From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Maxim Mikityanskiy <maximmi@nvidia.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Ovidiu Panait <ovidiu.panait@windriver.com>
Subject: [PATCH 4.14 03/61] bpf: Fix the off-by-two error in range markings
Date: Tue, 13 Sep 2022 16:07:05 +0200 [thread overview]
Message-ID: <20220913140346.623139487@linuxfoundation.org> (raw)
In-Reply-To: <20220913140346.422813036@linuxfoundation.org>
From: Maxim Mikityanskiy <maximmi@nvidia.com>
commit 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 upstream.
The first commit cited below attempts to fix the off-by-one error that
appeared in some comparisons with an open range. Due to this error,
arithmetically equivalent pieces of code could get different verdicts
from the verifier, for example (pseudocode):
// 1. Passes the verifier:
if (data + 8 > data_end)
return early
read *(u64 *)data, i.e. [data; data+7]
// 2. Rejected by the verifier (should still pass):
if (data + 7 >= data_end)
return early
read *(u64 *)data, i.e. [data; data+7]
The attempted fix, however, shifts the range by one in a wrong
direction, so the bug not only remains, but also such piece of code
starts failing in the verifier:
// 3. Rejected by the verifier, but the check is stricter than in #1.
if (data + 8 >= data_end)
return early
read *(u64 *)data, i.e. [data; data+7]
The change performed by that fix converted an off-by-one bug into
off-by-two. The second commit cited below added the BPF selftests
written to ensure than code chunks like #3 are rejected, however,
they should be accepted.
This commit fixes the off-by-two error by adjusting new_range in the
right direction and fixes the tests by changing the range into the
one that should actually fail.
Fixes: fb2a311a31d3 ("bpf: fix off by one for range markings with L{T, E} patterns")
Fixes: b37242c773b2 ("bpf: add test cases to bpf selftests to cover all access tests")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20211130181607.593149-1-maximmi@nvidia.com
[OP: only cherry-pick selftest changes applicable to 4.14]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/bpf/test_verifier.c | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -7438,10 +7438,10 @@ static struct bpf_test tests[] = {
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
offsetof(struct xdp_md, data_end)),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
- BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
BPF_JMP_REG(BPF_JGT, BPF_REG_3, BPF_REG_1, 1),
BPF_JMP_IMM(BPF_JA, 0, 0, 1),
- BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -6),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
@@ -7494,10 +7494,10 @@ static struct bpf_test tests[] = {
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
offsetof(struct xdp_md, data_end)),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
- BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
BPF_JMP_REG(BPF_JLT, BPF_REG_1, BPF_REG_3, 1),
BPF_JMP_IMM(BPF_JA, 0, 0, 1),
- BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -6),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
@@ -7603,9 +7603,9 @@ static struct bpf_test tests[] = {
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
offsetof(struct xdp_md, data_end)),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
- BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
BPF_JMP_REG(BPF_JGE, BPF_REG_1, BPF_REG_3, 1),
- BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -6),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
@@ -7770,9 +7770,9 @@ static struct bpf_test tests[] = {
BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1,
offsetof(struct xdp_md, data_end)),
BPF_MOV64_REG(BPF_REG_1, BPF_REG_2),
- BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 8),
+ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 6),
BPF_JMP_REG(BPF_JLE, BPF_REG_3, BPF_REG_1, 1),
- BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -8),
+ BPF_LDX_MEM(BPF_DW, BPF_REG_0, BPF_REG_1, -6),
BPF_MOV64_IMM(BPF_REG_0, 0),
BPF_EXIT_INSN(),
},
next prev parent reply other threads:[~2022-09-13 17:52 UTC|newest]
Thread overview: 65+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-13 14:07 [PATCH 4.14 00/61] 4.14.293-rc1 review Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 01/61] bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 02/61] selftests/bpf: Fix test_align verifier log patterns Greg Kroah-Hartman
2022-09-13 14:07 ` Greg Kroah-Hartman [this message]
2022-09-13 14:07 ` [PATCH 4.14 04/61] drm/msm/dsi: Fix number of regulators for msm8996_dsi_cfg Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 05/61] platform/x86: pmc_atom: Fix SLP_TYPx bitfield mask Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 06/61] wifi: cfg80211: debugfs: fix return type in ht40allow_map_read() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 07/61] ethernet: rocker: fix sleep in atomic context bug in neigh_timer_handler Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 08/61] kcm: fix strp_init() order and cleanup Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 09/61] serial: fsl_lpuart: RS485 RTS polariy is inverse Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 10/61] staging: rtl8712: fix use after free bugs Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 11/61] vt: Clear selection before changing the font Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 12/61] USB: serial: ftdi_sio: add Omron CS1W-CIF31 device id Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 13/61] binder: fix UAF of ref->proc caused by race condition Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 14/61] drm/i915/reg: Fix spelling mistake "Unsupport" -> "Unsupported" Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 15/61] Input: rk805-pwrkey - fix module autoloading Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 16/61] hwmon: (gpio-fan) Fix array out of bounds access Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 17/61] thunderbolt: Use the actual buffer in tb_async_error() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 18/61] xhci: Add grace period after xHC start to prevent premature runtime suspend Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 19/61] USB: serial: cp210x: add Decagon UCA device id Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 20/61] USB: serial: option: add support for OPPO R11 diag port Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 21/61] USB: serial: option: add Quectel EM060K modem Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 22/61] USB: serial: option: add support for Cinterion MV32-WA/WB RmNet mode Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 23/61] usb: dwc2: fix wrong order of phy_power_on and phy_init Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 24/61] USB: cdc-acm: Add Icom PMR F3400 support (0c26:0020) Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 25/61] usb-storage: Add ignore-residue quirk for NXP PN7462AU Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 26/61] s390/hugetlb: fix prepare_hugepage_range() check for 2 GB hugepages Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 27/61] s390: fix nospec table alignments Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 28/61] USB: core: Prevent nested device-reset calls Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 29/61] usb: gadget: mass_storage: Fix cdrom data transfers on MAC-OS Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 30/61] wifi: mac80211: Dont finalize CSA in IBSS mode if state is disconnected Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 31/61] net: mac802154: Fix a condition in the receive path Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 32/61] ALSA: seq: oss: Fix data-race for max_midi_devs access Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 33/61] ALSA: seq: Fix data-race at module auto-loading Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 34/61] efi: capsule-loader: Fix use-after-free in efi_capsule_write Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 35/61] wifi: iwlegacy: 4965: corrected fix for potential off-by-one overflow in il4965_rs_fill_link_cmd() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 36/61] fs: only do a memory barrier for the first set_buffer_uptodate() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 37/61] Revert "mm: kmemleak: take a full lowmem check in kmemleak_*_phys()" Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 38/61] drm/amdgpu: Check num_gfx_rings for gfx v9_0 rb setup Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 39/61] drm/radeon: add a force flush to delay work when radeon Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 40/61] parisc: ccio-dma: Handle kmalloc failure in ccio_init_resources() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 41/61] parisc: Add runtime check to prevent PA2.0 kernels on PA1.x machines Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 42/61] arm64/signal: Raise limit on stack frames Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 43/61] fbdev: chipsfb: Add missing pci_disable_device() in chipsfb_pci_init() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 44/61] ALSA: emu10k1: Fix out of bounds access in snd_emu10k1_pcm_channel_alloc() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 45/61] ALSA: aloop: Fix random zeros in capture data when using jiffies timer Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 46/61] ALSA: usb-audio: Fix an out-of-bounds bug in __snd_usb_parse_audio_interface() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 47/61] kprobes: Prohibit probes in gate area Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 48/61] scsi: mpt3sas: Fix use-after-free warning Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 49/61] driver core: Dont probe devices after bus_type.match() probe deferral Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 50/61] netfilter: br_netfilter: Drop dst references before setting Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 51/61] netfilter: nf_conntrack_irc: Fix forged IP logic Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 52/61] sch_sfb: Dont assume the skb is still around after enqueueing to child Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 53/61] tipc: fix shift wrapping bug in map_get() Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 54/61] ipv6: sr: fix out-of-bounds read when setting HMAC data Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 55/61] tcp: fix early ETIMEDOUT after spurious non-SACK RTO Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 56/61] sch_sfb: Also store skb len before calling child enqueue Greg Kroah-Hartman
2022-09-13 14:07 ` [PATCH 4.14 57/61] usb: dwc3: fix PHY disable sequence Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.14 58/61] USB: serial: ch341: fix lost character on LCR updates Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.14 59/61] USB: serial: ch341: fix disabled rx timer on older devices Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.14 60/61] MIPS: loongson32: ls1c: Fix hang during startup Greg Kroah-Hartman
2022-09-13 14:08 ` [PATCH 4.14 61/61] SUNRPC: use _bh spinlocking on ->transport_lock Greg Kroah-Hartman
2022-09-14 12:37 ` [PATCH 4.14 00/61] 4.14.293-rc1 review Naresh Kamboju
2022-09-14 15:26 ` Jon Hunter
2022-09-15 0:15 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220913140346.623139487@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=maximmi@nvidia.com \
--cc=ovidiu.panait@windriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.