Re: [PATCH bpf-next 1/2] bpf: Fix __reg_bound_offset 64->32 var_off subreg propagation

On Tue, Mar 21, 2023 at 08:33:53PM +0100, Daniel Borkmann wrote:
> Xu reports that after commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32
> bounds tracking"), the following BPF program is rejected by the verifier:
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
...
> index d517d13878cf..d66e70707172 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -1823,9 +1823,9 @@ static void __reg_bound_offset(struct bpf_reg_state *reg)
>  	struct tnum var64_off = tnum_intersect(reg->var_off,
>  					       tnum_range(reg->umin_value,
>  							  reg->umax_value));
> -	struct tnum var32_off = tnum_intersect(tnum_subreg(reg->var_off),
> -						tnum_range(reg->u32_min_value,
> -							   reg->u32_max_value));
> +	struct tnum var32_off = tnum_intersect(tnum_subreg(var64_off),
> +					       tnum_range(reg->u32_min_value,
> +							  reg->u32_max_value));
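
Review bot: the new var32_off initializer depends on var64_off having been computed in the declaration just above it, and nothing in the hunk documents that ordering. A one-line comment above the var32_off declaration, saying that the subreg tnum is taken from the 64-bit tnum already intersected with umin_value/umax_value so that the bits learned there carry into the low 32 bits, would keep a later refactor from going back to tnum_subreg(reg->var_off). Because var64_off is at least as precise as reg->var_off, the resulting var_off can differ from what existing selftests expect, so any expectation that changes belongs in the same patch.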

Great fix and excellent analysis!
The CI is complaining though:
test_align:FAIL:pointer variable subtraction unexpected error: 1 (errno 13)
#1/12    align/pointer variable subtraction:FAIL
#1       align:FAIL
Summary: 289/1752 PASSED, 29 SKIPPED, 1 FAILED

Please roll the update for the test into the fix.

Also agree that bpf-next is a good target for the fix.
It doesn't look risky, but since it was there for so long it can go through
bpf-next just fine.


