From: Stanislav Fomichev <sdf@fomichev.me>
To: Zac Ecob <zacecob@protonmail.com>
Cc: "bpf@vger.kernel.org" <bpf@vger.kernel.org>
Subject: Re: Fixing coerce_subreg_to_size_sx invalidly setting reg->umax_value
Date: Thu, 11 Jul 2024 18:16:05 -0700 [thread overview]
Message-ID: <ZpCD1fDXkr7wLGhZ@mini-arch> (raw)
In-Reply-To: <h3qKLDEO6m9nhif0eAQX4fVrqdO0D_OPb0y5HfMK9jBePEKK33wQ3K-bqSVnr0hiZdFZtSJOsbNkcEQGpv_yJk61PAAiO8fUkgMRSO-lB50=@protonmail.com>
On 07/11, Zac Ecob wrote:
> Hi,
>
> My fuzzer recently found another bug, in which `reg->umax_value` is being invalidly set in regards to sign extensions.
>
> The lines below contain the bug:
> ```
> reg->umin_value = reg->u32_min_value = s64_min;
> reg->umax_value = reg->u32_max_value = s64_max;
> ```
>
> If `s64_min` / `s64_max` are negative values here, they correctly cast when assigning to the u32 values. However, when assigned to `umin_value` / `umax_value`, it seems there is an implicit (u32) cast applied, causing the top 32 bits to not be set.
>
>
> I've attached the files to reproduce, as well as the patch file, based off of 6.10-rc4 - albeit this is my first patch so I'd appreciate someone checking it's formatted fine.
>
> Thanks.
> From da5ef523f7cd018f3f0991454a18bc961ea1abba Mon Sep 17 00:00:00 2001
> From: Zac Ecob <zacecob@protonmail.com>
> Date: Thu, 11 Jul 2024 17:41:55 +1000
> Subject: [PATCH] Fixed sign-extension issue in coerce_subreg_to_size_sx
>
> ---
> kernel/bpf/verifier.c | 10 ++++++++--
> 1 file changed, 8 insertions(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 010a6eb864dc..eccf3ac8996a 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -6213,8 +6213,14 @@ static void coerce_reg_to_size_sx(struct bpf_reg_state *reg, int size)
> if ((s64_max >= 0) == (s64_min >= 0)) {
> reg->smin_value = reg->s32_min_value = s64_min;
> reg->smax_value = reg->s32_max_value = s64_max;
> - reg->umin_value = reg->u32_min_value = s64_min;
> - reg->umax_value = reg->u32_max_value = s64_max;
> +
> + // Cannot chain assignments, like reg->umax_val = reg->u32_max_val = (signed input)
> + // Because of the implicit cast leading to reg->umax_val not being properly set for negative numbers
Pls use /* */ comments instead, use [PATCH bpf] subject in a followup and
try to find a commit that introduced the problem to mention it in the
'Fixes:' tag.
Also, instead of your custom reproducer, can you add a small reproducer
to the test_verifier.c (tools/testing/selftests/bpf/verifier/**) to
demonstrate the issue and avoid similar regressions in the future?
> + reg->u32_min_value = s64_min;
> + reg->u32_max_value = s64_max;
> + reg->umin_value = s64_min;
> + reg->umax_value = s64_max;
> +
> reg->var_off = tnum_range(s64_min, s64_max);
> return;
> }
> --
> 2.30.2
>
prev parent reply other threads:[~2024-07-12 1:16 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-11 8:07 Fixing coerce_subreg_to_size_sx invalidly setting reg->umax_value Zac Ecob
2024-07-12 1:16 ` Stanislav Fomichev [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZpCD1fDXkr7wLGhZ@mini-arch \
--to=sdf@fomichev.me \
--cc=bpf@vger.kernel.org \
--cc=zacecob@protonmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.