From: Tristan Madani
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko
Cc: Eduard Zingerman, Xu Kuohai, Jiri Olsa, John Fastabend, Martin KaFai Lau, bpf@vger.kernel.org, stable@vger.kernel.org, tristan@talencesecurity.com
Subject: [PATCH bpf v3 2/2] selftests/bpf: Add test for stale bounds on LSM retval context load
Date: Mon, 22 Jun 2026 23:01:23 +0000
Message-ID: <20260622230123.3695446-3-tristmd@gmail.com>
In-Reply-To: <20260622230123.3695446-1-tristmd@gmail.com>
References: <20260622230123.3695446-1-tristmd@gmail.com>
X-Mailing-List: bpf@vger.kernel.org

Add a verifier test that catches the stale-bounds issue fixed in the
previous patch. The test sets r6 = 0 to create known bounds, then loads
the LSM hook return value into r6 from the context. Without the fix, the
verifier intersects the retval range with the stale bounds and
incorrectly narrows r6 to a single value, pruning the fall-through
branch as dead code and missing the div-by-zero.

Suggested-by: Eduard Zingerman
Signed-off-by: Tristan Madani
---
 tools/testing/selftests/bpf/progs/verifier_lsm.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_lsm.c b/tools/testing/selftests/bpf/progs/verifier_lsm.c
index 2f8103bfa14e..c724bf389f5c 100644
--- a/tools/testing/selftests/bpf/progs/verifier_lsm.c
+++ b/tools/testing/selftests/bpf/progs/verifier_lsm.c
@@ -197,4 +197,19 @@ int BPF_PROG(sleepable_lsm_cgroup) return 0; } +SEC("lsm/file_mprotect") +__description("lsm retval load must reset stale register bounds") +__failure __msg("div by zero") +__naked int retval_load_resets_bounds(void *ctx) +{ + asm volatile ( + "r6 = 0;" + "r6 = *(u64 *)(r1 + 24);" + "if r6 == 0 goto +1;" + "r6 /= 0;" + "r0 = 0;" + "exit;" + ::: __clobber_all); +} + char _license[] SEC("license") = "GPL"; -- 2.47.3
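Review bot: the load `r6 = *(u64 *)(r1 + 24);` carries a bare offset with no comment saying it is the hook's return-value slot in the context (offset 24 is the fourth u64, after file_mprotect's three arguments), and the preceding `r6 = 0;` reads as a pointless store unless the reader already knows it is there to seed the stale [0,0] bounds the test is about. Add a short comment on each line, e.g. `/* known bounds that must not survive the ctx load */` above `r6 = 0;` and `/* retval slot of the 3-arg hook */` on the load, so the test remains understandable without the commit message; the `__description` string alone does not say why the store precedes the load, and a future reader simplifying the test could drop the store and silently lose the regression coverage.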
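The commit message describes the verifier narrowing r6 to a single value because the retval range was intersected with bounds left over from `r6 = 0`. The following is an added illustration, not code from the patch, the selftest, or the kernel verifier: a deliberately simplified model of signed register bounds that replays the test's instruction sequence with both the buggy behaviour (intersect on top of stale bounds) and the fixed behaviour (reset the destination register before applying the retval range). The retval range [-4095, 0], the struct and all function names are assumptions made for the example.

```c
/* Added example: a toy model of BPF verifier register bounds, NOT the
 * kernel's verifier code. It replays the test program's sequence
 *   r6 = 0; r6 = <ctx retval>; if r6 == 0 goto +1; r6 /= 0;
 * and shows why a context load must discard the destination register's
 * old bounds before the hook's return-value range is applied.
 */
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed retval range for the LSM hook; the page does not state the
 * exact range the kernel uses, so this is an assumption for the model. */
#define RETVAL_MIN (-4095L)
#define RETVAL_MAX 0L

struct reg_bounds {
	long smin;
	long smax;
};

/* r = imm: the register is exactly known. */
static void mark_known(struct reg_bounds *r, long v)
{
	r->smin = v;
	r->smax = v;
}

/* Forget everything about the register's value. */
static void mark_unknown(struct reg_bounds *r)
{
	r->smin = LONG_MIN;
	r->smax = LONG_MAX;
}

/* Narrow r to r ∩ [lo, hi]. */
static void intersect(struct reg_bounds *r, long lo, long hi)
{
	if (lo > r->smin)
		r->smin = lo;
	if (hi < r->smax)
		r->smax = hi;
}

/* Buggy load: applies the retval range on top of whatever bounds the
 * register already carried, so a prior "r6 = 0" survives the load. */
static void load_retval_buggy(struct reg_bounds *r)
{
	intersect(r, RETVAL_MIN, RETVAL_MAX);
}

/* Fixed load: a load overwrites the register, so its old bounds are
 * irrelevant and must be dropped before the retval range is applied. */
static void load_retval_fixed(struct reg_bounds *r)
{
	mark_unknown(r);
	intersect(r, RETVAL_MIN, RETVAL_MAX);
}

/* Bounds of r6 right after the context load, for either model. */
struct reg_bounds bounds_after_retval_load(bool with_fix)
{
	struct reg_bounds r6;

	mark_known(&r6, 0);		/* r6 = 0 (stale known bounds) */
	if (with_fix)
		load_retval_fixed(&r6);	/* r6 = *(u64 *)(r1 + 24) */
	else
		load_retval_buggy(&r6);
	return r6;
}

/* "if r6 == 0 goto +1": the fall-through path, which holds "r6 /= 0",
 * is only analyzed if r6 may hold a value other than 0. Returns true
 * when the model would reach (and reject) the div-by-zero. */
bool verifier_reaches_div_by_zero(bool with_fix)
{
	struct reg_bounds r6 = bounds_after_retval_load(with_fix);

	return !(r6.smin == 0 && r6.smax == 0);
}

int main(void)
{
	bool fix;

	for (fix = false; ; fix = true) {
		struct reg_bounds b = bounds_after_retval_load(fix);

		printf("%s fix: r6 in [%ld, %ld], div-by-zero %s\n",
		       fix ? "with   " : "without", b.smin, b.smax,
		       verifier_reaches_div_by_zero(fix) ?
		       "reached and rejected" : "pruned as dead code");
		if (fix)
			break;
	}
	return 0;
}
```

Without the fix the model leaves r6 at [0, 0], the conditional jump is always taken, and the division is never examined; with the fix r6 becomes [-4095, 0], the fall-through is live, and the `r6 /= 0` is reached, which is the "div by zero" rejection the selftest's `__msg` expects.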