From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mx0b-00082601.pphosted.com (mx0b-00082601.pphosted.com [67.231.153.30]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A01D131 for ; Fri, 1 Dec 2023 10:34:17 -0800 (PST) Received: from pps.filterd (m0109332.ppops.net [127.0.0.1]) by mx0a-00082601.pphosted.com (8.17.1.19/8.17.1.19) with ESMTP id 3B1IBZTJ027008 for ; Fri, 1 Dec 2023 10:34:16 -0800 Received: from mail.thefacebook.com ([163.114.132.120]) by mx0a-00082601.pphosted.com (PPS) with ESMTPS id 3uq7jsvgt9-11 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT) for ; Fri, 01 Dec 2023 10:34:16 -0800 Received: from twshared19681.14.frc2.facebook.com (2620:10d:c085:108::4) by mail.thefacebook.com (2620:10d:c085:11d::8) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.34; Fri, 1 Dec 2023 10:34:09 -0800 Received: by devbig019.vll3.facebook.com (Postfix, from userid 137359) id 6B63C3C6DB48E; Fri, 1 Dec 2023 10:34:06 -0800 (PST) From: Andrii Nakryiko To: , , , CC: , , Eduard Zingerman , Shung-Hsi Yu Subject: [PATCH v4 bpf-next 03/11] bpf: enforce precision of R0 on callback return Date: Fri, 1 Dec 2023 10:33:51 -0800 Message-ID: <20231201183359.1769668-4-andrii@kernel.org> X-Mailer: git-send-email 2.34.1 In-Reply-To: <20231201183359.1769668-1-andrii@kernel.org> References: <20231201183359.1769668-1-andrii@kernel.org> Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-FB-Internal: Safe Content-Type: text/plain X-Proofpoint-GUID: 8xzM0yRgH0-D_Eo7-AAExXiREMyFxumH X-Proofpoint-ORIG-GUID: 8xzM0yRgH0-D_Eo7-AAExXiREMyFxumH X-Proofpoint-Virus-Version: vendor=baseguard engine=ICAP:2.0.272,Aquarius:18.0.997,Hydra:6.0.619,FMLib:17.11.176.26 definitions=2023-12-01_16,2023-11-30_01,2023-05-22_02 Given verifier checks actual value, r0 has to be precise, so we need to propagate precision properly. r0 also has to be marked as read, otherwise subsequent state comparisons will ignore such register as unimportant and precision won't really help here. Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") Acked-by: Eduard Zingerman Acked-by: Shung-Hsi Yu Signed-off-by: Andrii Nakryiko --- kernel/bpf/verifier.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 25b9d470957e..849fbf47b5f3 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9590,6 +9590,13 @@ static int prepare_func_exit(struct bpf_verifier_e= nv *env, int *insn_idx) verbose(env, "R0 not a scalar value\n"); return -EACCES; } + + /* we are going to rely on register's precise value */ + err =3D mark_reg_read(env, r0, r0->parent, REG_LIVE_READ64); + err =3D err ?: mark_chain_precision(env, BPF_REG_0); + if (err) + return err; + if (!tnum_in(range, r0->var_off)) { verbose_invalid_scalar(env, r0, &range, "callback return", "R0"); return -EINVAL; --=20 2.34.1