linux/tools/testing/selftests/bpf/verifier
Daniel Borkmann 10bf4e8316 bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds
Similarly as b02709587e ("bpf: Fix propagation of 32-bit signed bounds
from 64-bit bounds."), we also need to fix the propagation of 32 bit
unsigned bounds from 64 bit counterparts. That is, really only set the
u32_{min,max}_value when /both/ {umin,umax}_value safely fit in 32 bit
space. For example, the register with a umin_value == 1 does /not/ imply
that u32_min_value is also equal to 1, since umax_value could be much
larger than 32 bit subregister can hold, and thus u32_min_value is in
the interval [0,1] instead.

Before fix, invalid tracking result of R2_w=inv1:

  [...]
  5: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0) R10=fp0
  5: (35) if r2 >= 0x1 goto pc+1
  [...] // goto path
  7: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,umin_value=1) R10=fp0
  7: (b6) if w2 <= 0x1 goto pc+1
  [...] // goto path
  9: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,smin_value=-9223372036854775807,smax_value=9223372032559808513,umin_value=1,umax_value=18446744069414584321,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_max_value=1) R10=fp0
  9: (bc) w2 = w2
  10: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv1 R10=fp0
  [...]

After fix, correct tracking result of R2_w=inv(id=0,umax_value=1,var_off=(0x0; 0x1)):

  [...]
  5: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0) R10=fp0
  5: (35) if r2 >= 0x1 goto pc+1
  [...] // goto path
  7: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,umin_value=1) R10=fp0
  7: (b6) if w2 <= 0x1 goto pc+1
  [...] // goto path
  9: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,smax_value=9223372032559808513,umax_value=18446744069414584321,var_off=(0x0; 0xffffffff00000001),s32_min_value=0,s32_max_value=1,u32_max_value=1) R10=fp0
  9: (bc) w2 = w2
  10: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,umax_value=1,var_off=(0x0; 0x1)) R10=fp0
  [...]

Thus, same issue as in b02709587e holds for unsigned subregister tracking.
Also, align __reg64_bound_u32() similarly to __reg64_bound_s32() as done in
b02709587e to make them uniform again.

Fixes: 3f50f132d8 ("bpf: Verifier, do explicit ALU32 bounds tracking")
Reported-by: Manfred Paul (@_manfp)
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
2021-04-27 17:13:49 +02:00
..
.gitignore .gitignore: add SPDX License Identifier 2020-03-25 11:50:48 +01:00
and.c bpf: Add AND verifier test case where 32bit and 64bit bounds differ 2020-09-25 16:47:21 -07:00
array_access.c bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds 2021-04-27 17:13:49 +02:00
atomic_and.c bpf, x86: Fix BPF_FETCH atomic and/or/xor with r0 as src 2021-02-22 18:03:11 +01:00
atomic_bounds.c bpf: Propagate stack bounds to registers in atomics w/ BPF_FETCH 2021-02-02 18:23:29 -08:00
atomic_cmpxchg.c bpf: Explicitly zero-extend R0 after 32-bit cmpxchg 2021-03-04 19:06:03 -08:00
atomic_fetch_add.c bpf: Add tests for new BPF atomic operations 2021-01-14 18:34:29 -08:00
atomic_or.c bpf: Explicitly zero-extend R0 after 32-bit cmpxchg 2021-03-04 19:06:03 -08:00
atomic_xchg.c bpf: Add tests for new BPF atomic operations 2021-01-14 18:34:29 -08:00
atomic_xor.c selftests/bpf: Fix endianness issues in atomic tests 2021-02-10 11:55:22 -08:00
basic.c selftests/bpf: Fix test_verifier after introducing resolve_pseudo_ldimm64 2020-10-06 20:16:57 -07:00
basic_call.c
basic_instr.c selftests: bpf: add tests for shifts by zero 2019-07-03 11:14:28 +02:00
basic_stack.c selftest/bpf: Adjust expected verifier errors 2021-02-10 10:44:19 -08:00
basic_stx_ldx.c
bounds.c bpf: Update selftests to reflect new error states 2021-04-16 23:52:15 +02:00
bounds_deduction.c bpf: Update selftests to reflect new error states 2021-04-16 23:52:15 +02:00
bounds_mix_sign_unsign.c bpf: Update selftests to reflect new error states 2021-04-16 23:52:15 +02:00
bpf_get_stack.c bpf/selftests: Add bpf_get_task_stack retval bounds verifier test 2021-04-19 18:23:33 -07:00
calls.c bpf: Support bpf program calling kernel function 2021-03-26 20:41:51 -07:00
cfg.c selftests/bpf: fix tests 2019-06-19 02:22:52 +02:00
cgroup_inv_retcode.c selftests: bpf: break up the rest of test_verifier 2019-01-27 21:37:45 -08:00
cgroup_skb.c
cgroup_storage.c
const_or.c selftest/bpf: Adjust expected verifier errors 2021-02-10 10:44:19 -08:00
ctx.c bpf: Rename BPF_XADD and prepare to encode other atomics in .imm 2021-01-14 18:34:29 -08:00
ctx_sk_lookup.c selftests: bpf: Don't run sk_lookup in verifier tests 2021-03-04 19:11:30 -08:00
ctx_sk_msg.c selftests/bpf: add "any alignment" annotation for some tests 2019-02-05 16:56:10 +01:00
ctx_skb.c selftests/bpf: Add asm tests for pkt vs pkt_end comparison. 2020-11-13 01:42:11 +01:00
d_path.c selftests/bpf: Add verifier test for d_path helper 2020-08-25 15:41:15 -07:00
dead_code.c bpf: Support bpf program calling kernel function 2021-03-26 20:41:51 -07:00
direct_packet_access.c bpf: Rename BPF_XADD and prepare to encode other atomics in .imm 2021-01-14 18:34:29 -08:00
direct_stack_access_wraparound.c
direct_value_access.c selftests/bpf: Mark tests that require unaligned memory access 2020-11-18 17:45:35 -08:00
div0.c
div_overflow.c bpf: fix div64 overflow tests to properly detect errors 2019-06-13 23:07:00 +02:00
event_output.c selftests/bpf: Fix cgroup sockopt verifier test 2020-07-11 01:32:15 +02:00
helper_access_var_len.c selftest/bpf: Adjust expected verifier errors 2021-02-10 10:44:19 -08:00
helper_packet_access.c
helper_value_access.c bpf, selftests: Use bpf_probe_read_kernel 2020-06-02 21:04:04 +02:00
int_ptr.c selftest/bpf: Adjust expected verifier errors 2021-02-10 10:44:19 -08:00
jit.c selftests/bpf: Add verifier tests for x64 jit jump padding 2021-01-20 14:13:52 -08:00
jmp32.c selftests: bpf: Add test for JMP32 JSET BPF_X with upper bits set 2020-03-06 14:17:39 +01:00
jset.c selftests/bpf: add "any alignment" annotation for some tests 2019-02-05 16:56:10 +01:00
jump.c bpf: add various test cases for backward jumps 2019-05-13 01:08:55 +02:00
junk_insn.c
ld_abs.c selftests: bpf: break up the rest of test_verifier 2019-01-27 21:37:45 -08:00
ld_dw.c selftests/bpf: synthetic tests to push verifier limits 2019-04-04 01:27:38 +02:00
ld_imm64.c selftests/bpf: Fix test_verifier after introducing resolve_pseudo_ldimm64 2020-10-06 20:16:57 -07:00
ld_ind.c
leak_ptr.c bpf: Rename BPF_XADD and prepare to encode other atomics in .imm 2021-01-14 18:34:29 -08:00
loops1.c bpf: Add loop test case with 32 bit reg comparison against 0 2019-10-04 12:27:36 -07:00
lwt.c
map_in_map.c
map_ptr.c bpf: Update selftests to reflect new error states 2021-04-16 23:52:15 +02:00
map_ptr_mixing.c bpf: Support access to bpf map fields 2020-06-22 22:22:58 +02:00
map_ret_val.c
masking.c selftests: bpf: break up the rest of test_verifier 2019-01-27 21:37:45 -08:00
meta_access.c bpf: Rename BPF_XADD and prepare to encode other atomics in .imm 2021-01-14 18:34:29 -08:00
perf_event_sample_period.c
precise.c bpf, selftests: Use bpf_probe_read_kernel 2020-06-02 21:04:04 +02:00
prevent_map_lookup.c selftests/bpf: Test that lookup on SOCKMAP/SOCKHASH is allowed 2020-04-29 23:30:59 +02:00
raw_stack.c selftest/bpf: Adjust expected verifier errors 2021-02-10 10:44:19 -08:00
raw_tp_writable.c selftests/bpf: Mark tests that require unaligned memory access 2020-11-18 17:45:35 -08:00
ref_tracking.c selftests/bpf: Mark tests that require unaligned memory access 2020-11-18 17:45:35 -08:00
regalloc.c selftests/bpf: Mark tests that require unaligned memory access 2020-11-18 17:45:35 -08:00
runtime_jit.c bpf: Add further test_verifier cases for record_func_key 2019-12-19 13:39:22 -08:00
scale.c selftests/bpf: two scale tests 2019-04-16 10:18:15 +02:00
search_pruning.c selftests: bpf: break up the rest of test_verifier 2019-01-27 21:37:45 -08:00
sock.c bpf: selftest: Ensure the return value of bpf_skc_to helpers must be checked 2020-10-19 15:57:42 -07:00
spill_fill.c selftests/bpf: Add verifier test for PTR_TO_MEM spill 2021-01-13 19:47:44 -08:00
spin_lock.c selftests/bpf: add "any alignment" annotation for some tests 2019-02-05 16:56:10 +01:00
stack_ptr.c selftest/bpf: Adjust expected verifier errors 2021-02-10 10:44:19 -08:00
subreg.c selftests: bpf: complete sub-register zero extension checks 2019-05-29 13:31:05 +02:00
uninit.c
unpriv.c bpf: Update selftests to reflect new error states 2021-04-16 23:52:15 +02:00
value.c
value_adj_spill.c
value_illegal_alu.c bpf: Rename BPF_XADD and prepare to encode other atomics in .imm 2021-01-14 18:34:29 -08:00
value_or_null.c bpf: Selftests, verifier case for non null pointer map value branch 2020-05-21 17:44:25 -07:00
value_ptr_arith.c bpf: Update selftests to reflect new error states 2021-04-16 23:52:15 +02:00
var_off.c selftest/bpf: Verifier tests for var-off access 2021-02-10 10:44:19 -08:00
wide_access.c selftests/bpf: Mark tests that require unaligned memory access 2020-11-18 17:45:35 -08:00
xadd.c bpf: Rename BPF_XADD and prepare to encode other atomics in .imm 2021-01-14 18:34:29 -08:00
xdp.c selftests: bpf: break up the rest of test_verifier 2019-01-27 21:37:45 -08:00
xdp_direct_packet_access.c selftests: bpf: break up the rest of test_verifier 2019-01-27 21:37:45 -08:00