From patchwork Wed Nov 1 12:33:51 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Hao Sun X-Patchwork-Id: 160536 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:abcd:0:b0:403:3b70:6f57 with SMTP id f13csp384787vqx; Wed, 1 Nov 2023 05:38:34 -0700 (PDT) X-Google-Smtp-Source: AGHT+IHo6tO6l4bZ/7D9vzkEHR8AcmD3psptHrvJnl/w1uz4GwLqjOa+JRfu77TK+Sl42XxKjiZq X-Received: by 2002:ac2:4a79:0:b0:503:90d:e0df with SMTP id q25-20020ac24a79000000b00503090de0dfmr10885219lfp.34.1698842313922; Wed, 01 Nov 2023 05:38:33 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1698842313; cv=none; d=google.com; s=arc-20160816; b=tIiupz6TPFlBvTOkIGKg3kd16JPmZZjFTp20nbjqsmJTnf4CeYIGRG8qu8lQrZn50B TfxLPoPe4/AirCd5QfWV/QudPT6oDSYtee9scqhJYC9yBcRQZeNlI+NA+baaFEvf6HQF vw9P5vFthx/8W/g3Qk3ugQTf45jBe6Zif0k675sGm6eR+ZdoMsrs8fDX61Agb00znOkL GNTCD4OLZNmzFZoKq3AoDROWT5xayL4rVbeybnKknz7gdqQ4dl1oXtUhAvMtpKdKrtCB 930TdzpMJ6y0FSEmoJMZr2R5mL+jL3mcy03tZkIRH4RvbBTtmpU5tSZI7dyS5j6SH/+e DuMA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:in-reply-to:references:message-id :content-transfer-encoding:mime-version:subject:date:from :dkim-signature; bh=C/NwfKtoyspxT9DotnbjmoTKFlNWUE7/HmaMh4d/yZM=; fh=jfziyIVOQDNOZBGPiw9gaxcqMRAwxDHSKC0F0xcYq1k=; b=JLg/MlCEWLcfjjDMuDtoyk7F2RHxY3rz8xCbKXgWlXsVhDO/dfyZiE0kiY+Xs2oYC0 K/A+XbYY7M2U6of1WhSu0xAzW4rFny1H0Knx3BDKgrs3Bk190IWJm/Td5XyBUQI1+bDj 4lVzLYYujcjNQNePn6PJHvctOIoYGcJSxKiJxlnmRqu50mRyCC4SERKCAvNZFLBAcCQm wxzcDE+W+rLxPg7tJtKLSF8WIP4bU6dql7jcQxBDumhaMZ3h+cNOJmHcG+VG4loITn5i e+10NEu5CsJYzW4g/i0zhMrDWyS3B0DxDx7sUMs0beMgZXmezXdu10BYldtd9bNi9zjT krzQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jDubYWjf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from groat.vger.email (groat.vger.email. [23.128.96.35]) by mx.google.com with ESMTPS id z15-20020a05640235cf00b005435888a89bsi724261edc.279.2023.11.01.05.38.10 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 Nov 2023 05:38:33 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) client-ip=23.128.96.35; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=jDubYWjf; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.35 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by groat.vger.email (Postfix) with ESMTP id 0485F8053F8E; Wed, 1 Nov 2023 05:38:04 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at groat.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1343956AbjKAMeG (ORCPT + 35 others); Wed, 1 Nov 2023 08:34:06 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51102 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343670AbjKAMeF (ORCPT ); Wed, 1 Nov 2023 08:34:05 -0400 Received: from mail-lj1-x230.google.com (mail-lj1-x230.google.com [IPv6:2a00:1450:4864:20::230]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 617A4E4; Wed, 1 Nov 2023 05:34:02 -0700 (PDT) Received: by mail-lj1-x230.google.com with SMTP id 38308e7fff4ca-2c50d1b9f22so87049791fa.0; Wed, 01 Nov 2023 05:34:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1698842040; x=1699446840; darn=vger.kernel.org; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:from:to:cc:subject:date:message-id :reply-to; bh=C/NwfKtoyspxT9DotnbjmoTKFlNWUE7/HmaMh4d/yZM=; b=jDubYWjfISERIunB27vuNZspL9NmWjE1butfVlPShGaRwEctheifwbZSz6O5ge4IMs QKdTE3GtEQky+qJ7hHCopRmkU3dzdnuTD8+k1zXLw6Zi1cVsdYMzPuZnXwV4tRZ03cXc TJK6oe2aYuvXMRGa9rpRN9d1u/LuD+uefoH4a3wbZfcCNZyACRQ7FJjg/3+LxFfXWCXp B7bXWjpvbX0Ag6qui7cgHbG5Lp8PJMKam/Fh7iKa0xN6vuhZEMrQv67f7ToJM/ANQZ6x WxAq15n+ePkiy98vvPt+EDAGQLtQKYpmdxI8+zRMRkjb4VQY1HeIwmqxL8rX7KXacqRQ X0dw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1698842040; x=1699446840; h=cc:to:in-reply-to:references:message-id:content-transfer-encoding :mime-version:subject:date:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=C/NwfKtoyspxT9DotnbjmoTKFlNWUE7/HmaMh4d/yZM=; b=Oy+eb3D0iyN2HOcfgBfTygCDjPNMM4j8ZDJUDbcJaviriSiUnCAcP3vH/ox3Eg3Vi9 uWDhihum1KCtXb/6U4wRHl8OSjjs6oOoiI6u967mnfjv5jyuWObkU0K+xFnSR3GQkvAX ORsXRDkHoCqjGTwgfVl8+05JaiC3eTFQ+ItDfjjt3gwgyuPz+t1o1fceXKtV6xbemde4 KyBJgEeMYT29VDZ7mDqnVylj4lTx0Ha3jX3JaUfNhhvjOAE7vprwvui6Xpdm3BLOjjyX ijNO/yPQLPEegXYRMSEPDKSalkyoGlX+jyPFNnF8vtT2vg9oyS017GpQ4uGy0Bg48Ke9 vdpA== X-Gm-Message-State: AOJu0YzNgnZafC6m5em5NA4lUVRYdonQTqen3YezQf3GHFAsLLwN95GA CvmNBw1TjpjCP1m01KHJ+A== X-Received: by 2002:a2e:3e1a:0:b0:2bf:ab17:d48b with SMTP id l26-20020a2e3e1a000000b002bfab17d48bmr12931671lja.34.1698842040205; Wed, 01 Nov 2023 05:34:00 -0700 (PDT) Received: from amdsuplus2.inf.ethz.ch (amdsuplus2.inf.ethz.ch. [129.132.31.88]) by smtp.gmail.com with ESMTPSA id fk15-20020a05600c0ccf00b0040849ce7116sm1453505wmb.43.2023.11.01.05.33.58 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 Nov 2023 05:33:59 -0700 (PDT) From: Hao Sun Date: Wed, 01 Nov 2023 13:33:51 +0100 Subject: [PATCH bpf v3 1/2] bpf: Fix check_stack_write_fixed_off() to correctly spill imm MIME-Version: 1.0 Message-Id: <20231101-fix-check-stack-write-v3-1-f05c2b1473d5@gmail.com> References: <20231101-fix-check-stack-write-v3-0-f05c2b1473d5@gmail.com> In-Reply-To: <20231101-fix-check-stack-write-v3-0-f05c2b1473d5@gmail.com> To: Alexei Starovoitov , Daniel Borkmann , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Mykola Lysenko , Shuah Khan , Eduard Zingerman , Shung-Hsi Yu Cc: bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org, Hao Sun , stable@vger.kernel.org X-Mailer: b4 0.12.3 X-Developer-Signature: v=1; a=ed25519-sha256; t=1698842036; l=2139; i=sunhao.th@gmail.com; s=20231009; h=from:subject:message-id; bh=4BtzXLkq4i2wNmdy8ecUMdiwriJ5sawqxpkEKLH1c/8=; b=sBMS/uPQK6NCw+m9NjK4TUB4ZeIxMxZnXuNhGWMxzje1/bQxqOz6YDGyGxVIIjZWFLm30UKJ2 gMS37A4LHYJDI6FE8DLdpAb5ihedoaHU20y5UFPcAWzxZ4Fis0HB235 X-Developer-Key: i=sunhao.th@gmail.com; a=ed25519; pk=AHFxrImGtyqXOuw4f5xTNh4PGReb7hzD86ayyTZCXd4= X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on groat.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (groat.vger.email [0.0.0.0]); Wed, 01 Nov 2023 05:38:04 -0700 (PDT) X-getmail-retrieved-from-mailbox: INBOX X-GMAIL-THRID: 1781365278475464198 X-GMAIL-MSGID: 1781365278475464198 In check_stack_write_fixed_off(), imm value is cast to u32 before being spilled to the stack. Therefore, the sign information is lost, and the range information is incorrect when load from the stack again. For the following prog: 0: r2 = r10 1: *(u64*)(r2 -40) = -44 2: r0 = *(u64*)(r2 - 40) 3: if r0 s<= 0xa goto +2 4: r0 = 1 5: exit 6: r0 = 0 7: exit The verifier gives: func#0 @0 0: R1=ctx(off=0,imm=0) R10=fp0 0: (bf) r2 = r10 ; R2_w=fp0 R10=fp0 1: (7a) *(u64 *)(r2 -40) = -44 ; R2_w=fp0 fp-40_w=4294967252 2: (79) r0 = *(u64 *)(r2 -40) ; R0_w=4294967252 R2_w=fp0 fp-40_w=4294967252 3: (c5) if r0 s< 0xa goto pc+2 mark_precise: frame0: last_idx 3 first_idx 0 subseq_idx -1 mark_precise: frame0: regs=r0 stack= before 2: (79) r0 = *(u64 *)(r2 -40) 3: R0_w=4294967252 4: (b7) r0 = 1 ; R0_w=1 5: (95) exit verification time 7971 usec stack depth 40 processed 6 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0 So remove the incorrect cast, since imm field is declared as s32, and __mark_reg_known() takes u64, so imm would be correctly sign extended by compiler. Fixes: ecdf985d7615 ("bpf: track immediate values written to stack by BPF_ST instruction") Cc: stable@vger.kernel.org Signed-off-by: Hao Sun Acked-by: Shung-Hsi Yu Acked-by: Eduard Zingerman --- kernel/bpf/verifier.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 857d76694517..44af69ce1301 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -4674,7 +4674,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, insn->imm != 0 && env->bpf_capable) { struct bpf_reg_state fake_reg = {}; - __mark_reg_known(&fake_reg, (u32)insn->imm); + __mark_reg_known(&fake_reg, insn->imm); fake_reg.type = SCALAR_VALUE; save_register_state(state, spi, &fake_reg, size); } else if (reg && is_spillable_regtype(reg->type)) {