Patch "bpf: Add missed var_off setting in coerce_subreg_to_size_sx()" has been added to the 6.9-stable tree

This is a note to let you know that I've just added the patch titled

    bpf: Add missed var_off setting in coerce_subreg_to_size_sx()

to the 6.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-add-missed-var_off-setting-in-coerce_subreg_to_s.patch
and it can be found in the queue-6.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c0ed5718e229cfa75496e3d3433d64eabf241c9b
Author: Yonghong Song <yonghong.song@xxxxxxxxx>
Date:   Sat Jun 15 10:46:32 2024 -0700

    bpf: Add missed var_off setting in coerce_subreg_to_size_sx()
    
    [ Upstream commit 44b7f7151dfc2e0947f39ed4b9bc4b0c2ccd46fc ]
    
    In coerce_subreg_to_size_sx(), for the case where the upper
    sign extension bits are the same for the smax32 and smin32
    values, we missed setting var_off properly. This is especially
    problematic if both smax32's and smin32's sign extension
    bits are 1.
    
    The following is a simple example illustrating the inconsistent
    verifier states due to missed var_off:
    
      0: (85) call bpf_get_prandom_u32#7    ; R0_w=scalar()
      1: (bf) r3 = r0                       ; R0_w=scalar(id=1) R3_w=scalar(id=1)
      2: (57) r3 &= 15                      ; R3_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=15,var_off=(0x0; 0xf))
      3: (47) r3 |= 128                     ; R3_w=scalar(smin=umin=smin32=umin32=128,smax=umax=smax32=umax32=143,var_off=(0x80; 0xf))
      4: (bc) w7 = (s8)w3
      REG INVARIANTS VIOLATION (alu): range bounds violation u64=[0xffffff80, 0x8f] s64=[0xffffff80, 0x8f]
        u32=[0xffffff80, 0x8f] s32=[0x80, 0xffffff8f] var_off=(0x80, 0xf)
    
    The var_off=(0x80, 0xf) is not correct; the correct one should
    be var_off=(0xffffff80; 0xf) since from insn 3 we know that at
    insn 4 the sign extension bits will be 1. This patch fixes this
    issue by setting var_off properly.
    
    Fixes: 8100928c8814 ("bpf: Support new sign-extension mov insns")
    Signed-off-by: Yonghong Song <yonghong.song@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20240615174632.3995278-1-yonghong.song@xxxxxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>
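
The following C model is an added example for this note; it is not code from the kernel, from this patch or from its author. It re-implements the tnum helpers tnum_range() and tnum_subreg() from their kernel definitions as understood here (an assumption about those definitions), models the same-sign branch of coerce_subreg_to_size_sx() with the patched assignment switchable on and off, and runs the R3 state from the commit log ([128, 143], var_off=(0x80; 0xf)) through insn 4, `w7 = (s8)w3`. The struct subreg, the bounds_consistent() check and the sx_case() driver are simplified stand-ins for the verifier's bpf_reg_state and its register-invariants check, not the verifier's own code. It also goes beyond the log's s8 case: sx_case() accepts size 2 for the (s16) move and any same-sign start range.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tristate number (tnum), the verifier's known-bits tracking: bit i is
 * known iff mask bit i is 0, and value then holds it. */
struct tnum {
	uint64_t value;
	uint64_t mask;
};

/* Tightest tnum covering every u64 in [min, max]: bits above the highest bit
 * in which min and max differ are known (assumed kernel tnum_range() logic). */
static struct tnum tnum_range(uint64_t min, uint64_t max)
{
	uint64_t chi = min ^ max, delta;
	int bits = chi ? 64 - __builtin_clzll(chi) : 0;	/* fls64(chi) */

	if (bits > 63)			/* 1ULL << 64 is undefined */
		return (struct tnum){ 0, ~(uint64_t)0 };
	delta = ((uint64_t)1 << bits) - 1;
	return (struct tnum){ min & ~delta, delta };
}

/* Keep the low 32 bits; the upper 32 become known zero. */
static struct tnum tnum_subreg(struct tnum a)
{
	return (struct tnum){ (uint32_t)a.value, (uint32_t)a.mask };
}

/* 32-bit slice of a register state (stand-in for bpf_reg_state). */
struct subreg {
	int32_t s32_min, s32_max;
	uint32_t u32_min, u32_max;
	struct tnum var_off;
};

/* Simplified register-invariants check: both 32-bit bound endpoints must
 * be values var_off can take (the verifier checks more than this). */
static bool bounds_consistent(struct subreg r)
{
	uint64_t lo = (uint32_t)r.s32_min, hi = (uint32_t)r.s32_max;
	return (lo & ~r.var_off.mask) == r.var_off.value &&
	       (hi & ~r.var_off.mask) == r.var_off.value;
}

/* Model of the same-sign branch of coerce_subreg_to_size_sx() for wD = (s8)wS
 * (size 1) and wD = (s16)wS (size 2); false where the verifier falls back to
 * its default range. with_fix toggles the patch's var_off assignment. */
static bool coerce_subreg_to_size_sx(struct subreg *r, int size, bool with_fix)
{
	uint32_t num_bits = size * 8;
	uint32_t top_max = ((uint32_t)r->s32_max >> num_bits) << num_bits;
	uint32_t top_min = ((uint32_t)r->s32_min >> num_bits) << num_bits;
	int32_t a, b, s32_min, s32_max;

	if (top_max != top_min)		/* bits above the kept width differ */
		return false;
	a = size == 1 ? (int8_t)r->s32_max : (int16_t)r->s32_max;
	b = size == 1 ? (int8_t)r->s32_min : (int16_t)r->s32_min;
	s32_max = a > b ? a : b;
	s32_min = a < b ? a : b;
	if ((s32_min >= 0) != (s32_max >= 0))	/* truncation split the sign */
		return false;

	r->s32_min = s32_min;
	r->s32_max = s32_max;
	r->u32_min = (uint32_t)s32_min;
	r->u32_max = (uint32_t)s32_max;
	/* The patched line: s32 -> u64 sign-extends, so [-128, -113] becomes
	 * [0xffffffffffffff80, 0xffffffffffffff8f]; subreg gives (0xffffff80; 0xf).
	 * Without it var_off still describes the pre-move value. */
	if (with_fix)
		r->var_off = tnum_subreg(tnum_range((uint64_t)(int64_t)s32_min,
						    (uint64_t)(int64_t)s32_max));
	return true;
}

/* Start from a non-negative range [smin, smax] with the var_off the verifier
 * derives for it ((0x80; 0xf) for [128, 143]), then apply the sx move. */
static struct subreg sx_case(int32_t smin, int32_t smax, int size, bool with_fix)
{
	struct subreg r = { smin, smax, (uint32_t)smin, (uint32_t)smax };

	r.var_off = tnum_subreg(tnum_range((uint32_t)smin, (uint32_t)smax));
	coerce_subreg_to_size_sx(&r, size, with_fix);
	return r;
}

int main(void)
{
	for (int fix = 0; fix < 2; fix++) {	/* insn 4 of the log: w7 = (s8)w3 */
		struct subreg r = sx_case(128, 143, 1, fix);

		printf("%s: s32=[%d, %d] var_off=(0x%llx; 0x%llx) %s\n",
		       fix ? "fixed" : "unfixed", r.s32_min, r.s32_max,
		       (unsigned long long)r.var_off.value,
		       (unsigned long long)r.var_off.mask,
		       bounds_consistent(r) ? "ok" : "REG INVARIANTS VIOLATION");
	}
	return 0;
}
```

Built with `cc -std=c11 sx_model.c`, the unfixed run reports s32=[-128, -113] with var_off=(0x80; 0xf) and an invariants violation, because 0x80 cannot be a value whose low 32 bits are 0xffffff80; the fixed run reports var_off=(0xffffff80; 0xf) and passes. The same driver with size 2 and a start range such as [0xff80, 0xff8f] exercises the (s16) move, and a range that straddles the truncated sign bit, such as [0x70, 0x8f], leaves the state untouched because the branch does not apply.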

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4ad77ed8059e4..add5ccbe87523 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6268,6 +6268,7 @@ static void coerce_subreg_to_size_sx(struct bpf_reg_state *reg, int size)
 		reg->s32_max_value = s32_max;
 		reg->u32_min_value = (u32)s32_min;
 		reg->u32_max_value = (u32)s32_max;
+		reg->var_off = tnum_subreg(tnum_range(s32_min, s32_max));
 		return;
 	}
 
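Review bot: the added assignment hands two s32 values, s32_min and s32_max, to tnum_range(), which (assuming it takes u64 operands as upstream) means the negative case silently relies on the s32-to-u64 sign-extending conversion to form operands like 0xffffffffffffff80 before tnum_subreg() truncates the result back to 32 bits; that is exactly what produces var_off=(0xffffff80; 0xf) for the commit-log example, but it reads as if 32-bit bounds were being passed, so a one-line comment above the new line (e.g. `/* s32 -> u64 sign-extends; keep the low 32 bits */`) would save the next reader a detour. The hunk updates only the 32-bit fields and var_off, while the log also shows the 64-bit side off before the fix (u64=[0xffffff80, 0x8f], s64=[0xffffff80, 0x8f]); if the caller re-syncs those from var_off after this returns, a sentence saying so would make the early return obviously safe. No selftest accompanies the change; the five-instruction program in the commit log is a ready-made regression test for the sign-extension mov cases and would be worth carrying with the stable backport.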
