From patchwork Tue Dec 19 04:11:59 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alexei Starovoitov <ast@kernel.org>
X-Patchwork-Id: 850556
X-Patchwork-Delegate: bpf@iogearbox.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming@ozlabs.org
Delivered-To: patchwork-incoming@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 3z14Hk09JTz9t0m
	for <patchwork-incoming@ozlabs.org>;
	Tue, 19 Dec 2017 15:12:34 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S966379AbdLSEMQ (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);
	Mon, 18 Dec 2017 23:12:16 -0500
Received: from mx0a-00082601.pphosted.com ([67.231.145.42]:47422 "EHLO
	mx0a-00082601.pphosted.com" rhost-flags-OK-OK-OK-OK)
	by vger.kernel.org with ESMTP id S965498AbdLSEMF (ORCPT
	<rfc822;netdev@vger.kernel.org>); Mon, 18 Dec 2017 23:12:05 -0500
Received: from pps.filterd (m0109334.ppops.net [127.0.0.1])
	by mx0a-00082601.pphosted.com (8.16.0.21/8.16.0.21) with SMTP id
	vBJ47ewC007773
	for <netdev@vger.kernel.org>; Mon, 18 Dec 2017 20:12:05 -0800
Received: from mail.thefacebook.com ([199.201.64.23])
	by mx0a-00082601.pphosted.com with ESMTP id 2exmm7900k-10
	(version=TLSv1 cipher=ECDHE-RSA-AES256-SHA bits=256 verify=NOT)
	for <netdev@vger.kernel.org>; Mon, 18 Dec 2017 20:12:04 -0800
Received: from PRN-CHUB02.TheFacebook.com (2620:10d:c081:35::11) by
	PRN-CHUB10.TheFacebook.com (2620:10d:c081:35::19) with Microsoft SMTP
	Server (TLS) id 14.3.361.1; Mon, 18 Dec 2017 20:12:03 -0800
Received: from mx-out.facebook.com (192.168.52.123) by
	PRN-CHUB02.TheFacebook.com (192.168.16.12) with Microsoft SMTP Server
	id 14.3.361.1; Mon, 18 Dec 2017 20:12:02 -0800
Received: by devbig500.prn1.facebook.com (Postfix, from userid 572438)  id
	85B69218109C; Mon, 18 Dec 2017 20:12:02 -0800 (PST)
Smtp-Origin-Hostprefix: devbig
From: Alexei Starovoitov <ast@kernel.org>
Smtp-Origin-Hostname: devbig500.prn1.facebook.com
To: "David S . Miller" <davem@davemloft.net>
CC: Daniel Borkmann <daniel@iogearbox.net>, Jann Horn <jannh@google.com>,
	Edward Cree <ecree@solarflare.com>, <netdev@vger.kernel.org>,
	<kernel-team@fb.com>
Smtp-Origin-Cluster: prn1c29
Subject: [PATCH bpf 7/9] bpf: don't prune branches when a scalar is replaced
	with a pointer
Date: Mon, 18 Dec 2017 20:11:59 -0800
Message-ID: <20171219041201.1979983-8-ast@kernel.org>
X-Mailer: git-send-email 2.9.5
In-Reply-To: <20171219041201.1979983-1-ast@kernel.org>
References: <20171219041201.1979983-1-ast@kernel.org>
X-FB-Internal: Safe
MIME-Version: 1.0
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, ,
	definitions=2017-12-19_03:, , signatures=0
X-Proofpoint-Spam-Reason: safe
X-FB-Internal: Safe
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Jann Horn <jannh@google.com>

This could be made safe by passing through a reference to env and checking
for env->allow_ptr_leaks, but it would only work one way and is probably
not worth the hassle - not doing it will not directly lead to program
rejection.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
---
 kernel/bpf/verifier.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 102c519836f6..982bd9ec721a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3467,15 +3467,14 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
 			return range_within(rold, rcur) &&
 			       tnum_in(rold->var_off, rcur->var_off);
 		} else {
-			/* if we knew anything about the old value, we're not
-			 * equal, because we can't know anything about the
-			 * scalar value of the pointer in the new value.
+			/* We're trying to use a pointer in place of a scalar.
+			 * Even if the scalar was unbounded, this could lead to
+			 * pointer leaks because scalars are allowed to leak
+			 * while pointers are not. We could make this safe in
+			 * special cases if root is calling us, but it's
+			 * probably not worth the hassle.
 			 */
-			return rold->umin_value == 0 &&
-			       rold->umax_value == U64_MAX &&
-			       rold->smin_value == S64_MIN &&
-			       rold->smax_value == S64_MAX &&
-			       tnum_is_unknown(rold->var_off);
+			return false;
 		}
 	case PTR_TO_MAP_VALUE:
 		/* If the new min/max/var_off satisfy the old ones and