linux/tools/testing/selftests/bpf
Daniel Borkmann 6f16101e6a bpf: mark dst unknown on inconsistent {s, u}bounds adjustments
syzkaller generated a BPF proglet and triggered a warning with
the following:

  0: (b7) r0 = 0
  1: (d5) if r0 s<= 0x0 goto pc+0
   R0=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0
  2: (1f) r0 -= r1
   R0=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0
  verifier internal error: known but bad sbounds

What happens is that in the first insn, r0's min/max value
are both 0 due to the immediate assignment, later in the jsle
test the bounds are updated for the min value in the false
path, meaning, they yield smin_val = 1, smax_val = 0, and when
ctx pointer is subtracted from r0, verifier bails out with the
internal error and throwing a WARN since smin_val != smax_val
for the known constant.

For min_val > max_val scenario it means that reg_set_min_max()
and reg_set_min_max_inv() (which both refine existing bounds)
demonstrated that such branch cannot be taken at runtime.

In above scenario for the case where it will be taken, the
existing [0, 0] bounds are kept intact. Meaning, the rejection
is not due to a verifier internal error, and therefore the
WARN() is not necessary either.

We could just reject such cases in adjust_{ptr,scalar}_min_max_vals()
when either known scalars have smin_val != smax_val or
umin_val != umax_val or any scalar reg with bounds
smin_val > smax_val or umin_val > umax_val. However, there
may be a small risk of breakage of buggy programs, so handle
this more gracefully and in adjust_{ptr,scalar}_min_max_vals()
just taint the dst reg as unknown scalar when we see ops with
such kind of src reg.

Reported-by: syzbot+6d362cadd45dc0a12ba4@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2018-01-17 16:23:17 -08:00
..
gnu selftests/bpf: get rid of -D__x86_64__ 2017-05-03 09:51:25 -04:00
include/uapi/linux License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
.gitignore
bpf_endian.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
bpf_helpers.h bpf: Revert bpf_overrid_function() helper changes. 2017-11-11 18:24:55 +09:00
bpf_util.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
cgroup_helpers.c bpf: move cgroup_helpers from samples/bpf/ to tools/testing/selftesting/bpf/ 2017-11-05 23:26:51 +09:00
cgroup_helpers.h bpf: move cgroup_helpers from samples/bpf/ to tools/testing/selftesting/bpf/ 2017-11-05 23:26:51 +09:00
config
dev_cgroup.c selftests/bpf: add a test for device cgroup controller 2017-11-05 23:26:51 +09:00
Makefile selftests/bpf: fix Makefile for passing LLC to the command line 2017-12-22 00:54:31 +01:00
sockmap_parse_prog.c selftests/bpf: remove useless bpf_trace_printk 2017-11-01 12:06:46 +09:00
sockmap_verdict_prog.c selftests/bpf: remove useless bpf_trace_printk 2017-11-01 12:06:46 +09:00
test_align.c selftests/bpf: fix test_align 2018-01-07 00:10:32 +01:00
test_dev_cgroup.c selftests/bpf: add a test for device cgroup controller 2017-11-05 23:26:51 +09:00
test_iptunnel_common.h selftests/bpf: add a test for basic XDP functionality 2017-04-01 12:45:57 -07:00
test_kmod.sh License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
test_l4lb.c bpf: Move endianness BPF helpers out of bpf_util.h 2017-05-01 12:43:49 -07:00
test_lpm_map.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
test_lru_map.c bpf: lru: Lower the PERCPU_NR_SCANS from 16 to 4 2017-04-17 13:55:52 -04:00
test_maps.c selftests/bpf: fix broken build of test_maps 2017-10-23 01:06:31 +01:00
test_obj_id.c bpf: Fix test_obj_id.c for llvm 5.0 2017-06-09 15:15:11 -04:00
test_pkt_access.c selftests/bpf: fix broken build due to types.h 2017-05-17 18:45:14 -04:00
test_pkt_md_access.c bpf: fix selftest/bpf/test_pkt_md_access on s390x 2017-08-07 10:06:27 -07:00
test_progs.c bpf: Fix tools and testing build. 2017-12-20 00:15:05 +01:00
test_tag.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
test_tcp_estats.c selftests/bpf: add a test case to check verifier pointer arithmetic 2017-05-03 09:51:25 -04:00
test_verifier_log.c tools/bpf: adjust rlimit RLIMIT_MEMLOCK for test_verifier_log 2017-11-30 19:55:18 +01:00
test_verifier.c bpf: mark dst unknown on inconsistent {s, u}bounds adjustments 2018-01-17 16:23:17 -08:00
test_xdp_meta.c bpf: improve selftests and add tests for meta pointer 2017-09-26 13:36:44 -07:00
test_xdp_meta.sh bpf: improve selftests and add tests for meta pointer 2017-09-26 13:36:44 -07:00
test_xdp_redirect.c selftests: bpf: add a test for XDP redirect 2017-08-08 18:12:50 -07:00
test_xdp_redirect.sh selftests: bpf: add check for ip XDP redirect 2017-08-11 14:57:31 -07:00
test_xdp.c selftests: bpf: Use bpf_endian.h in test_xdp.c 2017-05-02 07:52:01 -07:00