Skip to content

bpf: Fix tnum_overlap to check for zero mask intersection #6237

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 2 commits into from
Closed

bpf: Fix tnum_overlap to check for zero mask intersection #6237

wants to merge 2 commits into from
+25 −0

Conversation

@kernel-patches-daemon-bpf-rc
Copy link

Pull request for series with
subject: bpf: Fix tnum_overlap to check for zero mask intersection
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: f9db3a3
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: f9db3a3
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 8842732
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 23f852d
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 54c134f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 9f317bd
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 54c134f
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: e2e668b
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: d28c0e4
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 5701d5a
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: ab01bfa
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: e6e10c5
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@mannkafai
bpf: Fix tnum_overlap to check for zero mask intersection
889bbcb 
Syzbot reported a kernel warning due to a range invariant violation in
the BPF verifier. The issue occurs when tnum_overlap() fails to detect
that two tnums don't have any overlapping bits.

The problematic BPF program:
   0: call bpf_get_prandom_u32
   1: r6 = r0
   2: r6 &= 0xFFFFFFFFFFFFFFF0
   3: r7 = r0
   4: r7 &= 0x07
   5: r7 -= 0xFF
   6: if r6 == r7 goto <exit>

After instruction 5, R7 has the range:
   R7: u64=[0xffffffffffffff01, 0xffffffffffffff08] var_off=(0xffffffffffffff00; 0xf)

R6 and R7 don't overlap since they have no agreeing bits. However,
is_branch_taken() fails to recognize this, causing the verifier to
refine register bounds and trigger range bounds violation:

   6: if r6 == r7 goto <exit>
   true_reg1: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0)
   true_reg2: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0)

The root cause is that tnum_overlap() doesn't properly handle the case
where the masks have no overlapping bits.

Fix this by adding an early check for zero mask intersection in tnum_overlap().

Reported-by: [email protected]
Fixes: f41345f ("bpf: Use tnums for JEQ/JNE is_branch_taken logic")
Signed-off-by: KaFai Wan <[email protected]>
Reported-by: [email protected]
@mannkafai
selftests/bpf: Range analysis test case for JEQ
c029dae 
This patch adds coverage for the warning detected by syzkaller and fixed
in the previous patch. Without the previous patch, this test fails with:

  verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds
  violation u64=[0xffffffffffffff01, 0xffffffffffffff00]
  s64=[0xffffffffffffff01, 0xffffffffffffff00]
  u32=[0xffffff01, 0xffffff00] s32=[0xffffff00, 0xffffff00]
  var_off=(0xffffffffffffff00, 0x0)
  verifier bug: REG INVARIANTS VIOLATION (true_reg2): range bounds
  violation u64=[0xffffffffffffff01, 0xffffffffffffff00]
  s64=[0xffffffffffffff01, 0xffffffffffffff00]
  u32=[0xffffff01, 0xffffff00] s32=[0xffffff01, 0xffffff00]
  var_off=(0xffffffffffffff00, 0x0)

Signed-off-by: KaFai Wan <[email protected]>
@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 5dae745
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789
version: 2

@kernel-patches-daemon-bpf-rc
Copy link
Author

At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1016789 expired. Closing PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bpf-next changes-requested V2-ci-fail V2

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mannkafai