Thanks for the report, Hao. I'll reacquaint myself with this code and investigate tomorrow.

On Sun, Nov 12, 2023 at 8:57 AM Hao Sun <sunhao.th@xxxxxxxxx> wrote:
>
> Hi,
>
> The verifier allows stack access with var off, but the stack depth is
> only updated with `fix` off. For the following program, the verifier
> incorrectly marks stack_depth as 221, yet the smin of r8 is -12 and is
> overlooked, and thus the interpreter incorrectly calls
> `__bpf_prog_run224`, leading to the OOB:
>
> (bf) r6 = r10 ; R6_w=fp0 R10=fp0
> (bc) w8 = w6 ; R6_w=fp0 R8_w=scalar(smin=0,smax=umax=429496729)
> (47) r8 |= -12 ; R8_w=scalar(smin=smin32=-12,smax=smax32=-1,umin)
> (0f) r8 += r10
> (72) *(u8 *)(r8 -221) = -19 ; R8_w=fp(off=0,smin=smin32=-12,smax=smax32=-1,..
> (95) exit
>
> verification time 231 usec
> stack depth 221
> processed 12 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 m0
>
> This C program can cause a stack OOB access:
> C Repro: https://pastebin.com/raw/5ReUbCar
> OOB: https://pastebin.com/raw/DzVz3NDn
>
> Andrei, you added support for stack access with var off in
> `01f810ace9ed3`, in which only `allocated_stack` is updated, should we
> also update stack depth?
>
> Best
> Hao Sun
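The mismatch Hao describes, as an added simplified model (not kernel code and not part of the thread): the depth the verifier records from the fixed offset alone versus the depth that also accounts for `smin` of the variable part, and how each maps onto the 32-byte `__bpf_prog_run*` interpreter variants. The `min_off = fix_off + smin` rule used for the corrected depth is an assumption about what a fix would do, and the numbers (-221, -12) are taken from the reported program.

```c
#include <stdbool.h>
#include <stdint.h>

/* Upper limit on BPF stack usage enforced by the verifier. */
#define MAX_BPF_STACK 512

/* Depth as the reported verifier records it for a store through
 * fp + var + fix_off: only the fixed displacement is considered, so a
 * variable part with a negative smin is ignored. */
static int depth_fixed_only(int fix_off)
{
    return -fix_off;
}

/* Depth when the minimum value of the variable part is included
 * (assumed fix: min_off = fix_off + smin, depth = -min_off). */
static int depth_with_var_off(int fix_off, int64_t smin)
{
    return -(fix_off + (int)smin);
}

/* The interpreter variant is chosen by rounding the recorded depth up
 * to a multiple of 32 (__bpf_prog_run32 ... __bpf_prog_run512).
 * Returns 0 when the depth exceeds MAX_BPF_STACK, i.e. the program
 * should be rejected rather than run. */
static int interp_stack_size(int depth)
{
    int rounded = (depth + 31) & ~31;
    return rounded > MAX_BPF_STACK ? 0 : rounded;
}

/* True when the lowest byte the store can actually touch lies below
 * the frame reserved by the selected interpreter variant. */
static bool access_out_of_bounds(int fix_off, int64_t smin, int stack_size)
{
    return depth_with_var_off(fix_off, smin) > stack_size;
}

int main(void)
{
    /* Values from the report: *(u8 *)(r8 -221) with r8 = fp + [-12, -1]. */
    int recorded = depth_fixed_only(-221);                 /* 221 */
    int chosen = interp_stack_size(recorded);              /* 224 */
    int actual = depth_with_var_off(-221, -12);            /* 233 */
    bool oob = access_out_of_bounds(-221, -12, chosen);    /* true */
    int needed = interp_stack_size(actual);                /* 256 */
    return (oob && needed == 256) ? 0 : 1;
}
```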