2 files changed, 29 insertions, 2 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 66bec36ec1ec..47dcd3aa6e23 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1637,6 +1637,8 @@ static int do_check(struct verifier_env *env)
                        if (err)
                                return err;
+                        src_reg_type = regs[insn->src_reg].type;
                        /* check that memory (src_reg + off) is readable,
                         * the state of dst_reg will be updated by this func
                         */
@@ -1646,9 +1648,12 @@ static int do_check(struct verifier_env *env)
                        if (err)
                                return err;
-                        src_reg_type = regs[insn->src_reg].type;
+                        if (BPF_SIZE(insn->code) != BPF_W) {
+                                insn_idx++;
+                                continue;
+                        }
-                        if (insn->imm == 0 && BPF_SIZE(insn->code) == BPF_W) {
+                        if (insn->imm == 0) {
                                /* saw a valid insn
                                 * dst_reg = *(u32 *)(src_reg + off)
                                 * use reserved 'imm' field to mark this insn
diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c
index 9ab645698ffb..12f3780af73f 100644
--- a/samples/bpf/test_verifier.c
+++ b/samples/bpf/test_verifier.c
@@ -721,6 +721,28 @@ static struct bpf_test tests[] = {
                .errstr = "different pointers",
                .result = REJECT,
        },
+        {
+                "access skb fields bad4",
+                .insns = {
+                        BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
+                        BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
+                                    offsetof(struct __sk_buff, len)),
+                        BPF_MOV64_IMM(BPF_REG_0, 0),
+                        BPF_EXIT_INSN(),
+                        BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
+                        BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
+                        BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
+                        BPF_LD_MAP_FD(BPF_REG_1, 0),
+                        BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
+                        BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
+                        BPF_EXIT_INSN(),
+                        BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+                        BPF_JMP_IMM(BPF_JA, 0, 0, -13),
+                },
+                .fixup = {7},
+                .errstr = "different pointers",
+                .result = REJECT,
+        },
 };
 static int probe_filter_length(struct bpf_insn *fp)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 66bec36ec1ec..47dcd3aa6e23 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -1637,6 +1637,8 @@ static int do_check(struct verifier_env *env)
1637	if (err)	1637	if (err)
1638	return err;	1638	return err;
1639		1639
		1640	src_reg_type = regs[insn->src_reg].type;
		1641
1640	/* check that memory (src_reg + off) is readable,	1642	/* check that memory (src_reg + off) is readable,
1641	* the state of dst_reg will be updated by this func	1643	* the state of dst_reg will be updated by this func
1642	*/	1644	*/
@@ -1646,9 +1648,12 @@ static int do_check(struct verifier_env *env)
1646	if (err)	1648	if (err)
1647	return err;	1649	return err;
1648		1650
1649	src_reg_type = regs[insn->src_reg].type;	1651	if (BPF_SIZE(insn->code) != BPF_W) {
		1652	insn_idx++;
		1653	continue;
		1654	}
1650		1655
1651	if (insn->imm == 0 && BPF_SIZE(insn->code) == BPF_W) {	1656	if (insn->imm == 0) {
1652	/* saw a valid insn	1657	/* saw a valid insn
1653	* dst_reg = (u32 )(src_reg + off)	1658	* dst_reg = (u32 )(src_reg + off)
1654	* use reserved 'imm' field to mark this insn	1659	* use reserved 'imm' field to mark this insn


diff --git a/samples/bpf/test_verifier.c b/samples/bpf/test_verifier.c index 9ab645698ffb..12f3780af73f 100644 --- a/samples/bpf/test_verifier.c +++ b/samples/bpf/test_verifier.c
@@ -721,6 +721,28 @@ static struct bpf_test tests[] = {
721	.errstr = "different pointers",	721	.errstr = "different pointers",
722	.result = REJECT,	722	.result = REJECT,
723	},	723	},
		724	{
		725	"access skb fields bad4",
		726	.insns = {
		727	BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 3),
		728	BPF_LDX_MEM(BPF_W, BPF_REG_1, BPF_REG_1,
		729	offsetof(struct __sk_buff, len)),
		730	BPF_MOV64_IMM(BPF_REG_0, 0),
		731	BPF_EXIT_INSN(),
		732	BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
		733	BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
		734	BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
		735	BPF_LD_MAP_FD(BPF_REG_1, 0),
		736	BPF_RAW_INSN(BPF_JMP \| BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
		737	BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 1),
		738	BPF_EXIT_INSN(),
		739	BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
		740	BPF_JMP_IMM(BPF_JA, 0, 0, -13),
		741	},
		742	.fixup = {7},
		743	.errstr = "different pointers",
		744	.result = REJECT,
		745	},
724	};	746	};
725		747
726	static int probe_filter_length(struct bpf_insn *fp)	748	static int probe_filter_length(struct bpf_insn *fp)