From: Eduard Zingerman <eddyz87@gmail.com>
To: Paul Chaignon <paul.chaignon@gmail.com>
Cc: syzbot <syzbot+c711ce17dd78e5d4fdcf@syzkaller.appspotmail.com>,
andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
daniel@iogearbox.net, haoluo@google.com,
john.fastabend@gmail.com, jolsa@kernel.org, kpsingh@kernel.org,
linux-kernel@vger.kernel.org, martin.lau@linux.dev,
netdev@vger.kernel.org, sdf@fomichev.me, song@kernel.org,
syzkaller-bugs@googlegroups.com, yonghong.song@linux.dev
Subject: Re: [syzbot] [bpf?] WARNING in reg_bounds_sanity_check
Date: Mon, 07 Jul 2025 17:37:09 -0700 [thread overview]
Message-ID: <c35d5392b961a4d5b54bdb4b92c4e104bd7857cc.camel@gmail.com> (raw)
In-Reply-To: <2fb0a354ec117d36a24fe37a3184c1d40849ef1a.camel@gmail.com>
On Mon, 2025-07-07 at 16:29 -0700, Eduard Zingerman wrote:
> On Tue, 2025-07-08 at 00:30 +0200, Paul Chaignon wrote:
>
> [...]
>
> > This is really nice! I think we can extend it to detect some
> > always-true branches as well, and thus handle the initial case reported
> > by syzbot.
> >
> > - if a_min == 0: we don't deduce anything
> > - bits that may be set in 'a' are: possible_a = or_range(a_min, a_max)
> > - bits that are always set in 'b' are: always_b = b_value & ~b_mask
> > - if possible_a & always_b == possible_a: only true branch is possible
> > - otherwise, we can't deduce anything
> >
> > For BPF_X case, we probably want to also check the reverse with
> > possible_b & always_a.
>
> So, this would extend existing predictions:
> - [old] always_a & always_b -> infer always true
> - [old] !(possible_a & possible_b) -> infer always false
> - [new] if possible_a & always_b == possible_a -> infer true
> (but make sure 0 is not in possible_a)
>
> And it so happens, that it covers example at hand.
> Note that or_range(1, (u64)-1) == (u64)-1, so maybe tnum would be
> sufficient, w/o the need for or_range().
>
> The part of the verifier that narrows the range after prediction:
>
> regs_refine_cond_op:
>
> case BPF_JSET | BPF_X: /* reverse of BPF_JSET, see rev_opcode() */
> if (!is_reg_const(reg: reg2, subreg32: is_jmp32))
> swap(reg1, reg2);
> if (!is_reg_const(reg: reg2, subreg32: is_jmp32))
> break;
> val = reg_const_value(reg: reg2, subreg32: is_jmp32);
> ...
> reg1->var_off = tnum_and(a: reg1->var_off, b: tnum_const(value: ~val));
> ...
> break;
>
> And after suggested change this part would be executed only if tnum
> bounds can be changed by jset. So, this eliminates at-least a
> sub-class of a problem.
But I think the program below would still be problematic:
SEC("socket")
__success
__retval(0)
__naked void jset_bug1(void)
{
asm volatile (" \
call %[bpf_get_prandom_u32]; \
if r0 < 2 goto 1f; \
r0 |= 1; \
if r0 & -2 goto 1f; \
1: r0 = 0; \
exit; \
" :
: __imm(bpf_get_prandom_u32)
: __clobber_all);
}
The possible_r0 would be changed by `if r0 & -2`, so new rule will not hit.
And the problem remains unsolved. I think we need to reset min/max
bounds in regs_refine_cond_op for JSET:
- in some cases range is more precise than tnum
- in these cases range cannot be compressed to a tnum
- predictions in jset are done for a tnum
- to avoid issues when narrowing tnum after prediction, forget the
range.
next prev parent reply other threads:[~2025-07-08 0:37 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-02 1:55 [syzbot] [bpf?] WARNING in reg_bounds_sanity_check syzbot
2025-07-03 17:02 ` Paul Chaignon
2025-07-03 18:54 ` Eduard Zingerman
2025-07-04 17:14 ` Paul Chaignon
2025-07-04 17:26 ` Eduard Zingerman
2025-07-04 21:13 ` Eduard Zingerman
2025-07-04 21:27 ` Eduard Zingerman
2025-07-07 22:30 ` Paul Chaignon
2025-07-07 23:29 ` Eduard Zingerman
2025-07-08 0:37 ` Eduard Zingerman [this message]
2025-07-08 0:51 ` Alexei Starovoitov
2025-07-08 0:57 ` Eduard Zingerman
2025-07-08 16:19 ` Paul Chaignon
2025-07-08 17:39 ` Eduard Zingerman
2025-07-07 21:57 ` Paul Chaignon
2025-07-07 23:36 ` Eduard Zingerman
2025-07-05 16:02 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=c35d5392b961a4d5b54bdb4b92c4e104bd7857cc.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=netdev@vger.kernel.org \
--cc=paul.chaignon@gmail.com \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=syzbot+c711ce17dd78e5d4fdcf@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).