On 8/10/22 12:08 PM, Youlin Li wrote:
The commit ("bpf: Do more tight ALU bounds tracking") introduces a bug
that fails some selftests.
in previous versions of the code, when
__reg_combine_64_into_32() was called, the 32bit boundary was
completely deduced from the 64bit boundary, so there was a call to
__mark_reg32_unbounded() in __reg_combine_64_into_32(). But before
adjust_scalar_min_max_vals() calls
__reg_combine_64_into_32() , the 32bit bounds are already calculated
to some extent, and __mark_reg32_unbounded() will eliminate these
information.
Simply remove the call to __reg_combine_64_into_32() and copying a code
without __mark_reg32_unbounded() should work.
Before:
./test_verifier 142
#142/p bounds check after truncation of non-boundary-crossing range FAIL
Failed to load prog 'Permission denied'!
invalid access to map value, value_size=8 off=16777215 size=1
R0 max value is outside of the allowed memory range
verification time 149 usec
stack depth 8
processed 15 insns (limit 1000000) max_states_per_insn 0
total_states 0 peak_states 0 mark_read 0
Summary: 0 PASSED, 1 SKIPPED, 1 FAILED
After:
./test_verifier 142
#142/p bounds check after truncation of non-boundary-crossing range OK
Summary: 1 PASSED, 1 SKIPPED, 0 FAILED
Signed-off-by: Youlin Li <liulin063@xxxxxxxxx>
---
kernel/bpf/verifier.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 11d8bb54ba6b..7ea6e0372d62 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -9014,7 +9014,17 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
/* ALU32 ops are zero extended into 64bit register */
zext_32_to_64(dst_reg);
} else {
- __reg_combine_64_into_32(dst_reg);
+ if (__reg64_bound_s32(dst_reg->smin_value) &&
+ __reg64_bound_s32(dst_reg->smax_value)) {
+ dst_reg->s32_min_value = (s32)dst_reg->smin_value;
+ dst_reg->s32_max_value = (s32)dst_reg->smax_value;
+ }
+ if (__reg64_bound_u32(dst_reg->umin_value) &&
+ __reg64_bound_u32(dst_reg->umax_value)) {
+ dst_reg->u32_min_value = (u32)dst_reg->umin_value;
+ dst_reg->u32_max_value = (u32)dst_reg->umax_value;
+ }
+ reg_bounds_sync(dst_reg);
Hm, this doesn't apply to the bpf tree. Is this on top of your previous patch [0]?
Please squash both together in that case and resubmit your previous one as a v2.
[0] https://lore.kernel.org/bpf/9f954e67-67fc-e3b9-d810-22bfea95d2aa@xxxxxxxxxxxxx/
Thanks,
Daniel
