X-Mailing-List: linux-kernel@vger.kernel.org
References: <20240505014641.203643-1-cam.alvarez.i@gmail.com> <43a0853d-e7f3-702b-e7c4-f360ae1e3a70@macbook-pro-de-camila.local>
In-Reply-To: <43a0853d-e7f3-702b-e7c4-f360ae1e3a70@macbook-pro-de-camila.local>
From: Alexei Starovoitov
Date: Mon, 6 May 2024 16:35:55 -0700
Subject: Re: [PATCH] fix array-index-out-of-bounds in bpf_prog_select_runtime
To: Camila Alvarez Inostroza
Cc:
Alexei Starovoitov, Daniel Borkmann, bpf, LKML, syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com

On Sun, May 5, 2024 at 4:18 PM Camila Alvarez Inostroza wrote:
>
> On Sun, 5 May 2024, Alexei Starovoitov wrote:
>
> > On Sat, May 4, 2024 at 6:49 PM Camila Alvarez wrote:
> >>
> >> The error indicates that the verifier is letting through a program with
> >> a stack depth bigger than 512.
> >>
> >> This is due to the verifier not checking the stack depth after
> >> instruction rewrites are performed. For example, the MAY_GOTO instruction
> >> adds 8 bytes to the stack, which means that if the stack at the moment
> >> was already 512 bytes it would overflow after rewriting the instruction.
> >
> > This is by design. may_goto and other constructs like bpf_loop
> > inlining can consume a few words above 512 limit.
> >
>
> Is this the only case where the verifier should allow the stack to go over
> the 512 limit? If that's the case, maybe we could use the extra stack
> depth to store how much the rewrites affect the stack depth? This would
> only be used to obtain the correct interpreter when
> CONFIG_BPF_JIT_ALWAYS_ON is not set.
> That would allow choosing the interpreter by considering the stack depth
> before the rewrites.
>
> >> The fix involves adding a stack depth check after all instruction
> >> rewrites are performed.
> >>
> >> Reported-by: syzbot+d2a2c639d03ac200a4f1@syzkaller.appspotmail.com
> >
> > This syzbot report is likely unrelated.
> > It says that it bisected it to may_goto, but it has this report
> > before may_goto was introduced, so bisection is incorrect.
> >
> > pw-bot: cr
>
> I can see that may_goto was introduced on March 6th, and the first report
> was on March 13th. Is there any report I'm missing?

Could you please craft a selftest for this issue then?
It will be much easier to reason about the fix.
We can either add another interpreter to interpreters_args[] or just gate may_goto with prog->jit_requested.
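Added example, not code from this thread or from the kernel: a user-space C model of the failure the report describes and of the two options above. The verifier checks the stack depth against 512 before instruction rewrites, a may_goto rewrite then grows the frame by 8 bytes (the figure given in the quoted patch description), and the interpreter is chosen afterwards by indexing a table with the grown depth. The 16-entry table and the round_up(depth, 32) / 32 - 1 index are modeled on the interpreter table in kernel/bpf/core.c; every function name below, and the way the two options are expressed as checks, is an assumption made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_BPF_STACK   512
#define STACK_STEP      32
#define NR_INTERPRETERS (MAX_BPF_STACK / STACK_STEP) /* 16 entries: 32, 64, ..., 512 */
#define MAY_GOTO_EXTRA  8 /* bytes the may_goto rewrite adds, per the patch description */

/* round_up(v, 32) for a power-of-two step, as the kernel macro computes it. */
static uint32_t round_up_step(uint32_t v)
{
    return (v + STACK_STEP - 1) & ~(uint32_t)(STACK_STEP - 1);
}

/*
 * Table index for a given stack depth, modeled on the selection in
 * kernel/bpf/core.c: depth 1..32 -> 0, ..., 481..512 -> 15. Anything above
 * 512 yields 16 or more, which has no entry in a 16-slot table.
 */
static int interp_index(uint32_t stack_depth)
{
    if (stack_depth == 0)
        stack_depth = 1;
    return (int)(round_up_step(stack_depth) / STACK_STEP) - 1;
}

/* Depth the program actually needs once rewrites have been applied. */
static uint32_t depth_after_rewrites(uint32_t verified_depth, bool uses_may_goto)
{
    return verified_depth + (uses_may_goto ? MAY_GOTO_EXTRA : 0);
}

/*
 * Interpreter selection as the bug report describes it: the verifier checked
 * verified_depth <= 512 before rewrites, but the table is indexed afterwards.
 * Returns the slot, or -1 where the real code would index past the table.
 */
static int select_interpreter(uint32_t verified_depth, bool uses_may_goto, int table_size)
{
    if (verified_depth > MAX_BPF_STACK)
        return -1; /* the verifier already rejects this case */
    int idx = interp_index(depth_after_rewrites(verified_depth, uses_may_goto));
    return idx < table_size ? idx : -1;
}

/*
 * Option A from the thread (assumed shape): refuse may_goto unless the
 * program will be JITed, so the interpreter table is never indexed with
 * the grown depth.
 */
static bool verify_gated(uint32_t verified_depth, bool uses_may_goto, bool jit_requested)
{
    if (verified_depth > MAX_BPF_STACK)
        return false;
    if (uses_may_goto && !jit_requested)
        return false;
    return true;
}

/*
 * Option B from the thread (assumed shape): one more table entry, a 544-byte
 * variant, so that 512 + 8 still lands on a valid slot.
 */
static int select_with_extra_entry(uint32_t verified_depth, bool uses_may_goto)
{
    return select_interpreter(verified_depth, uses_may_goto, NR_INTERPRETERS + 1);
}

int main(void)
{
    /* Constructed scenario from the report: depth exactly 512 plus a may_goto rewrite. */
    printf("512 bytes, no rewrite  -> slot %d\n", select_interpreter(512, false, NR_INTERPRETERS));
    printf("512 bytes + may_goto   -> slot %d (out of bounds)\n", select_interpreter(512, true, NR_INTERPRETERS));
    printf("gated, interpreter     -> %s\n", verify_gated(512, true, false) ? "accepted" : "rejected");
    printf("gated, JIT requested   -> %s\n", verify_gated(512, true, true) ? "accepted" : "rejected");
    printf("17-entry table         -> slot %d\n", select_with_extra_entry(512, true));
    return 0;
}
```

The model makes the arithmetic of the report concrete: a frame of exactly 512 bytes rounds to slot 15, the last valid one, while 520 bytes rounds to 544 and slot 16. A check on the depth before rewrites cannot catch that, which is why the thread discusses either keeping may_goto programs off the interpreter path or sizing the table for the overrun.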