
32 bit range overflow #11298

Closed
eddyz87 wants to merge 2 commits into kernel-patches:bpf-next_base from eddyz87:32-bit-range-overflow

@eddyz87 (Collaborator) commented Mar 5, 2026

No description provided.

eddyz87 added 2 commits March 5, 2026 02:45
Same as in __reg64_deduce_bounds(), refine s32/u32 ranges
in __reg32_deduce_bounds() in the following situations:

0                                                   U32_MAX
|  [xxxxxxxxxxxxxx u32 range xxxxxxxxxxxxxx]              |
|----------------------------|----------------------------|
|xxxxx s32 range xxxxxxxxx]                       [xxxxxxx|
0                     S32_MAX S32_MIN                    -1

0                                                   U32_MAX
|              [xxxxxxxxxxxxxx u32 range xxxxxxxxxxxxxx]  |
|----------------------------|----------------------------|
|xxxxxxxxx]                       [xxxxxxxxxxxx s32 range |
0                     S32_MAX S32_MIN                    -1

This helps, e.g., with the following program:

   call %[bpf_get_prandom_u32];
   w0 &= 0xffffffff;
   if w0 < 0x3 goto 1f;    // on fall-through u32 range [3..U32_MAX]
   if w0 s> 0x1 goto 1f;   // on fall-through s32 range [S32_MIN..1]
   if w0 s< 0x0 goto 1f;   // range can be narrowed to  [S32_MIN..-1]
   r10 = 0;
1: ...;

The reg_bounds.c selftest is updated to incorporate identical logic,
refinement based on non-overflowing range halves:

  ((x ∩ [0, smax]) ∩ (y ∩ [0, smax])) ∪
  ((x ∩ [smin,-1]) ∩ (y ∩ [smin,-1]))

Reported-by: Andrea Righi <arighi@nvidia.com>
Reported-by: Emil Tsalapatis <emil@etsalapatis.com>
Closes: https://lore.kernel.org/bpf/aakqucg4vcujVwif@gpd4/T/
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
… boundary

Two test cases for signed/unsigned 32-bit bounds refinement
when s32 range crosses the sign boundary:
- s32 range [S32_MIN..1] overlapping with u32 range [3..U32_MAX],
  s32 range tail before sign boundary overlaps with u32 range.
- s32 range [-3..5] overlapping with u32 range [0..S32_MIN+3],
  s32 range head after the sign boundary overlaps with u32 range.

This covers both branches added in the __reg32_deduce_bounds().

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
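
The half-range refinement formula from the first commit message, worked through in plain C as an added example; it is not code from the patch, from the kernel's __reg32_deduce_bounds() or from reg_bounds.c. The names `struct span`, `struct r32` and `refine32()` are hypothetical, and inputs are assumed to satisfy umin <= umax and smin <= smax.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical types for this example; not the kernel's struct bpf_reg_state. */
struct span { uint32_t lo, hi; };	/* closed interval; lo > hi means empty */
struct r32 { uint32_t umin, umax; int32_t smin, smax; bool empty; };

static bool span_empty(struct span s) { return s.lo > s.hi; }

static struct span span_and(struct span a, struct span b)
{
	struct span r = { a.lo > b.lo ? a.lo : b.lo, a.hi < b.hi ? a.hi : b.hi };
	return r;
}

/* Part of the s32 range [smin, smax] that lies in one sign half, as u32 values. */
static struct span s32_in_half(int32_t smin, int32_t smax, bool negative)
{
	/* Clamp in s32 space; inside one half the u32 casts preserve ordering. */
	int32_t lo = negative ? smin : (smin > 0 ? smin : 0);
	int32_t hi = negative ? (smax < -1 ? smax : -1) : smax;
	struct span r = { (uint32_t)lo, (uint32_t)hi };
	struct span none = { 1, 0 };

	return lo > hi ? none : r;
}

/* ((x ∩ [0,S32_MAX]) ∩ (y ∩ [0,S32_MAX])) ∪ ((x ∩ [S32_MIN,-1]) ∩ (y ∩ [S32_MIN,-1])) */
struct r32 refine32(uint32_t umin, uint32_t umax, int32_t smin, int32_t smax)
{
	struct span u = { umin, umax };
	struct span pos_half = { 0, INT32_MAX }, neg_half = { 0x80000000u, UINT32_MAX };
	struct span pos = span_and(span_and(u, pos_half), s32_in_half(smin, smax, false));
	struct span neg = span_and(span_and(u, neg_half), s32_in_half(smin, smax, true));
	struct r32 out = { 0, 0, 0, 0, span_empty(pos) && span_empty(neg) };

	if (out.empty)	/* the two ranges share no value: contradictory bounds */
		return out;
	/* Hull of the surviving pieces, taken separately in each ordering. */
	out.umin = span_empty(pos) ? neg.lo : pos.lo;
	out.umax = span_empty(neg) ? pos.hi : neg.hi;
	out.smin = (int32_t)(span_empty(neg) ? pos.lo : neg.lo);
	out.smax = (int32_t)(span_empty(pos) ? neg.hi : pos.hi);
	return out;
}
```

Calling `refine32(3, UINT32_MAX, INT32_MIN, 1)` reproduces the narrowing to [S32_MIN..-1] from the program in the first commit message, and `refine32(0, 0x80000003u, -3, 5)` covers the second test case from the selftest commit.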
kernel-patches-daemon-bpf (bot) force-pushed the bpf-next_base branch 9 times, most recently from 4b0d910 to 15b24d7, on March 11, 2026 18:16
@kernel-patches-daemon-bpf

Automatically cleaning up stale PR; feel free to reopen if needed
