Hello:

This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@xxxxxxxxxx>:

On Thu, 13 Jun 2024 13:53:08 +0200 you wrote:
> Juan reported that after doing some changes to buzzer [0] and implementing
> a new fuzzing strategy guided by coverage, they noticed the following in
> one of the probes:
>
> [...]
> 13: (79) r6 = *(u64 *)(r0 +0)         ; R0=map_value(ks=4,vs=8) R6_w=scalar()
> 14: (b7) r0 = 0                       ; R0_w=0
> 15: (b4) w0 = -1                      ; R0_w=0xffffffff
> 16: (74) w0 >>= 1                     ; R0_w=0x7fffffff
> 17: (5c) w6 &= w0                     ; R0_w=0x7fffffff R6_w=scalar(smin=smin32=0,smax=umax=umax32=0x7fffffff,var_off=(0x0; 0x7fffffff))
> 18: (44) w6 |= 2                      ; R6_w=scalar(smin=umin=smin32=umin32=2,smax=umax=umax32=0x7fffffff,var_off=(0x2; 0x7ffffffd))
> 19: (56) if w6 != 0x7ffffffd goto pc+1
> REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)
> REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0x7fffffff, 0x7ffffffd] s64=[0x7fffffff, 0x7ffffffd] u32=[0x7fffffff, 0x7ffffffd] s32=[0x7fffffff, 0x7ffffffd] var_off=(0x7fffffff, 0x0)
> REG INVARIANTS VIOLATION (false_reg2): const tnum out of sync with range bounds u64=[0x0, 0xffffffffffffffff] s64=[0x8000000000000000, 0x7fffffffffffffff] u32=[0x0, 0xffffffff] s32=[0x80000000, 0x7fffffff] var_off=(0x7fffffff, 0x0)
> 19: R6_w=0x7fffffff
> 20: (95) exit
>
> [...]

Here is the summary with links:
  - [bpf,v2,1/3] bpf: Fix reg_set_min_max corruption of fake_reg
    https://git.kernel.org/bpf/bpf/c/92424801261d
  - [bpf,v2,2/3] bpf: Reduce stack consumption in check_stack_write_fixed_off
    https://git.kernel.org/bpf/bpf/c/e73cd1cfc217
  - [bpf,v2,3/3] selftests/bpf: Add test coverage for reg_set_min_max handling
    https://git.kernel.org/bpf/bpf/c/ceb65eb60026

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
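The "REG INVARIANTS VIOLATION" lines in the quoted verifier log are produced by a sanity check the verifier runs over a register's tracked bounds after a branch refines them. The following is an added example, written for this page and not taken from the kernel or the patch series: it models the register range state (unsigned/signed 64- and 32-bit bounds plus a tnum of known and unknown bits) and the two checks that fire in the log, then runs them over the three register states transcribed from the log. The struct and function names are this example's own; the kernel keeps the equivalent state in struct bpf_reg_state and does the check in a function the log output is taken from, which this model simplifies by stopping at the first failing invariant in the same order the log shows.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Added example (not kernel code): a simplified model of the BPF verifier's
 * per-register range state and of the invariant checks behind the
 * "REG INVARIANTS VIOLATION" lines in the quoted log. Names are this
 * example's own, not the kernel's. */

struct tnum {
    uint64_t value;   /* bits known to be set */
    uint64_t mask;    /* bits whose value is unknown */
};

struct reg_bounds {
    uint64_t umin, umax;
    int64_t  smin, smax;
    uint32_t u32min, u32max;
    int32_t  s32min, s32max;
    struct tnum var_off;
};

static bool tnum_is_const(struct tnum t)        { return t.mask == 0; }
static bool tnum_subreg_is_const(struct tnum t) { return (uint32_t)t.mask == 0; }

/* Returns NULL when the state is consistent, otherwise the message for the
 * first invariant that fails (the log only ever reports the first one). */
const char *reg_invariant_violation(const struct reg_bounds *r)
{
    /* Every min must be <= its max; true_reg2 in the log fails here. */
    if (r->umin > r->umax || r->smin > r->smax ||
        r->u32min > r->u32max || r->s32min > r->s32max)
        return "range bounds violation";

    /* A tnum with no unknown bits is a constant, so every 64-bit bound must
     * equal it; false_reg2 in the log fails here. */
    if (tnum_is_const(r->var_off)) {
        uint64_t u = r->var_off.value;
        int64_t  s = (int64_t)u;
        if (r->umin != u || r->umax != u || r->smin != s || r->smax != s)
            return "const tnum out of sync with range bounds";
    }

    /* Same check for the low 32 bits against the 32-bit bounds. */
    if (tnum_subreg_is_const(r->var_off)) {
        uint32_t u = (uint32_t)r->var_off.value;
        int32_t  s = (int32_t)u;
        if (r->u32min != u || r->u32max != u || r->s32min != s || r->s32max != s)
            return "const subreg tnum out of sync with range bounds";
    }
    return NULL;
}

/* A well-formed constant register: every bound equals the value and the tnum
 * has no unknown bits. This is the shape of "19: R6_w=0x7fffffff". */
struct reg_bounds reg_const(uint64_t v)
{
    struct reg_bounds r;
    r.umin = r.umax = v;
    r.smin = r.smax = (int64_t)v;
    r.u32min = r.u32max = (uint32_t)v;
    r.s32min = r.s32max = (int32_t)(uint32_t)v;
    r.var_off.value = v;
    r.var_off.mask = 0;
    return r;
}

/* Register states transcribed from the quoted log (constructed test input). */
const struct reg_bounds log_true_reg2 = {
    .umin = 0x7fffffff, .umax = 0x7ffffffd,
    .smin = 0x7fffffff, .smax = 0x7ffffffd,
    .u32min = 0x7fffffff, .u32max = 0x7ffffffd,
    .s32min = 0x7fffffff, .s32max = 0x7ffffffd,
    .var_off = { 0x7fffffff, 0x0 },
};

const struct reg_bounds log_false_reg2 = {
    .umin = 0, .umax = UINT64_MAX,
    .smin = INT64_MIN, .smax = INT64_MAX,
    .u32min = 0, .u32max = UINT32_MAX,
    .s32min = INT32_MIN, .s32max = INT32_MAX,
    .var_off = { 0x7fffffff, 0x0 },
};

/* R6 after insn 18 (w6 |= 2): a healthy, non-constant range. */
const struct reg_bounds log_r6_insn18 = {
    .umin = 2, .umax = 0x7fffffff,
    .smin = 2, .smax = 0x7fffffff,
    .u32min = 2, .u32max = 0x7fffffff,
    .s32min = 2, .s32max = 0x7fffffff,
    .var_off = { 0x2, 0x7ffffffd },
};

int main(void)
{
    const struct reg_bounds *regs[] = { &log_true_reg2, &log_false_reg2, &log_r6_insn18 };
    const char *names[] = { "true_reg2", "false_reg2", "R6 after insn 18" };
    struct reg_bounds fixed = reg_const(0x7fffffff);

    for (int i = 0; i < 3; i++) {
        const char *m = reg_invariant_violation(regs[i]);
        printf("%s: %s\n", names[i], m ? m : "ok");
    }
    printf("const 0x7fffffff: %s\n",
           reg_invariant_violation(&fixed) ? "violation" : "ok");
    return 0;
}
```

Running the model over the log's states reproduces the two messages in the order the log shows them: true_reg2 has umin 0x7fffffff above umax 0x7ffffffd, and false_reg2 carries a constant tnum of 0x7fffffff while its bounds still span the full range. The healthy R6 state from insn 18 and a properly formed constant both pass, which is what the fixed verifier prints at insn 19.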