On 04/12/17 17:03, Jann Horn wrote:
> As far as I can tell, commit b03c9f9fdc37 ("bpf/verifier: track signed
> and unsigned min/max values") introduced the following effectless bug
> in the BPF_RSH case of adjust_scalar_min_max_vals() (unless that's
> intentional):
>
> `dst_reg->smax_value` is only updated in the case where
> `dst_reg->smin_value < 0` and `umin_val == 0`. This is obviously
> harmless if `dst_reg->smax_value >= 0`, but if `dst_reg->smax_value <
> 0`, this will temporarily result in a state where the signed upper
> bound of `dst_reg` is lower than the signed lower bound (which will be
> set to 0). I don't think this should ever happen.
Yep, I think you're right that there's a bug there; but I'm not sure it's
harmless in the dst_reg->smax_value >= 0 case either. Consider: if
dst_reg->smin_value < 0 and dst_reg->smax_value >= 0, then -1 is a
possible value; and ((u64)-1) >> 1 == S64_MAX. So in that case we have
to set dst_reg->smax_value = ((u64)-1) >> umin_val (so long as umin_val
isn't 0, which is the other branch).
If dst_reg->smax_value < 0, then we should set dst_reg->smax_value =
((u64)dst_reg->smax_value) >> umin_val, again excepting the case of
umin_val == 0.
Thanks for spotting this!
I'll rustle up a patch tomorrow, unless you beat me to it. Can I have an
SOB for your BPF bytecode, so I can incorporate it into selftests?
-Ed
