Re: [PATCH RFC bpf-next 1/7] bpf/verifier: Use intersection checks when simulating to detect dead branches

[sashiko-bot@kernel.org]

Sashiko AI review found 1 potential issue(s):
- [Critical] Returning early from `reg_bounds_sync` on `!reg_bounds_intersect(reg)` masks verifier soundness bugs and turns them into exploitable branch-pruning vulnerabilities.
--

commit 6f55ebe5b292297be4b3fa774e1c6b87de6d0862
Author: Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>

bpf/verifier: Use intersection checks when simulating to detect dead branches

This commit introduces a new check to detect if register bounds across
domains (u64, s64, u32, s32, tnum) have an intersection. It uses this new
check to prune dead branches and to exit early during register bounds
synchronization.

> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 9e4980128151b..1d5d2b7e5140b 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c

[ ... ]

> @@ -2345,12 +2345,15 @@ static void __reg_bound_offset(struct bpf_reg_state *reg)
>  static void reg_bounds_sync(struct bpf_reg_state *reg)
>  {
> -	/* If the input reg_state is invalid, we can exit early */
> -	if (range_bounds_violation(reg))
> +	/* If the input reg_state has no intersection between abstract values, it is
> +	 * invalid. We can exit early, ensuring that subsequent operations don't
> +	 * inadvertently fix the reg_state.
> +	 */
> +	if (!reg_bounds_intersect(reg))
>  		return;

Does returning early from reg_bounds_sync() here mask verifier soundness
bugs and potentially turn them into exploitable branch-pruning regressions?

If a buggy arithmetic operation produces a register state with disjoint
domains (e.g., conflicting u32 and u64 bounds) but does not immediately
have a min > max within a single domain, reg_bounds_intersect() will
return false.

This causes reg_bounds_sync() to exit early, explicitly skipping
__update_reg_bounds() and __reg_deduce_bounds().

Before this patch, running those deduction functions on disjoint domains
would cross-constrain the bounds and naturally produce a state with
min > max (range_bounds_violation). This explicit violation would
subsequently trigger a verifier panic in reg_bounds_sanity_check(),
safely rejecting the broken program.

By skipping the deduction, the state retains its logically impossible
disjoint domains but avoids generating a range_bounds_violation. Because
reg_bounds_sanity_check() was not updated to also fail when
!reg_bounds_intersect() is true, the broken state silently passes all
verifier sanity checks.

When this disjoint register is later evaluated at a conditional jump,
simulate_both_branches_taken() will see !reg_bounds_intersect() and
conclude that the branches are dead, pruning them from verification.
This could allow out-of-bounds memory accesses in the unverified branches,
which the verifier assumes are dead but the kernel will still execute at
runtime.

Should reg_bounds_sanity_check() be updated to also fail if
!reg_bounds_intersect(reg) is true?

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/cover.1776344897.git.paul.chaignon@gmail.com?part=1