On 11/19/2024 7:40 PM, Shung-Hsi Yu wrote:
Add more specific test cases into verifier_and.c to test against signed range deduction. WIP, Test failing. --- The GitHub action is at https://github.com/kernel-patches/bpf/actions/runs/11909088689/ For and_mixed_range_vs_neg_const() Error: #432/8 verifier_and/[-1,0] range vs negative constant @unpriv ... VERIFIER LOG: ============= 0: R1=ctx() R10=fp0 0: (85) call bpf_get_prandom_u32#7 ; R0_w=Pscalar() 1: (67) r0 <<= 63 ; R0_w=Pscalar(smax=smax32=umax32=0,umax=0x8000000000000000,smin32=0,var_off=(0x0; 0x8000000000000000)) 2: (c7) r0 s>>= 63 ; R0_w=Pscalar(smin=smin32=-1,smax=smax32=0) 3: (b7) r1 = -13 ; R1_w=P-13 4: (5f) r0 &= r1 ; R0_w=Pscalar(smin=smin32=-16,smax=smax32=0,umax=0xfffffffffffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3)) R1_w=P-13 5: (b7) r2 = 0 ; R2_w=P0 6: (6d) if r0 s> r2 goto pc+4 ; R0_w=Pscalar(smin=smin32=-16,smax=smax32=0,umax=0xfffffffffffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3)) R2_w=P0 7: (b7) r2 = -16 ; R2=P-16 8: (cd) if r0 s< r2 goto pc+2 11: R0=Pscalar() R1=P-13 R2=Pscalar() R10=fp0 Somehow despite the verifier knows that r0's smin=-16 and smax=0, and r2's smin=-16 and smax=-16, it does determine that [-16, 0] s< -16 is always false. 11: (61) r1 = *(u32 *)(r1 +0) R1 invalid mem access 'scalar'
Interesting, CI reported failure in unpriv test, while the priv test ran well. It seems to be related to some security policy. I think it is bypass_spec_v1, which makes the verifier to check the unreachable target instruction.