Syzbot reported a kernel warning due to a range invariant violation in the BPF verifier. The issue occurs when tnum_overlap() fails to detect that two tnums don't have any overlapping bits.
The problematic BPF program: 0: call bpf_get_prandom_u32 1: r6 = r0 2: r6 &= 0xFFFFFFFFFFFFFFF0 3: r7 = r0 4: r7 &= 0x07 5: r7 -= 0xFF 6: if r6 == r7 goto <exit> After instruction 5, R7 has the range: R7: u64=[0xffffffffffffff01, 0xffffffffffffff08] var_off=(0xffffffffffffff00; 0xf) R6 and R7 don't overlap since they have no agreeing bits. However, is_branch_taken() fails to recognize this, causing the verifier to refine register bounds and trigger range bounds violation: 6: if r6 == r7 goto <exit> true_reg1: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) true_reg2: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) The root cause is that tnum_overlap() doesn't properly handle the case where the masks have no overlapping bits. Fix this by adding an early check for zero mask intersection in tnum_overlap(). Reported-by: [email protected] Fixes: f41345f47fb2 ("bpf: Use tnums for JEQ/JNE is_branch_taken logic") Signed-off-by: KaFai Wan <[email protected]> --- kernel/bpf/tnum.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c index f8e70e9c3998..1a75b7c9a73a 100644 --- a/kernel/bpf/tnum.c +++ b/kernel/bpf/tnum.c @@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b) { u64 mu; + if (a.mask && b.mask && !(a.mask & b.mask)) + return false; mu = ~a.mask & ~b.mask; return (a.value & mu) == (b.value & mu); } -- 2.43.0
