From: sashiko-bot@kernel.org
To: "Zhenzhong Wu" <jt26wzz@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH stable 6.6.y v2 1/3] bpf: drop knowledge-losing __reg_combine_{32,64}_into_{64,32} logic
Date: Sun, 07 Jun 2026 17:22:28 +0000 [thread overview]
Message-ID: <20260607172228.E5C0E1F00893@smtp.kernel.org> (raw)
In-Reply-To: <20260607170959.823755-2-jt26wzz@gmail.com>
Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [High] Loss of bounds precision causing false-positive rejections of valid BPF programs due to an incomplete backport.
--
commit 759dc64a1dfbfd0437d50a8eab924162772ab60c
Author: Andrii Nakryiko <andrii@kernel.org>
bpf: drop knowledge-losing __reg_combine_{32,64}_into_{64,32} logic
This commit replaces __reg_combine_32_into_64() and __reg_combine_64_into_32()
with reg_bounds_sync() in the BPF verifier. It aims to prevent information loss
during register boundary synchronization after conditional jumps.
Link: https://lore.kernel.org/r/20231102033759.2541186-10-andrii@kernel.org
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 0d90236d0ad94..5f94bff12aa08 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
[ ... ]
> @@ -14329,13 +14285,13 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
> tnum_subreg(false_32off));
> true_reg->var_off = tnum_or(tnum_clear_subreg(true_64off),
> tnum_subreg(true_32off));
> - __reg_combine_32_into_64(false_reg);
> - __reg_combine_32_into_64(true_reg);
> + reg_bounds_sync(false_reg);
> + reg_bounds_sync(true_reg);
> } else {
> false_reg->var_off = false_64off;
> true_reg->var_off = true_64off;
> - __reg_combine_64_into_32(false_reg);
> - __reg_combine_64_into_32(true_reg);
> + reg_bounds_sync(false_reg);
> + reg_bounds_sync(true_reg);
> }
> }
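Review bot: in the else branch, `reg_bounds_sync(false_reg)` / `reg_bounds_sync(true_reg)` stand in for `__reg_combine_64_into_32()`, which copied the 64-bit bounds into the 32-bit bounds whenever they fit in 32 bits; if the 6.6.y reg_bounds_sync() still derives the u32 bounds only from var_off, that exact copy is lost (the [6, 10] to [0, 15] widening described below), and the same concern applies to the 32-to-64 direction replaced in the if branch. Suggest either backporting the earlier patches of the upstream series (the Link URL is patch 10 of it) that make reg_bounds_sync() derive bounds without that loss, or keeping the two combine calls in this backport, and in either case adding a selftest that checks a tight 64-bit range survives a 32-bit coercion after a conditional jump.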
[Severity: High]
Does this backport drop bounds precision by relying on an older version of
reg_bounds_sync()?
Upstream, this change seems safe because reg_bounds_sync() was rewritten to
perform exact algebraic bounds derivation as part of a larger patch series.
However, in this 6.6.y backport, that bounds derivation engine appears to be
missing.
Without the updated bounds derivation, reg_bounds_sync() still uses the older,
lossy logic that synchronizes 32-bit and 64-bit bounds by intersecting tnum
bitwise masks. For example, a tightly bounded 64-bit range of [6, 10]
translates to a tnum bitmask of 0xF (15). When reg_bounds_sync() derives the
32-bit bound from this tnum, the bound expands to [0, 15]. Before this patch,
__reg_combine_64_into_32() would precisely copy [6, 10].
Could this loss of precision expand the tracked bounds after conditional jumps
and register coercion, causing the verifier to falsely reject valid BPF
programs that rely on tight bounds for safety?
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260607170959.823755-1-jt26wzz@gmail.com?part=1
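The widening the review above describes ([6, 10] turning into [0, 15] once the 32-bit bounds are read back from the tnum) can be reproduced with a small model. The following is an added example, not kernel code and not part of the review or the patch: the function names mirror the verifier's (tnum_range, tnum_subreg, and the two sync strategies), but the bodies are simplified re-implementations that keep only unsigned bounds and known bits, and the register layout and the `derive32()` helper are assumptions made for the illustration.

```c
/* Added example, not kernel code: a minimal model of the BPF verifier's tnum
 * (known-bits) tracking, showing why deriving 32-bit bounds from var_off alone
 * widens a tight 64-bit range while an explicit 64->32 copy keeps it.
 * Names mirror the kernel's; bodies are simplified for this illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define U32_MAX 0xffffffffULL

struct tnum { uint64_t value; uint64_t mask; };  /* bits set in mask are unknown */

/* Smallest tnum covering [min, max], built the way the kernel's tnum_range() does:
 * every bit below the highest differing bit becomes unknown. */
static struct tnum tnum_range(uint64_t min, uint64_t max)
{
    uint64_t chi = min ^ max, delta;
    unsigned bits = 0;                       /* fls64(chi) */

    while (bits < 64 && (chi >> bits))
        bits++;
    if (bits > 63)                           /* 1ULL << 64 is undefined */
        return (struct tnum){ 0, ~0ULL };
    delta = (1ULL << bits) - 1;
    return (struct tnum){ min & ~delta, delta };
}

/* Low 32 bits of a tnum, as tnum_subreg() does. */
static struct tnum tnum_subreg(struct tnum a)
{
    return (struct tnum){ a.value & U32_MAX, a.mask & U32_MAX };
}

/* Assumed register model: unsigned 64-bit and 32-bit bounds plus known bits. */
struct reg {
    uint64_t umin, umax;
    uint32_t u32_min, u32_max;
    struct tnum var_off;
};

/* State after a 64-bit conditional jump narrowed the register to [umin, umax]:
 * var_off is tightened to tnum_range() (as __reg_bound_offset() would do on a
 * previously unknown register) and the 32-bit bounds are left unknown. */
static struct reg after_64bit_cmp(uint64_t umin, uint64_t umax)
{
    struct reg r = { .umin = umin, .umax = umax, .u32_min = 0, .u32_max = U32_MAX };
    r.var_off = tnum_range(umin, umax);
    return r;
}

/* tnum-only path: the 32-bit bounds are whatever the low 32 known bits allow
 * (what an __update_reg32_bounds()-style sync derives). */
static void sync32_from_tnum(struct reg *r)
{
    struct tnum v32 = tnum_subreg(r->var_off);
    uint32_t lo = (uint32_t)v32.value;
    uint32_t hi = (uint32_t)(v32.value | v32.mask);

    if (lo > r->u32_min) r->u32_min = lo;
    if (hi < r->u32_max) r->u32_max = hi;
}

/* The dropped path: if the 64-bit range fits in 32 bits, copy it exactly
 * (the umin/umax half of __reg_combine_64_into_32()), then intersect with the
 * tnum, which can only tighten further. */
static void sync32_by_copy(struct reg *r)
{
    if (r->umax <= U32_MAX) {                /* umin <= umax, so both fit */
        r->u32_min = (uint32_t)r->umin;
        r->u32_max = (uint32_t)r->umax;
    }
    sync32_from_tnum(r);
}

/* Assumed helper: narrow a fresh register to [umin, umax] and run one strategy. */
static struct reg derive32(uint64_t umin, uint64_t umax, bool copy_first)
{
    struct reg r = after_64bit_cmp(umin, umax);

    if (copy_first)
        sync32_by_copy(&r);
    else
        sync32_from_tnum(&r);
    return r;
}

int main(void)
{
    struct reg a = derive32(6, 10, false), b = derive32(6, 10, true);
    struct reg c = derive32(8, 15, false);   /* power-of-two aligned: tnum is exact */

    printf("tnum for [6,10]: value=%#llx mask=%#llx\n",
           (unsigned long long)a.var_off.value, (unsigned long long)a.var_off.mask);
    printf("tnum-only sync: u32 in [%u, %u]\n", a.u32_min, a.u32_max);   /* [0, 15] */
    printf("64->32 copy:    u32 in [%u, %u]\n", b.u32_min, b.u32_max);   /* [6, 10] */
    printf("tnum-only sync for [8,15]: u32 in [%u, %u]\n", c.u32_min, c.u32_max);
    return 0;
}
```

The third case shows the limit of the tnum representation: a range aligned to a power of two ([8, 15]) is recovered exactly from the known bits, whereas [6, 10] is not, so whether the backport loses precision depends on which 6.6.y reg_bounds_sync() the patch lands on, exactly the question the review raises.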
Thread overview (8+ messages):
2026-06-07 17:09 [PATCH stable 6.6.y v2 0/3] bpf: backport scalar not-equal tracking fixes Zhenzhong Wu
2026-06-07 17:09 ` [PATCH stable 6.6.y v2 1/3] bpf: drop knowledge-losing __reg_combine_{32,64}_into_{64,32} logic Zhenzhong Wu
2026-06-07 17:22 ` sashiko-bot [this message]
2026-06-07 17:09 ` [PATCH stable 6.6.y v2 2/3] bpf: make the verifier tracks the "not equal" for regs Zhenzhong Wu
2026-06-07 17:09 ` [PATCH stable 6.6.y v2 3/3] selftests/bpf: add helper retval linked scalar pruning test Zhenzhong Wu
2026-06-08 10:11 ` [PATCH stable 6.6.y v2 0/3] bpf: backport scalar not-equal tracking fixes Shung-Hsi Yu
2026-06-10 15:46 ` Zhenzhong Wu
2026-06-11 6:47 ` Shung-Hsi Yu