On 3/22/23 4:03 AM, Alexei Starovoitov wrote:
On Tue, Mar 21, 2023 at 08:33:53PM +0100, Daniel Borkmann wrote:
Xu reports that after commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32
bounds tracking"), the following BPF program is rejected by the verifier:
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
...
index d517d13878cf..d66e70707172 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1823,9 +1823,9 @@ static void __reg_bound_offset(struct bpf_reg_state *reg)
struct tnum var64_off = tnum_intersect(reg->var_off,
tnum_range(reg->umin_value,
reg->umax_value));
- struct tnum var32_off = tnum_intersect(tnum_subreg(reg->var_off),
- tnum_range(reg->u32_min_value,
- reg->u32_max_value));
+ struct tnum var32_off = tnum_intersect(tnum_subreg(var64_off),
+ tnum_range(reg->u32_min_value,
+ reg->u32_max_value));
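Review bot: the new var32_off initializer, tnum_intersect(tnum_subreg(var64_off), ...), now depends on var64_off declared directly above it, and nothing in the hunk says why the subregister is taken from the refined value rather than from reg->var_off. A one-line comment above the declaration would help, stating that the low 32 bits are derived from var64_off so that what the umin_value/umax_value intersection learned is carried into the 32-bit tnum. That keeps a later cleanup from reordering the two declarations or switching the argument back. Since the change alters the var_off the verifier computes, a selftest covering the rejected program from the report, together with the updated expectations for any existing test that matches on var_off output, belongs in the same patch.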
Great fix and excellent analysis!
The CI is complaining though:
test_align:FAIL:pointer variable subtraction unexpected error: 1 (errno 13)
#1/12 align/pointer variable subtraction:FAIL
#1 align:FAIL
Summary: 289/1752 PASSED, 29 SKIPPED, 1 FAILED
Please roll the update for the test into the fix.
Also agree that bpf-next is a good target for the fix.
It doesn't look risky, but since it was there for so long it can go through
bpf-next just fine.
Agree wrt the above. I'll look into the test_progs one and get this fixed today in a v2.
Thanks,
Daniel