[PATCH bpf] bpf: take into account liveness when propagating precision

[PATCH bpf] bpf: take into account liveness when propagating precision

[Andrii Nakryiko]

When doing state comparison, if old state has register that is not
marked as REG_LIVE_READ, then we just skip comparison, regardless what's
the state of corresponing register in current state. This is because not
REG_LIVE_READ register is irrelevant for further program execution and
correctness. All good here.

But when we get to precision propagation, after two states were declared
equivalent, we don't take into account old register's liveness, and thus
attempt to propagate precision for register in current state even if
that register in old state was not REG_LIVE_READ anymore. This is bad,
because register in current state could be anything at all and this
could cause -EFAULT due to internal logic bugs.

Fix by taking into account REG_LIVE_READ liveness mark to keep the logic
in state comparison in sync with precision propagation.

Fixes: a3ce685dd01a ("bpf: fix precision tracking")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
---
 kernel/bpf/verifier.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 272563a0b770..c847266d523b 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -14201,7 +14201,8 @@ static int propagate_precision(struct bpf_verifier_env *env,
 		state_reg = state->regs;
 		for (i = 0; i < BPF_REG_FP; i++, state_reg++) {
 			if (state_reg->type != SCALAR_VALUE ||
-			    !state_reg->precise)
+			    !state_reg->precise ||
+			    !(state_reg->live & REG_LIVE_READ))
 				continue;
 			if (env->log.level & BPF_LOG_LEVEL2)
 				verbose(env, "frame %d: propagating r%d\n", i, fr);
@@ -14215,7 +14216,8 @@ static int propagate_precision(struct bpf_verifier_env *env,
 				continue;
 			state_reg = &state->stack[i].spilled_ptr;
 			if (state_reg->type != SCALAR_VALUE ||
-			    !state_reg->precise)
+			    !state_reg->precise ||
+			    !(state_reg->live & REG_LIVE_READ))
 				continue;
 			if (env->log.level & BPF_LOG_LEVEL2)
 				verbose(env, "frame %d: propagating fp%d\n",
-- 
2.34.1

Re: [PATCH bpf] bpf: take into account liveness when propagating precision

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to bpf/bpf-next.git (master)
by Alexei Starovoitov <ast@kernel.org>:

On Thu, 9 Mar 2023 14:41:31 -0800 you wrote:
> When doing state comparison, if old state has register that is not
> marked as REG_LIVE_READ, then we just skip comparison, regardless what's
> the state of corresponing register in current state. This is because not
> REG_LIVE_READ register is irrelevant for further program execution and
> correctness. All good here.
> 
> But when we get to precision propagation, after two states were declared
> equivalent, we don't take into account old register's liveness, and thus
> attempt to propagate precision for register in current state even if
> that register in old state was not REG_LIVE_READ anymore. This is bad,
> because register in current state could be anything at all and this
> could cause -EFAULT due to internal logic bugs.
> 
> [...]

Here is the summary with links:
  - [bpf] bpf: take into account liveness when propagating precision
    https://git.kernel.org/bpf/bpf-next/c/52c2b005a3c1

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html