On Wed, Nov 20, 2024 at 4:16 AM Xu Kuohai <xukuohai@xxxxxxxxxxxxxxx> wrote: > > On 11/19/2024 7:40 PM, Shung-Hsi Yu wrote: > > Add more specific test cases into verifier_and.c to test against signed > > range deduction. > > > > WIP, Test failing. > > --- > > The GitHub action is at https://github.com/kernel-patches/bpf/actions/runs/11909088689/ > > > > For and_mixed_range_vs_neg_const() > > > > Error: #432/8 verifier_and/[-1,0] range vs negative constant @unpriv > > ... > > VERIFIER LOG: > > ============= > > 0: R1=ctx() R10=fp0 > > 0: (85) call bpf_get_prandom_u32#7 ; R0_w=Pscalar() > > 1: (67) r0 <<= 63 ; R0_w=Pscalar(smax=smax32=umax32=0,umax=0x8000000000000000,smin32=0,var_off=(0x0; 0x8000000000000000)) > > 2: (c7) r0 s>>= 63 ; R0_w=Pscalar(smin=smin32=-1,smax=smax32=0) > > 3: (b7) r1 = -13 ; R1_w=P-13 > > 4: (5f) r0 &= r1 ; R0_w=Pscalar(smin=smin32=-16,smax=smax32=0,umax=0xfffffffffffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3)) R1_w=P-13 > > 5: (b7) r2 = 0 ; R2_w=P0 > > 6: (6d) if r0 s> r2 goto pc+4 ; R0_w=Pscalar(smin=smin32=-16,smax=smax32=0,umax=0xfffffffffffffff3,umax32=0xfffffff3,var_off=(0x0; 0xfffffffffffffff3)) R2_w=P0 > > 7: (b7) r2 = -16 ; R2=P-16 > > 8: (cd) if r0 s< r2 goto pc+2 11: R0=Pscalar() R1=P-13 R2=Pscalar() R10=fp0 > > > > Somehow despite the verifier knows that r0's smin=-16 and smax=0, > > and r2's smin=-16 and smax=-16, it does determine that > > [-16, 0] s< -16 is always false. > > > > 11: (61) r1 = *(u32 *)(r1 +0) > > R1 invalid mem access 'scalar' > > > > Interesting, CI reported failure in unpriv test, while the priv > test ran well. It seems to be related to some security policy. > I think it is bypass_spec_v1, which makes the verifier to check > the unreachable target instruction. Correct. See speculative path in the verifier. The patch is missing SOB too. pw-bot: cr
