From patchwork Mon Nov 14 20:45:36 2016
X-Patchwork-Submitter: Josef Bacik
X-Patchwork-Id: 694699
X-Patchwork-Delegate: davem@davemloft.net
From: Josef Bacik
Subject: [PATCH net][v2] bpf: fix range arithmetic for bpf map access
Date: Mon, 14 Nov 2016 15:45:36 -0500
Message-ID: <1479156336-6211-1-git-send-email-jbacik@fb.com>
X-Mailing-List: netdev@vger.kernel.org

I made some invalid assumptions with BPF_AND and BPF_MOD that could result in
invalid accesses to bpf map entries.  Fix this up by doing a few things

1) Kill BPF_MOD support.  This doesn't actually get used by the compiler in real
life and just adds extra complexity.

2) Fix the logic for BPF_AND, don't allow AND of negative numbers and set the
minimum value to 0 for positive AND's.

3) Don't do operations on the ranges if they are set to the limits, as they are
by definition undefined, and allowing arithmetic operations on those values
could make them appear valid when they really aren't.

This fixes the testcase provided by Jann as well as a few other theoretical
problems.

Reported-by: Jann Horn
Signed-off-by: Josef Bacik Acked-by: Alexei Starovoitov --- V1->V2: - set the MIN_RANGE to -1 to essentially disable all negative values for the min value. - rebased onto net instead of net-next. include/linux/bpf_verifier.h | 5 ++-- kernel/bpf/verifier.c | 70 +++++++++++++++++++++++++++++--------------- 2 files changed, 50 insertions(+), 25 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 7035b99..6aaf425 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -14,7 +14,7 @@ * are obviously wrong for any sort of memory access. */ #define BPF_REGISTER_MAX_RANGE (1024 * 1024 * 1024) -#define BPF_REGISTER_MIN_RANGE -(1024 * 1024 * 1024) +#define BPF_REGISTER_MIN_RANGE -1 struct bpf_reg_state { enum bpf_reg_type type; @@ -22,7 +22,8 @@ struct bpf_reg_state { * Used to determine if any memory access using this register will * result in a bad access. */ - u64 min_value, max_value; + s64 min_value; + u64 max_value; union { /* valid when type == CONST_IMM | PTR_TO_STACK | UNKNOWN_VALUE */ s64 imm; diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 99a7e5b..6a93615 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -216,8 +216,8 @@ static void print_verifier_state(struct bpf_verifier_state *state) reg->map_ptr->key_size, reg->map_ptr->value_size); if (reg->min_value != BPF_REGISTER_MIN_RANGE) - verbose(",min_value=%llu", - (unsigned long long)reg->min_value); + verbose(",min_value=%lld", + (long long)reg->min_value); if (reg->max_value != BPF_REGISTER_MAX_RANGE) verbose(",max_value=%llu", (unsigned long long)reg->max_value); 
@@ -758,7 +758,7 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off, * index'es we need to make sure that whatever we use * will have a set floor within our range. */ - if ((s64)reg->min_value < 0) { + if (reg->min_value < 0) { verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n", regno); return -EACCES; @@ -1468,7 +1468,8 @@ static void check_reg_overflow(struct bpf_reg_state *reg) { if (reg->max_value > BPF_REGISTER_MAX_RANGE) reg->max_value = BPF_REGISTER_MAX_RANGE; - if ((s64)reg->min_value < BPF_REGISTER_MIN_RANGE) + if (reg->min_value < BPF_REGISTER_MIN_RANGE || + reg->min_value > BPF_REGISTER_MAX_RANGE) reg->min_value = BPF_REGISTER_MIN_RANGE; } @@ -1476,7 +1477,8 @@ static void adjust_reg_min_max_vals(struct bpf_verifier_env *env, struct bpf_insn *insn) { struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg; - u64 min_val = BPF_REGISTER_MIN_RANGE, max_val = BPF_REGISTER_MAX_RANGE; + s64 min_val = BPF_REGISTER_MIN_RANGE; + u64 max_val = BPF_REGISTER_MAX_RANGE; bool min_set = false, max_set = false; u8 opcode = BPF_OP(insn->code); 
@@ -1512,22 +1514,43 @@ static void adjust_reg_min_max_vals(struct bpf_verifier_env *env, return; } + /* If one of our values was at the end of our ranges then we can't just + * do our normal operations to the register, we need to set the values + * to the min/max since they are undefined. + */ + if (min_val == BPF_REGISTER_MIN_RANGE) + dst_reg->min_value = BPF_REGISTER_MIN_RANGE; + if (max_val == BPF_REGISTER_MAX_RANGE) + dst_reg->max_value = BPF_REGISTER_MAX_RANGE; + switch (opcode) { case BPF_ADD: - dst_reg->min_value += min_val; - dst_reg->max_value += max_val; + if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE) + dst_reg->min_value += min_val; + if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) + dst_reg->max_value += max_val; break; case BPF_SUB: - dst_reg->min_value -= min_val; - dst_reg->max_value -= max_val; + if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE) + dst_reg->min_value -= min_val; + if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) + dst_reg->max_value -= max_val; break; case BPF_MUL: - dst_reg->min_value *= min_val; - dst_reg->max_value *= max_val; + if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE) + dst_reg->min_value *= min_val; + if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) + dst_reg->max_value *= max_val; break; case BPF_AND: - /* & is special since it could end up with 0 bits set. */ - dst_reg->min_value &= min_val; + /* Disallow AND'ing of negative numbers, ain't nobody got time + * for that. Otherwise the minimum is 0 and the max is the max + * value we could AND against. + */ + if (min_val < 0) + dst_reg->min_value = BPF_REGISTER_MIN_RANGE; + else + dst_reg->min_value = 0; dst_reg->max_value = max_val; break; case BPF_LSH: 
@@ -1537,24 +1560,25 @@ static void adjust_reg_min_max_vals(struct bpf_verifier_env *env, */ if (min_val > ilog2(BPF_REGISTER_MAX_RANGE)) dst_reg->min_value = BPF_REGISTER_MIN_RANGE; - else + else if (dst_reg->min_value != BPF_REGISTER_MIN_RANGE) dst_reg->min_value <<= min_val; if (max_val > ilog2(BPF_REGISTER_MAX_RANGE)) dst_reg->max_value = BPF_REGISTER_MAX_RANGE; - else + else if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) dst_reg->max_value <<= max_val; break; case BPF_RSH: - dst_reg->min_value >>= min_val; - dst_reg->max_value >>= max_val; - break; - case BPF_MOD: - /* % is special since it is an unsigned modulus, so the floor - * will always be 0. + /* RSH by a negative number is undefined, and the BPF_RSH is an + * unsigned shift, so make the appropriate casts. */ - dst_reg->min_value = 0; - dst_reg->max_value = max_val - 1; + if (min_val < 0 || dst_reg->min_value < 0) + dst_reg->min_value = BPF_REGISTER_MIN_RANGE; + else + dst_reg->min_value = + (u64)(dst_reg->min_value) >> min_val; + if (dst_reg->max_value != BPF_REGISTER_MAX_RANGE) + dst_reg->max_value >>= max_val; break; default: reset_reg_range_values(regs, insn->dst_reg);
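Review bot: In include/linux/bpf_verifier.h (hunk @@ -14,7), `BPF_REGISTER_MIN_RANGE` becomes `-1`, so one value now stands both for "minimum unknown" and for a real lower bound of -1, while the comment above the defines still describes the limits as values that "are obviously wrong for any sort of memory access". Suggest extending that comment to state that any negative minimum is treated as unknown, and writing the macro as `(-1)` so it expands safely inside a larger expression.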
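Review bot: In check_reg_overflow() (kernel/bpf/verifier.c, hunk @@ -1468,7), each bound is clamped on its own and nothing handles a signed `min_value` that ends up above `max_value`, which the min/min and max/max arithmetic in adjust_reg_min_max_vals() can produce. Since `min_value` is now `s64` and `max_value` stays `u64`, consider resetting both bounds when `min_value > 0 && (u64)min_value > max_value`, and add a one-line comment explaining why a minimum above `BPF_REGISTER_MAX_RANGE` collapses to `BPF_REGISTER_MIN_RANGE`.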
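Review bot: In the BPF_SUB case of adjust_reg_min_max_vals() (hunk @@ -1512,22), the new guards keep the pairing `dst_reg->min_value -= min_val` and `dst_reg->max_value -= max_val`, which is not a sound interval subtraction, because the smallest result is the destination minimum minus the source maximum. For a destination in [5, 10] and a source in [1, 8] this computes min 4 and max 2, while the real result can be as low as -3 and as high as 9. Suggest subtracting `max_val` from the minimum and `min_val` from the maximum, and treating a `u64` maximum that would go below zero as unknown.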
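Review bot: In the BPF_LSH branch (hunk @@ -1537,24), `min_val` is now `s64` but only its upper limit is tested with `min_val > ilog2(BPF_REGISTER_MAX_RANGE)`, whereas the BPF_RSH branch just below rejects `min_val < 0` explicitly. LSH should carry the same explicit check rather than rely on the sentinel handling before the switch to keep a negative count away from `dst_reg->min_value <<= min_val`. In BPF_RSH the bounds are also paired min with min and max with max, although the smallest result of a right shift comes from the largest shift count; consider shifting the minimum by `max_val` and the maximum by `min_val`, or resetting the range when the shift amount is not a single known value.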