kernel-hardening.lists.openwall.com archive mirror
From: Eric Biggers <ebiggers@kernel.org>
To: Alexei Starovoitov <alexei.starovoitov@gmail.com>
Cc: Kees Cook <keescook@chromium.org>, Yonghong Song <yhs@fb.com>,
	Dmitry Vyukov <dvyukov@google.com>,
	Kurt Manucredo <fuzzybritches0@gmail.com>,
	syzbot+bed360704c521841c85d@syzkaller.appspotmail.com,
	Andrii Nakryiko <andrii@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>, bpf <bpf@vger.kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	"David S. Miller" <davem@davemloft.net>,
	Jesper Dangaard Brouer <hawk@kernel.org>,
	John Fastabend <john.fastabend@gmail.com>,
	Martin KaFai Lau <kafai@fb.com>, KP Singh <kpsingh@kernel.org>,
	Jakub Kicinski <kuba@kernel.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Network Development <netdev@vger.kernel.org>,
	Song Liu <songliubraving@fb.com>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	nathan@kernel.org, Nick Desaulniers <ndesaulniers@google.com>,
	Clang-Built-Linux ML <clang-built-linux@googlegroups.com>,
	linux-kernel-mentees@lists.linuxfoundation.org,
	Shuah Khan <skhan@linuxfoundation.org>,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Kernel Hardening <kernel-hardening@lists.openwall.com>,
	kasan-dev <kasan-dev@googlegroups.com>
Subject: Re: [PATCH v4] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run
Date: Thu, 10 Jun 2021 13:00:44 -0700	[thread overview]
Message-ID: <YMJvbGEz0xu9JU9D@gmail.com> (raw)
In-Reply-To: <CAADnVQKMwKYgthoQV4RmGpZm9Hm-=wH3DoaNqs=UZRmJKefwGw@mail.gmail.com>

On Thu, Jun 10, 2021 at 10:52:37AM -0700, Alexei Starovoitov wrote:
> On Thu, Jun 10, 2021 at 10:06 AM Kees Cook <keescook@chromium.org> wrote:
> >
> > > > I guess the main question: what should happen if a bpf program writer
> > > > does _not_ use compiler nor check_shl_overflow()?
> >
> > I think the BPF runtime needs to make such actions defined, instead of
> > doing a blind shift. It needs to check the size of the shift explicitly
> > when handling the shift instruction.
> 
> Such ideas were brought up in the past and rejected.
> We're not going to sacrifice performance to make behavior a bit more
> 'defined'. CPUs are doing it deterministically.

What CPUs do is not the whole story.  The compiler can assume that the shift
amount is less than the width and use that assumption in other places, resulting
in other things being miscompiled.

Couldn't you just AND the shift amounts with the width minus 1?  That would make
the shifts defined, and the compiler would optimize out the AND on any CPU that
interprets the shift amounts modulo the width anyway (e.g., x86).

- Eric
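The masking Eric proposes, worked through as an added example that is not part of this thread or of the kernel's BPF interpreter: a toy run loop whose ALU32/ALU64 shift handlers AND the shift amount with width-1 so the C shift is always defined, placed next to the blind form for contrast. All `toy_*` names, the instruction layout and the sample program are assumptions for illustration, not ___bpf_prog_run internals.

```c
/* Added example, not from the kernel tree: masking BPF-style shift amounts
 * with (width - 1) so the interpreter never performs a C shift by >= width.
 * Everything named toy_* is an assumption made for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Contrast: the blind form. For amount >= 64 this is undefined behaviour in
 * C even though x86 hardware would compute it modulo 64; a compiler may use
 * the assumption "amount < 64" to fold checks elsewhere. Only ever called
 * here with in-range amounts. */
static uint64_t shl64_blind(uint64_t val, uint64_t amount)
{
    return val << amount;
}

enum toy_shift_op { TOY_LSH, TOY_RSH, TOY_ARSH };

/* 64-bit shift with the amount masked to 0..63: always defined in C, and on
 * an ISA whose shift instructions already take the count modulo the width
 * (x86 SHL/SHR/SAR mask to 6 bits) the compiler drops the AND entirely. */
static uint64_t toy_shift64(enum toy_shift_op op, uint64_t val, uint64_t amount)
{
    unsigned int n = (unsigned int)(amount & 63);

    switch (op) {
    case TOY_LSH:  return val << n;
    case TOY_RSH:  return val >> n;
    case TOY_ARSH: return (uint64_t)((int64_t)val >> n); /* sign-propagating */
    }
    return 0;
}

/* 32-bit variant: amount masked to 0..31. */
static uint32_t toy_shift32(enum toy_shift_op op, uint32_t val, uint32_t amount)
{
    unsigned int n = (unsigned int)(amount & 31);

    switch (op) {
    case TOY_LSH:  return val << n;
    case TOY_RSH:  return val >> n;
    case TOY_ARSH: return (uint32_t)((int32_t)val >> n);
    }
    return 0;
}

#define TOY_NREGS 4

struct toy_insn {
    enum toy_shift_op op;
    uint8_t wide;   /* 1 = 64-bit ALU, 0 = 32-bit ALU (result zero-extended) */
    uint8_t dst;    /* register shifted in place */
    uint8_t src;    /* register holding the (untrusted) shift amount */
};

/* Minimal run loop: the shift amount comes from a register the program
 * controls, so it can be anything; masking makes every path defined. */
static int toy_run(const struct toy_insn *prog, size_t len, uint64_t regs[TOY_NREGS])
{
    for (size_t i = 0; i < len; i++) {
        const struct toy_insn *in = &prog[i];

        if (in->dst >= TOY_NREGS || in->src >= TOY_NREGS)
            return -1;
        if (in->wide)
            regs[in->dst] = toy_shift64(in->op, regs[in->dst], regs[in->src]);
        else
            regs[in->dst] = (uint32_t)toy_shift32(in->op, (uint32_t)regs[in->dst],
                                                  (uint32_t)regs[in->src]);
    }
    return 0;
}

/* Runs a constructed program with out-of-range shift amounts (64 and 33)
 * and returns register idx, or UINT64_MAX on failure. */
static uint64_t toy_demo_reg(int idx)
{
    uint64_t regs[TOY_NREGS] = { 0x1, 64, 0x80000000ULL, 33 }; /* constructed */
    const struct toy_insn prog[] = {
        { TOY_LSH, 1, 0, 1 },   /* r0 <<= r1 (64 -> masked to 0)          */
        { TOY_RSH, 0, 2, 3 },   /* r2 >>= r3, 32-bit (33 -> masked to 1)  */
    };

    if (idx < 0 || idx >= TOY_NREGS)
        return UINT64_MAX;
    if (toy_run(prog, sizeof(prog) / sizeof(prog[0]), regs) != 0)
        return UINT64_MAX;
    return regs[idx];
}

int main(void)
{
    printf("blind  1 << 3   = %llu\n", (unsigned long long)shl64_blind(1, 3));
    printf("masked 1 << 64  = %llu\n", (unsigned long long)toy_shift64(TOY_LSH, 1, 64));
    printf("masked 1 << 65  = %llu\n", (unsigned long long)toy_shift64(TOY_LSH, 1, 65));
    printf("program r0 = %llu, r2 = 0x%llx\n",
           (unsigned long long)toy_demo_reg(0), (unsigned long long)toy_demo_reg(2));
    return 0;
}
```

Building with `-fsanitize=shift` flags the blind form as soon as an out-of-range amount reaches it and stays quiet on the masked helpers; on x86-64 the `& 63` and `& 31` produce no extra instructions because the hardware shift already takes the count modulo the width, which is the point of Eric's suggestion.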


Thread overview: 18+ messages
     [not found] <000000000000c2987605be907e41@google.com>
     [not found] ` <20210602212726.7-1-fuzzybritches0@gmail.com>
     [not found]   ` <YLhd8BL3HGItbXmx@kroah.com>
     [not found]     ` <87609-531187-curtm@phaethon>
     [not found]       ` <6a392b66-6f26-4532-d25f-6b09770ce366@fb.com>
     [not found]         ` <CAADnVQKexxZQw0yK_7rmFOdaYabaFpi2EmF6RGs5bXvFHtUQaA@mail.gmail.com>
2021-06-07  7:38           ` [PATCH v4] bpf: core: fix shift-out-of-bounds in ___bpf_prog_run Dmitry Vyukov
2021-06-09 18:20             ` Kees Cook
2021-06-09 23:40               ` Yonghong Song
2021-06-10  5:32                 ` Dmitry Vyukov
2021-06-10  6:06                   ` Yonghong Song
2021-06-10 17:06                     ` Kees Cook
2021-06-10 17:52                       ` Alexei Starovoitov
2021-06-10 20:00                         ` Eric Biggers [this message]
2021-06-15 16:42                           ` [PATCH v5] " Kurt Manucredo
2021-06-15 18:51                             ` Edward Cree
2021-06-15 19:33                               ` Eric Biggers
2021-06-15 21:08                                 ` Daniel Borkmann
2021-06-15 21:32                                   ` Eric Biggers
2021-06-15 21:38                                     ` Eric Biggers
2021-06-15 21:54                                       ` Daniel Borkmann
2021-06-15 22:07                                         ` Eric Biggers
2021-06-15 22:31                                           ` Kurt Manucredo
2021-06-17 10:09                                           ` Daniel Borkmann
