On Fri, 2023-12-08 at 18:15 -0800, Andrii Nakryiko wrote:
[...]
> Now, the subtle thing here is that this doesn't happen with STACK_ZERO
> or STACK_MISC. Let's look at the STACK_MISC/STACK_INVALID case.
>
> 1: *(u8 *)(r10 -1) = 123; /* now fp-8=m??????? */
> 2: r1 = *(u64 *)(r10 - 8); /* STACK_MISC read, r1 is set to unknown scalar */
> 3: if r1 == 123 goto +10;
>
> Let's do the analysis again. At 3: we mark r1 as precise, go back to 2:.
> Here 2: instruction is not marked as INSN_F_STACK_ACCESS because it
> wasn't a stack fill due to STACK_MISC (that's handled in
> check_read_fixed_off logic). So mark_chain_precision() stops here
> because that instruction is resetting r1, so we clear r1 from the
> mask, but this instruction isn't STACK_ACCESS, so we don't look for
> fp-8 here.

Ok, so STACK_MISC does not actually leak any information: when a misc byte is read, it's still full range. Makes sense.

I think STACK_ZERO handling is fine; there is no need to remember it as a stack access, as it marks precision right away.

Thank you for the explanation, and sorry for the false alarm.

Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
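A toy model of the backtracking walk described in the quoted text, added here as an illustration; it is not the kernel's mark_chain_precision() and the instruction kinds, register/slot masks and return values are simplifications assumed for the example. It runs the spill/fill program next to the STACK_MISC program from the quote and shows that only the former carries precision back into fp-8.

```python
# Toy model of the BPF verifier's precision backtracking (mark_chain_precision).
# Assumed/simplified: only the instruction kinds needed for the two programs exist.
from dataclasses import dataclass

@dataclass
class Insn:
    text: str
    kind: str              # "const", "spill", "fill", "misc_store", "misc_read", "jmp"
    dst: str = ""          # register written by this instruction, if any
    src: str = ""          # register read by a spill
    slot: str = ""         # stack slot read or written, e.g. "fp-8"

# Only spills and fills count as stack accesses for backtracking; a STACK_MISC
# read yields an unknown scalar and is not flagged (as explained in the thread).
STACK_ACCESS = {"spill", "fill"}

def mark_chain_precision(insns, start, reg):
    """Walk backwards from insns[start], tracking which registers and stack
    slots still need to be precise. Returns (precise_regs, precise_slots,
    index of the instruction where the walk stopped)."""
    reg_mask, stack_mask = {reg}, set()
    precise_regs, precise_slots = {reg}, set()
    for i in range(start - 1, -1, -1):
        insn = insns[i]
        if insn.kind in STACK_ACCESS:
            if insn.kind == "fill" and insn.dst in reg_mask:
                reg_mask.discard(insn.dst)          # value came from the stack slot
                stack_mask.add(insn.slot)
            elif insn.kind == "spill" and insn.slot in stack_mask:
                stack_mask.discard(insn.slot)       # slot came from a register
                precise_slots.add(insn.slot)
                reg_mask.add(insn.src)
                precise_regs.add(insn.src)
        elif insn.dst and insn.dst in reg_mask:
            reg_mask.discard(insn.dst)              # register redefined, no stack involved
        if not reg_mask and not stack_mask:
            return precise_regs, precise_slots, i   # nothing left to track: stop
    return precise_regs, precise_slots, 0

SPILL_FILL = [                                      # constructed program A
    Insn("r2 = 123", "const", dst="r2"),
    Insn("*(u64 *)(r10 - 8) = r2", "spill", src="r2", slot="fp-8"),
    Insn("r1 = *(u64 *)(r10 - 8)", "fill", dst="r1", slot="fp-8"),
    Insn("if r1 == 123 goto +10", "jmp"),
]
MISC = [                                            # constructed program B (quoted case)
    Insn("r2 = 123", "const", dst="r2"),
    Insn("*(u8 *)(r10 - 1) = 123", "misc_store", slot="fp-8"),
    Insn("r1 = *(u64 *)(r10 - 8)", "misc_read", dst="r1", slot="fp-8"),
    Insn("if r1 == 123 goto +10", "jmp"),
]

if __name__ == "__main__":
    for name, prog in (("spill/fill", SPILL_FILL), ("misc", MISC)):
        print(name, mark_chain_precision(prog, 3, "r1"))
```

Program A walks back through the fill and the spill to instruction 0, marking fp-8 and r2 precise; program B stops at the STACK_MISC read and never touches fp-8.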