This patch series addresses a truncation bug in the eBPF verifier function
coerce_reg_to_size_sx(). The issue was caused by the incorrect ordering
of assignments between 32-bit and 64-bit min/max values, leading to
improper truncation when updating the register state. This issue has been
reported previously by Zac Ecob[1] , but was not followed up on.
The first patch fixes the assignment order in coerce_reg_to_size_sx()
to ensure correct truncation. The subsequent patches add selftests for
coerce_{reg,subreg}_to_size_sx.
Changelog:
v1 -> v2:
- Moved selftests inside the conditional check for cpuv4
[1] (https://lore.kernel.org/bpf/h3qKLDEO6m9nhif0eAQX4fVrqdO0D_OPb0y5HfMK9jBePEKK33wQ3K-bqSVnr0hiZdFZtSJOsbNkcEQGpv_yJk61PAAiO8fUkgMRSO-lB50=@protonmail.com/)
Dimitar Kanaliev (3):
bpf: Fix truncation bug in coerce_reg_to_size_sx()
selftests/bpf: Add test for truncation after sign extension in
coerce_reg_to_size_sx()
selftests/bpf: Add test for sign extension in
coerce_subreg_to_size_sx()
kernel/bpf/verifier.c | 8 ++--
.../selftests/bpf/progs/verifier_movsx.c | 40 +++++++++++++++++++
2 files changed, 44 insertions(+), 4 deletions(-)
--
2.43.0
