vbpf / prevail / 26718371384

86%

push

github

Forget the truncated result of ALU32 pointer arithmetic

A 32-bit (ALU32) ADD/SUB zero-extends its result into the 64-bit register, so
applied to a pointer it yields the low half of a (possibly kernel) address. Such
a value must not be usable as a pointer -- the upper half is gone, so following
it would dereference a corrupted address -- nor exposed as a scalar, since it
still carries address bits and returning or storing it would leak the address.
The type model has no representation for a tainted scalar of this kind.

At the shared truncation point for binary register operations, forget the
destination register whenever the 32-bit result is not provably a number. A
later dereference then fails as a non-pointer and a later store or return fails
as a non-number, so the value can be neither followed nor leaked. A genuine
scalar operand instead keeps its precise value, masked to 32 bits.

Same-region pointer subtraction (e.g. data_end - data) is a separate case: it
yields a scalar length and is already typed as a number before reaching this
point, so its result is kept.

Adds register-register ADD/SUB regression tests and a test that the truncated
result cannot be returned as a scalar.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Elazar Gershuni <elazarg@gmail.com>

3 of 3 new or added lines in 1 file covered. (100.0%)

8999 of 10419 relevant lines covered (86.37%)

6412983.65 hits per line