Daniel Borkmann 10bf4e8316 bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds ... Similarly as b02709587e ("bpf: Fix propagation of 32-bit signed bounds from 64-bit bounds."), we also need to fix the propagation of 32 bit unsigned bounds from 64 bit counterparts. That is, really only set the u32_{min,max}_value when /both/ {umin,umax}_value safely fit in 32 bit space. For example, the register with a umin_value == 1 does /not/ imply that u32_min_value is also equal to 1, since umax_value could be much larger than 32 bit subregister can hold, and thus u32_min_value is in the interval [0,1] instead. Before fix, invalid tracking result of R2_w=inv1: [...] 5: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0) R10=fp0 5: (35) if r2 >= 0x1 goto pc+1 [...] // goto path 7: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,umin_value=1) R10=fp0 7: (b6) if w2 <= 0x1 goto pc+1 [...] // goto path 9: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,smin_value=-9223372036854775807,smax_value=9223372032559808513,umin_value=1,umax_value=18446744069414584321,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_max_value=1) R10=fp0 9: (bc) w2 = w2 10: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv1 R10=fp0 [...] After fix, correct tracking result of R2_w=inv(id=0,umax_value=1,var_off=(0x0; 0x1)): [...] 5: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0) R10=fp0 5: (35) if r2 >= 0x1 goto pc+1 [...] // goto path 7: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,umin_value=1) R10=fp0 7: (b6) if w2 <= 0x1 goto pc+1 [...] // goto path 9: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2=inv(id=0,smax_value=9223372032559808513,umax_value=18446744069414584321,var_off=(0x0; 0xffffffff00000001),s32_min_value=0,s32_max_value=1,u32_max_value=1) R10=fp0 9: (bc) w2 = w2 10: R0=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,umax_value=1,var_off=(0x0; 0x1)) R10=fp0 [...] Thus, same issue as in b02709587e holds for unsigned subregister tracking. Also, align __reg64_bound_u32() similarly to __reg64_bound_s32() as done in b02709587e to make them uniform again. Fixes: 3f50f132d8 ("bpf: Verifier, do explicit ALU32 bounds tracking") Reported-by: Manfred Paul (@_manfp) Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org>		2021-04-27 17:13:49 +02:00
..
accounting
arch	ia64: tools: remove duplicate definition of ia64_mf() on ia64	2021-04-16 16:10:37 -07:00
bootconfig	tools/bootconfig: Add tracing_on support to helper scripts	2021-01-14 10:32:20 -05:00
bpf	bpftool: Dump more info about DATASEC members	2021-04-23 14:05:26 -07:00
build	perf build: Move feature cleanup under tools/build	2021-03-06 16:54:24 -03:00
cgroup
debugging
edid
firewire
firmware
gpio	tools: gpio: remove uAPI v1 code no longer used by selftests	2021-02-15 11:43:28 +01:00
hv
iio
include	Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2021-04-25 18:02:32 -07:00
io_uring
kvm/kvm_stat	tools/kvm_stat: Add restart delay	2021-03-30 13:07:09 -04:00
laptop
leds
lib	selftests/bpf: Fix BPF_CORE_READ_BITFIELD() macro	2021-04-26 18:37:13 -07:00
memory-model	tools/memory-model: Fix typo in klitmus7 compatibility table	2021-01-04 14:40:50 -08:00
objtool	objtool,x86: Fix uaccess PUSHF/POPF validation	2021-03-12 09:15:49 +01:00
pci
pcmcia
perf	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2021-04-17 11:08:07 -07:00
power	platform-drivers-x86 for v5.12-1	2021-02-22 08:50:01 -08:00
scripts	tools: Allow proper CC/CXX/... override with LLVM=1 in Makefile.include	2021-04-15 16:50:21 -07:00
spi
testing	bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds	2021-04-27 17:13:49 +02:00
thermal/tmon
time
tracing	tracing/tools: fix a couple of spelling mistakes	2021-02-25 12:54:16 -05:00
usb
virtio
vm
wmi
Makefile	tracing/tools: Add the latency-collector to tools directory	2021-02-12 11:52:59 -05:00