From: Eduard Zingerman <eddyz87@gmail.com>
To: Xu Kuohai <xukuohai@huaweicloud.com>,
bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Shung-Hsi Yu <shung-hsi.yu@suse.com>,
Yonghong Song <yonghong.song@linux.dev>,
KP Singh <kpsingh@kernel.org>,
Roberto Sassu <roberto.sassu@huawei.com>,
Matt Bobrowski <mattbobrowski@google.com>,
Yafang Shao <laoar.shao@gmail.com>,
Ilya Leoshkevich <iii@linux.ibm.com>,
"Jose E . Marchesi" <jose.marchesi@oracle.com>,
James Morris <jamorris@linux.microsoft.com>,
Kees Cook <kees@kernel.org>,
Brendan Jackman <jackmanb@google.com>,
Florent Revest <revest@google.com>
Subject: Re: [PATCH bpf-next v2 5/9] bpf, verifier: improve signed ranges inference for BPF_AND
Date: Mon, 22 Jul 2024 00:13:20 -0700 [thread overview]
Message-ID: <a5afdfca337a59bfe8f730a59ea40cd48d9a3d6b.camel@gmail.com> (raw)
In-Reply-To: <20240719110059.797546-6-xukuohai@huaweicloud.com>
On Fri, 2024-07-19 at 19:00 +0800, Xu Kuohai wrote:
> From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
[...]
>
> | src_reg
> smin' = ? +----------------------------+---------------------------
> smin'(r) <= smin(r) | negative | non-negative
> ---------+--------------+----------------------------+---------------------------
> | negative |negative_bit_floor( |negative_bit_floor(
> | | min(dst->smin, src->smin))| min(dst->smin, src->smin))
> dst_reg +--------------+----------------------------+---------------------------
> | non-negative |negative_bit_floor( |negative_bit_floor(
> | | min(dst->smin, src->smin))| min(dst->smin, src->smin))
>
> Meaning that simply using
>
> negative_bit_floor(min(dst_reg->smin_value, src_reg->smin_value))
>
> to calculate the resulting smin_value would work across all sign combinations.
>
> Together these allows the BPF verifier to infer the signed range of the
> result of BPF_AND operation using the signed range from its operands,
> and use that information
>
> r0 s>>= 63; R0_w=scalar(smin=smin32=-1,smax=smax32=0)
> r0 &= -13 ; R0_w=scalar(smin=smin32=-16,smax=smax32=0,umax=0xfffffffffffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3))
>
> [0] https://lore.kernel.org/bpf/e62e2971301ca7f2e9eb74fc500c520285cad8f5.camel@gmail.com/
>
> Link: https://lore.kernel.org/bpf/phcqmyzeqrsfzy7sb4rwpluc37hxyz7rcajk2bqw6cjk2x7rt5@m2hl6enudv7d/
> Cc: Eduard Zingerman <eddyz87@gmail.com>
> Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> Acked-by: Xu Kuohai <xukuohai@huawei.com>
> ---
I find derivation of these new rules logical.
Also tried a simple brute force testing of this algorithm for 6-bit
signed integers, and have not found any constraint violations:
https://github.com/eddyz87/bpf-and-brute-force-check
As a nitpick, I think that it would be good to have some shortened
version of the derivation in the comments alongside the code.
(Maybe with a link to the mailing list).
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
[...]
next prev parent reply other threads:[~2024-07-22 7:13 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-19 11:00 [PATCH bpf-next v2 0/9] Add BPF LSM return value range check, BPF part Xu Kuohai
2024-07-19 11:00 ` [PATCH bpf-next v2 1/9] bpf, lsm: Add disabled BPF LSM hook list Xu Kuohai
2024-07-19 11:00 ` [PATCH bpf-next v2 2/9] bpf, lsm: Add check for BPF LSM return value Xu Kuohai
2024-07-19 11:00 ` [PATCH bpf-next v2 3/9] bpf: Prevent tail call between progs attached to different hooks Xu Kuohai
2024-07-19 11:00 ` [PATCH bpf-next v2 4/9] bpf: Fix compare error in function retval_range_within Xu Kuohai
2024-07-19 11:00 ` [PATCH bpf-next v2 5/9] bpf, verifier: improve signed ranges inference for BPF_AND Xu Kuohai
2024-07-22 7:13 ` Eduard Zingerman [this message]
2024-07-22 12:57 ` Shung-Hsi Yu
2024-07-22 18:47 ` Eduard Zingerman
2024-07-23 0:48 ` Alexei Starovoitov
2024-07-23 6:36 ` Shung-Hsi Yu
2024-07-23 7:07 ` Shung-Hsi Yu
2024-07-24 1:17 ` Alexei Starovoitov
2024-07-19 11:00 ` [PATCH bpf-next v2 6/9] selftests/bpf: Avoid load failure for token_lsm.c Xu Kuohai
2024-07-19 11:00 ` [PATCH bpf-next v2 7/9] selftests/bpf: Add return value checks for failed tests Xu Kuohai
2024-07-19 11:00 ` [PATCH bpf-next v2 8/9] selftests/bpf: Add test for lsm tail call Xu Kuohai
2024-07-19 11:00 ` [PATCH bpf-next v2 9/9] selftests/bpf: Add verifier tests for bpf lsm Xu Kuohai
2024-07-22 19:57 ` [PATCH bpf-next v2 0/9] Add BPF LSM return value range check, BPF part bot+bpf-ci
2024-07-23 0:50 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=a5afdfca337a59bfe8f730a59ea40cd48d9a3d6b.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=iii@linux.ibm.com \
--cc=jackmanb@google.com \
--cc=jamorris@linux.microsoft.com \
--cc=jose.marchesi@oracle.com \
--cc=kees@kernel.org \
--cc=kpsingh@kernel.org \
--cc=laoar.shao@gmail.com \
--cc=linux-security-module@vger.kernel.org \
--cc=mattbobrowski@google.com \
--cc=netdev@vger.kernel.org \
--cc=revest@google.com \
--cc=roberto.sassu@huawei.com \
--cc=shung-hsi.yu@suse.com \
--cc=xukuohai@huaweicloud.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox