forked from Minki/linux
0af2ffc93a
Anatoly has been fuzzing with kBdysch harness and reported a hang in one of the outcomes: 0: R1=ctx(id=0,off=0,imm=0) R10=fp0 0: (85) call bpf_get_socket_cookie#46 1: R0_w=invP(id=0) R10=fp0 1: (57) r0 &= 808464432 2: R0_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0 2: (14) w0 -= 810299440 3: R0_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0 3: (c4) w0 s>>= 1 4: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0 4: (76) if w0 s>= 0x30303030 goto pc+216 221: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0 221: (95) exit processed 6 insns (limit 1000000) [...] Taking a closer look, the program was xlated as follows: # ./bpftool p d x i 12 0: (85) call bpf_get_socket_cookie#7800896 1: (bf) r6 = r0 2: (57) r6 &= 808464432 3: (14) w6 -= 810299440 4: (c4) w6 s>>= 1 5: (76) if w6 s>= 0x30303030 goto pc+216 6: (05) goto pc-1 7: (05) goto pc-1 8: (05) goto pc-1 [...] 220: (05) goto pc-1 221: (05) goto pc-1 222: (95) exit Meaning, the visible effect is very similar tof54c7898ed
("bpf: Fix precision tracking for unbounded scalars"), that is, the fall-through branch in the instruction 5 is considered to be never taken given the conclusion from the min/max bounds tracking in w6, and therefore the dead-code sanitation rewrites it as goto pc-1. However, real-life input disagrees with verification analysis since a soft-lockup was observed. The bug sits in the analysis of the ARSH. The definition is that we shift the target register value right by K bits through shifting in copies of its sign bit. In adjust_scalar_min_max_vals(), we do first coerce the register into 32 bit mode, same happens after simulating the operation. However, for the case of simulating the actual ARSH, we don't take the mode into account and act as if it's always 64 bit, but location of sign bit is different: dst_reg->smin_value >>= umin_val; dst_reg->smax_value >>= umin_val; dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val); Consider an unknown R0 where bpf_get_socket_cookie() (or others) would for example return 0xffff. With the above ARSH simulation, we'd see the following results: [...] 1: R1=ctx(id=0,off=0,imm=0) R2_w=invP65535 R10=fp0 1: (85) call bpf_get_socket_cookie#46 2: R0_w=invP(id=0) R10=fp0 2: (57) r0 &= 808464432 -> R0_runtime = 0x3030 3: R0_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0 3: (14) w0 -= 810299440 -> R0_runtime = 0xcfb40000 4: R0_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0 (0xffffffff) 4: (c4) w0 s>>= 1 -> R0_runtime = 0xe7da0000 5: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0 (0x67c00000) (0x7ffbfff8) [...] In insn 3, we have a runtime value of 0xcfb40000, which is '1100 1111 1011 0100 0000 0000 0000 0000', the result after the shift has 0xe7da0000 that is '1110 0111 1101 1010 0000 0000 0000 0000', where the sign bit is correctly retained in 32 bit mode. In insn4, the umax was 0xffffffff, and changed into 0x7ffbfff8 after the shift, that is, '0111 1111 1111 1011 1111 1111 1111 1000' and means here that the simulation didn't retain the sign bit. With above logic, the updates happen on the 64 bit min/max bounds and given we coerced the register, the sign bits of the bounds are cleared as well, meaning, we need to force the simulation into s32 space for 32 bit alu mode. Verification after the fix below. We're first analyzing the fall-through branch on 32 bit signed >= test eventually leading to rejection of the program in this specific case: 0: R1=ctx(id=0,off=0,imm=0) R10=fp0 0: (b7) r2 = 808464432 1: R1=ctx(id=0,off=0,imm=0) R2_w=invP808464432 R10=fp0 1: (85) call bpf_get_socket_cookie#46 2: R0_w=invP(id=0) R10=fp0 2: (bf) r6 = r0 3: R0_w=invP(id=0) R6_w=invP(id=0) R10=fp0 3: (57) r6 &= 808464432 4: R0_w=invP(id=0) R6_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0 4: (14) w6 -= 810299440 5: R0_w=invP(id=0) R6_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0 5: (c4) w6 s>>= 1 6: R0_w=invP(id=0) R6_w=invP(id=0,umin_value=3888119808,umax_value=4294705144,var_off=(0xe7c00000; 0x183bfff8)) R10=fp0 (0x67c00000) (0xfffbfff8) 6: (76) if w6 s>= 0x30303030 goto pc+216 7: R0_w=invP(id=0) R6_w=invP(id=0,umin_value=3888119808,umax_value=4294705144,var_off=(0xe7c00000; 0x183bfff8)) R10=fp0 7: (30) r0 = *(u8 *)skb[808464432] BPF_LD_[ABS|IND] uses reserved fields processed 8 insns (limit 1000000) [...] Fixes:9cbe1f5a32
("bpf/verifier: improve register value range tracking with ARSH") Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20200115204733.16648-1-daniel@iogearbox.net
197 lines
4.3 KiB
C
197 lines
4.3 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/* tnum: tracked (or tristate) numbers
|
|
*
|
|
* A tnum tracks knowledge about the bits of a value. Each bit can be either
|
|
* known (0 or 1), or unknown (x). Arithmetic operations on tnums will
|
|
* propagate the unknown bits such that the tnum result represents all the
|
|
* possible results for possible values of the operands.
|
|
*/
|
|
#include <linux/kernel.h>
|
|
#include <linux/tnum.h>
|
|
|
|
#define TNUM(_v, _m) (struct tnum){.value = _v, .mask = _m}
|
|
/* A completely unknown value */
|
|
const struct tnum tnum_unknown = { .value = 0, .mask = -1 };
|
|
|
|
struct tnum tnum_const(u64 value)
|
|
{
|
|
return TNUM(value, 0);
|
|
}
|
|
|
|
struct tnum tnum_range(u64 min, u64 max)
|
|
{
|
|
u64 chi = min ^ max, delta;
|
|
u8 bits = fls64(chi);
|
|
|
|
/* special case, needed because 1ULL << 64 is undefined */
|
|
if (bits > 63)
|
|
return tnum_unknown;
|
|
/* e.g. if chi = 4, bits = 3, delta = (1<<3) - 1 = 7.
|
|
* if chi = 0, bits = 0, delta = (1<<0) - 1 = 0, so we return
|
|
* constant min (since min == max).
|
|
*/
|
|
delta = (1ULL << bits) - 1;
|
|
return TNUM(min & ~delta, delta);
|
|
}
|
|
|
|
struct tnum tnum_lshift(struct tnum a, u8 shift)
|
|
{
|
|
return TNUM(a.value << shift, a.mask << shift);
|
|
}
|
|
|
|
struct tnum tnum_rshift(struct tnum a, u8 shift)
|
|
{
|
|
return TNUM(a.value >> shift, a.mask >> shift);
|
|
}
|
|
|
|
struct tnum tnum_arshift(struct tnum a, u8 min_shift, u8 insn_bitness)
|
|
{
|
|
/* if a.value is negative, arithmetic shifting by minimum shift
|
|
* will have larger negative offset compared to more shifting.
|
|
* If a.value is nonnegative, arithmetic shifting by minimum shift
|
|
* will have larger positive offset compare to more shifting.
|
|
*/
|
|
if (insn_bitness == 32)
|
|
return TNUM((u32)(((s32)a.value) >> min_shift),
|
|
(u32)(((s32)a.mask) >> min_shift));
|
|
else
|
|
return TNUM((s64)a.value >> min_shift,
|
|
(s64)a.mask >> min_shift);
|
|
}
|
|
|
|
struct tnum tnum_add(struct tnum a, struct tnum b)
|
|
{
|
|
u64 sm, sv, sigma, chi, mu;
|
|
|
|
sm = a.mask + b.mask;
|
|
sv = a.value + b.value;
|
|
sigma = sm + sv;
|
|
chi = sigma ^ sv;
|
|
mu = chi | a.mask | b.mask;
|
|
return TNUM(sv & ~mu, mu);
|
|
}
|
|
|
|
struct tnum tnum_sub(struct tnum a, struct tnum b)
|
|
{
|
|
u64 dv, alpha, beta, chi, mu;
|
|
|
|
dv = a.value - b.value;
|
|
alpha = dv + a.mask;
|
|
beta = dv - b.mask;
|
|
chi = alpha ^ beta;
|
|
mu = chi | a.mask | b.mask;
|
|
return TNUM(dv & ~mu, mu);
|
|
}
|
|
|
|
struct tnum tnum_and(struct tnum a, struct tnum b)
|
|
{
|
|
u64 alpha, beta, v;
|
|
|
|
alpha = a.value | a.mask;
|
|
beta = b.value | b.mask;
|
|
v = a.value & b.value;
|
|
return TNUM(v, alpha & beta & ~v);
|
|
}
|
|
|
|
struct tnum tnum_or(struct tnum a, struct tnum b)
|
|
{
|
|
u64 v, mu;
|
|
|
|
v = a.value | b.value;
|
|
mu = a.mask | b.mask;
|
|
return TNUM(v, mu & ~v);
|
|
}
|
|
|
|
struct tnum tnum_xor(struct tnum a, struct tnum b)
|
|
{
|
|
u64 v, mu;
|
|
|
|
v = a.value ^ b.value;
|
|
mu = a.mask | b.mask;
|
|
return TNUM(v & ~mu, mu);
|
|
}
|
|
|
|
/* half-multiply add: acc += (unknown * mask * value).
|
|
* An intermediate step in the multiply algorithm.
|
|
*/
|
|
static struct tnum hma(struct tnum acc, u64 value, u64 mask)
|
|
{
|
|
while (mask) {
|
|
if (mask & 1)
|
|
acc = tnum_add(acc, TNUM(0, value));
|
|
mask >>= 1;
|
|
value <<= 1;
|
|
}
|
|
return acc;
|
|
}
|
|
|
|
struct tnum tnum_mul(struct tnum a, struct tnum b)
|
|
{
|
|
struct tnum acc;
|
|
u64 pi;
|
|
|
|
pi = a.value * b.value;
|
|
acc = hma(TNUM(pi, 0), a.mask, b.mask | b.value);
|
|
return hma(acc, b.mask, a.value);
|
|
}
|
|
|
|
/* Note that if a and b disagree - i.e. one has a 'known 1' where the other has
|
|
* a 'known 0' - this will return a 'known 1' for that bit.
|
|
*/
|
|
struct tnum tnum_intersect(struct tnum a, struct tnum b)
|
|
{
|
|
u64 v, mu;
|
|
|
|
v = a.value | b.value;
|
|
mu = a.mask & b.mask;
|
|
return TNUM(v & ~mu, mu);
|
|
}
|
|
|
|
struct tnum tnum_cast(struct tnum a, u8 size)
|
|
{
|
|
a.value &= (1ULL << (size * 8)) - 1;
|
|
a.mask &= (1ULL << (size * 8)) - 1;
|
|
return a;
|
|
}
|
|
|
|
bool tnum_is_aligned(struct tnum a, u64 size)
|
|
{
|
|
if (!size)
|
|
return true;
|
|
return !((a.value | a.mask) & (size - 1));
|
|
}
|
|
|
|
bool tnum_in(struct tnum a, struct tnum b)
|
|
{
|
|
if (b.mask & ~a.mask)
|
|
return false;
|
|
b.value &= ~a.mask;
|
|
return a.value == b.value;
|
|
}
|
|
|
|
int tnum_strn(char *str, size_t size, struct tnum a)
|
|
{
|
|
return snprintf(str, size, "(%#llx; %#llx)", a.value, a.mask);
|
|
}
|
|
EXPORT_SYMBOL_GPL(tnum_strn);
|
|
|
|
int tnum_sbin(char *str, size_t size, struct tnum a)
|
|
{
|
|
size_t n;
|
|
|
|
for (n = 64; n; n--) {
|
|
if (n < size) {
|
|
if (a.mask & 1)
|
|
str[n - 1] = 'x';
|
|
else if (a.value & 1)
|
|
str[n - 1] = '1';
|
|
else
|
|
str[n - 1] = '0';
|
|
}
|
|
a.mask >>= 1;
|
|
a.value >>= 1;
|
|
}
|
|
str[min(size - 1, (size_t)64)] = 0;
|
|
return 64;
|
|
}
|