass (google.com: domain of linux-kernel+bounces-169199-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-169199-linux.lists.archive=gmail.com@vger.kernel.org";
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 974781C20999
	for <linux.lists.archive@gmail.com>; Sun,  5 May 2024 23:18:55 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 15168140387;
	Sun,  5 May 2024 23:18:46 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="mEZA2dnC"
Received: from mail-pf1-f178.google.com (mail-pf1-f178.google.com [209.85.210.178])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id D2A81374CB;
	Sun,  5 May 2024 23:18:43 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.178
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1714951125; cv=none; b=Yh8ZA5LowMKu7SqaQQsQCL9kteJtGDAMW/3h/4DNRm3vsady5sXRpCg9qNSshJt5WOzFcz4Sb6G8Cep1BeGM9//dWuaPFaVc8G6hMxxjPjufNrhJkVNUafLjnwGLjTJJIFVVWH9ANFbaGoG/y3wY14k8Dl4ECa/XZ0mfj9doDoo=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1714951125; c=relaxed/simple;
	bh=QMSm7gaIeCSBJ9AJO+66XOh2Au8JkP9LSoqn5IaB/9A=;
	h=From:Date:To:cc:Subject:In-Reply-To:Message-ID:References:
	 MIME-Version:Content-Type; b=Sxlr4pL7xxxzaQ4CUEHNz/GHR8ngqtbivpd6Sz7C0wTzGqauXiTQGyR0IPvmGBlvXHTR2i3iiiqT3d+Sd3dFfqO1FbnzV0xwX8JLYDG4pxAXa7vZbWpFuclZQ4W1dS0Y6yLfueYzlW6EmdCcz5goztCL5t0shdy2IxzSpgEeqOk=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=mEZA2dnC; arc=none smtp.client-ip=209.85.210.178
Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com
Received: by mail-pf1-f178.google.com with SMTP id d2e1a72fcca58-6f44dc475f4so746396b3a.2;
        Sun, 05 May 2024 16:18:43 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601; t=1714951123; x=1715555923; darn=vger.kernel.org;
        h=mime-version:references:message-id:in-reply-to:subject:cc:to:date
         :from:from:to:cc:subject:date:message-id:reply-to;
        bh=LhtBH+zVyaq0jwB0WYt/7fS9n7RE1Ufjplzj1peE8As=;
        b=mEZA2dnCrxxMvE0DQ+4TjByOI91bTSQQgC10JQMjCIja9epj6oXhfCUghS6YjuFHVn
         B7Ir4HLlDDjST63tz7AKzXIwNTpwe8vDK6b5IIJCGK6GIKZ1WmM/4dl/vXS1DpCfXCOk
         dbPKoQHBLsMcLh1yEZCsYhaw31lH8OfhgDf6Xhs2yN3eVlGZ2eIiqeud24D9zDOx60LB
         Yg2qF38S9L5WnKMeW2MRLoCBrhSTtpK9o+6SflOi7n0WuG0yuBjaIE8lU4ROYusB62Qm
         OFXFzRwiL7Gd4C5/szUPt1Lp3nJyu9dylPIROjA/RUl9Wk8SBd/23TCfyBh1N/g0WfRx
         DOfA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20230601; t=1714951123; x=1715555923;
        h=mime-version:references:message-id:in-reply-to:subject:cc:to:date
         :from:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
        bh=LhtBH+zVyaq0jwB0WYt/7fS9n7RE1Ufjplzj1peE8As=;
        b=Z8IYTV5UnCwV8l5WUH2IOgkmsYbgOjhXUS260gVbsRKD0Wvzf1vb9TzAh6ezgYYlhU
         aCjds4uA+SnxTEigka1R4rXOAZS0HQQnPlHRJ72wvNaVEXghZZ3NPpjhGxrxMXw1aoJA
         Nte/2i8//k9Lku2JTmIw9IcvzLt5jaUTYhqEAuomF2Eu2IaiTlOS7u1AG9y1Fwkco1KF
         txvJgov+DXSNzFRTiraXgXI8d8bEhaMxt5B1Vx0LzBsHfkiALs4jxgS069HLd25mHyxQ
         0AmqtKRBY4apjJvYhlkInR9VxbvNa/7f3ic0MKg3dgffrRsBewv0quNcuDWQgmmfwBa8
         7LBQ==
X-Forwarded-Encrypted: i=1; AJvYcCX9L9adZqq1jjjsYWhApW4P69fD/3cyYQjeekMU8hhIZHZXnWajuzOECcIW6l2tGqMOI+/DTxNhOQ7PBPrIgQb6rSRSQeZ0GpNIXq7OO5NUZAfq2K0suZyo9H7XMcIfKs9m
X-Gm-Message-State: AOJu0YyCbspw0K7noohAD7fDKfAXs9RLT03AJ734vEYkz75h657ApxXk
	UTQTvfZEWB9t90nZYcQ3xpe9p32pWgPK5Fq16DsayHgB38z2WN0K6lQM41Vf
X-Received: by 2002:a05:6a00:3d06:b0:6e7:20a7:9fc0 with SMTP id lo6-20020a056a003d0600b006e720a79fc0mr9987637pfb.34.1714951123078;
        Sun, 05 May 2024 16:18:43 -0700 (PDT)
Received: from [192.168.7.110] ([190.196.101.184])
        by smtp.gmail.com with ESMTPSA id jw12-20020a056a00928c00b006f4669f0b2asm2223562pfb.134.2024.05.05.16.18.41
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 05 May 2024 16:18:42 -0700 (PDT)
From: Camila Alvarez Inostroza <cam.alvarez.i@gmail.com>
X-Google-Original-From: Camila Alvarez Inostroza <calvarez@macbook-pro-de-camila.local>
Date: Sun, 5 May 2024 19:18:39 -0400 (-04)
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
cc: Camila Alvarez <cam.alvarez.i@gmail.com>, 
    Alexei Starovoitov <ast@kernel.org>, 
    Daniel Borkmann <daniel@iogearbox.net>, bpf <bpf@vger.kernel.org>, 
    LKML <linux-kernel@vger.kernel.org>, 
    syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com
Subject: Re: [PATCH] fix array-index-out-of-bounds in
 bpf_prog_select_runtime
In-Reply-To: <CAADnVQ+Y5k0XMytXo9CLGYDUnVNXcgtz+2mTLUdS-yWV7JDjeQ@mail.gmail.com>
Message-ID: <43a0853d-e7f3-702b-e7c4-f360ae1e3a70@macbook-pro-de-camila.local>
References: <20240505014641.203643-1-cam.alvarez.i@gmail.com> <CAADnVQ+Y5k0XMytXo9CLGYDUnVNXcgtz+2mTLUdS-yWV7JDjeQ@mail.gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="0-1612698177-1714951122=:93655"

  This message is in MIME format.  The first part should be readable text,
  while the remaining parts are likely unreadable without MIME-aware tools.

--0-1612698177-1714951122=:93655
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8BIT



On Sun, 5 May 2024, Alexei Starovoitov wrote:

> On Sat, May 4, 2024 at 6:49 PM Camila Alvarez <cam.alvarez.i@gmail.com> wrote:
>>
>> The error indicates that the verifier is letting through a program with
>> a stack depth bigger than 512.
>>
>> This is due to the verifier not checking the stack depth after
>> instruction rewrites are perfomed. For example, the MAY_GOTO instruction
>> adds 8 bytes to the stack, which means that if the stack at the moment
>> was already 512 bytes it would overflow after rewriting the instruction.
>
> This is by design. may_goto and other constructs like bpf_loop
> inlining can consume a few words above 512 limit.
>

Is this the only case where the verifier should allow the stack to go over 
the 512 limit? If that's the case, maybe we could use the extra stack 
depth to store how much the rewrites affect the stack depth? This would 
only be used to obtain the correct interpreter when 
CONFIG_BPF_JIT_ALWAYS_ON is not set.
That would allow choosing the interpreter by considering the stack depth 
before the rewrites.

>> The fix involves adding a stack depth check after all instruction
>> rewrites are performed.
>>
>> Reported-by: syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com
>
> This syzbot report is likely unrelated.
> It says that it bisected it to may_goto, but it has this report
> before may_goto was introduced, so bisection is incorrect.
>
> pw-bot: cr

I can see that may_goto was introduced on march 6th, and the first report 
was on march 13th. Is there any report I'm missing?

>
>> Signed-off-by: Camila Alvarez <cam.alvarez.i@gmail.com>
>> ---
>>  kernel/bpf/verifier.c | 4 ++++
>>  1 file changed, 4 insertions(+)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index 63749ad5ac6b..a9e23b6b8e8f 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -21285,6 +21285,10 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr, __u3
>>         if (ret == 0)
>>                 ret = do_misc_fixups(env);
>>
>> +        /* max stack depth verification must be done after rewrites as well */
>> +        if (ret == 0)
>> +                ret = check_max_stack_depth(env);
>> +
>>         /* do 32-bit optimization after insn patching has done so those patched
>>          * insns could be handled correctly.
>>          */
>> --
>> 2.34.1
>>
>
--0-1612698177-1714951122=:93655--