aboutsummaryrefslogtreecommitdiffstats
path: root/kernel/bpf
diff options
context:
space:
mode:
authorJosef Bacik <jbacik@fb.com>2016-09-28 10:54:32 -0400
committerDavid S. Miller <davem@davemloft.net>2016-09-29 01:35:35 -0400
commit484611357c19f9e19ef742ebef4505a07d243cc9 (patch)
tree34f14c2b2ac71d0bf0a53cab096960e7c91ae87f /kernel/bpf
parent7836667cec5e02ed2ae3eb09b88047b5b5f2343a (diff)
bpf: allow access into map value arrays
Suppose you have a map array value that is something like this struct foo { unsigned iter; int array[SOME_CONSTANT]; }; You can easily insert this into an array, but you cannot modify the contents of foo->array[] after the fact. This is because we have no way to verify we won't go off the end of the array at verification time. This patch provides a start for this work. We accomplish this by keeping track of a minimum and maximum value a register could be while we're checking the code. Then at the time we try to do an access into a MAP_VALUE we verify that the maximum offset into that region is a valid access into that memory region. So in practice, code such as this unsigned index = 0; if (foo->iter >= SOME_CONSTANT) foo->iter = index; else index = foo->iter++; foo->array[index] = bar; would be allowed, as we can verify that index will always be between 0 and SOME_CONSTANT-1. If you wish to use signed values you'll have to have an extra check to make sure the index isn't less than 0, or do something like index %= SOME_CONSTANT. Signed-off-by: Josef Bacik <jbacik@fb.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel/bpf')
-rw-r--r--kernel/bpf/verifier.c329
1 files changed, 311 insertions, 18 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 7ada3152a556..99a7e5b388f2 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -182,6 +182,7 @@ static const char * const reg_type_str[] = {
182 [CONST_PTR_TO_MAP] = "map_ptr", 182 [CONST_PTR_TO_MAP] = "map_ptr",
183 [PTR_TO_MAP_VALUE] = "map_value", 183 [PTR_TO_MAP_VALUE] = "map_value",
184 [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null", 184 [PTR_TO_MAP_VALUE_OR_NULL] = "map_value_or_null",
185 [PTR_TO_MAP_VALUE_ADJ] = "map_value_adj",
185 [FRAME_PTR] = "fp", 186 [FRAME_PTR] = "fp",
186 [PTR_TO_STACK] = "fp", 187 [PTR_TO_STACK] = "fp",
187 [CONST_IMM] = "imm", 188 [CONST_IMM] = "imm",
@@ -209,10 +210,17 @@ static void print_verifier_state(struct bpf_verifier_state *state)
209 else if (t == UNKNOWN_VALUE && reg->imm) 210 else if (t == UNKNOWN_VALUE && reg->imm)
210 verbose("%lld", reg->imm); 211 verbose("%lld", reg->imm);
211 else if (t == CONST_PTR_TO_MAP || t == PTR_TO_MAP_VALUE || 212 else if (t == CONST_PTR_TO_MAP || t == PTR_TO_MAP_VALUE ||
212 t == PTR_TO_MAP_VALUE_OR_NULL) 213 t == PTR_TO_MAP_VALUE_OR_NULL ||
214 t == PTR_TO_MAP_VALUE_ADJ)
213 verbose("(ks=%d,vs=%d)", 215 verbose("(ks=%d,vs=%d)",
214 reg->map_ptr->key_size, 216 reg->map_ptr->key_size,
215 reg->map_ptr->value_size); 217 reg->map_ptr->value_size);
218 if (reg->min_value != BPF_REGISTER_MIN_RANGE)
219 verbose(",min_value=%llu",
220 (unsigned long long)reg->min_value);
221 if (reg->max_value != BPF_REGISTER_MAX_RANGE)
222 verbose(",max_value=%llu",
223 (unsigned long long)reg->max_value);
216 } 224 }
217 for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) { 225 for (i = 0; i < MAX_BPF_STACK; i += BPF_REG_SIZE) {
218 if (state->stack_slot_type[i] == STACK_SPILL) 226 if (state->stack_slot_type[i] == STACK_SPILL)
@@ -424,6 +432,8 @@ static void init_reg_state(struct bpf_reg_state *regs)
424 for (i = 0; i < MAX_BPF_REG; i++) { 432 for (i = 0; i < MAX_BPF_REG; i++) {
425 regs[i].type = NOT_INIT; 433 regs[i].type = NOT_INIT;
426 regs[i].imm = 0; 434 regs[i].imm = 0;
435 regs[i].min_value = BPF_REGISTER_MIN_RANGE;
436 regs[i].max_value = BPF_REGISTER_MAX_RANGE;
427 } 437 }
428 438
429 /* frame pointer */ 439 /* frame pointer */
@@ -440,6 +450,12 @@ static void mark_reg_unknown_value(struct bpf_reg_state *regs, u32 regno)
440 regs[regno].imm = 0; 450 regs[regno].imm = 0;
441} 451}
442 452
453static void reset_reg_range_values(struct bpf_reg_state *regs, u32 regno)
454{
455 regs[regno].min_value = BPF_REGISTER_MIN_RANGE;
456 regs[regno].max_value = BPF_REGISTER_MAX_RANGE;
457}
458
443enum reg_arg_type { 459enum reg_arg_type {
444 SRC_OP, /* register is used as source operand */ 460 SRC_OP, /* register is used as source operand */
445 DST_OP, /* register is used as destination operand */ 461 DST_OP, /* register is used as destination operand */
@@ -665,7 +681,7 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
665static int check_ptr_alignment(struct bpf_verifier_env *env, 681static int check_ptr_alignment(struct bpf_verifier_env *env,
666 struct bpf_reg_state *reg, int off, int size) 682 struct bpf_reg_state *reg, int off, int size)
667{ 683{
668 if (reg->type != PTR_TO_PACKET) { 684 if (reg->type != PTR_TO_PACKET && reg->type != PTR_TO_MAP_VALUE_ADJ) {
669 if (off % size != 0) { 685 if (off % size != 0) {
670 verbose("misaligned access off %d size %d\n", 686 verbose("misaligned access off %d size %d\n",
671 off, size); 687 off, size);
@@ -675,16 +691,6 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
675 } 691 }
676 } 692 }
677 693
678 switch (env->prog->type) {
679 case BPF_PROG_TYPE_SCHED_CLS:
680 case BPF_PROG_TYPE_SCHED_ACT:
681 case BPF_PROG_TYPE_XDP:
682 break;
683 default:
684 verbose("verifier is misconfigured\n");
685 return -EACCES;
686 }
687
688 if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS)) 694 if (IS_ENABLED(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS))
689 /* misaligned access to packet is ok on x86,arm,arm64 */ 695 /* misaligned access to packet is ok on x86,arm,arm64 */
690 return 0; 696 return 0;
@@ -695,7 +701,8 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
695 } 701 }
696 702
697 /* skb->data is NET_IP_ALIGN-ed */ 703 /* skb->data is NET_IP_ALIGN-ed */
698 if ((NET_IP_ALIGN + reg->off + off) % size != 0) { 704 if (reg->type == PTR_TO_PACKET &&
705 (NET_IP_ALIGN + reg->off + off) % size != 0) {
699 verbose("misaligned packet access off %d+%d+%d size %d\n", 706 verbose("misaligned packet access off %d+%d+%d size %d\n",
700 NET_IP_ALIGN, reg->off, off, size); 707 NET_IP_ALIGN, reg->off, off, size);
701 return -EACCES; 708 return -EACCES;
@@ -728,12 +735,52 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off,
728 if (err) 735 if (err)
729 return err; 736 return err;
730 737
731 if (reg->type == PTR_TO_MAP_VALUE) { 738 if (reg->type == PTR_TO_MAP_VALUE ||
739 reg->type == PTR_TO_MAP_VALUE_ADJ) {
732 if (t == BPF_WRITE && value_regno >= 0 && 740 if (t == BPF_WRITE && value_regno >= 0 &&
733 is_pointer_value(env, value_regno)) { 741 is_pointer_value(env, value_regno)) {
734 verbose("R%d leaks addr into map\n", value_regno); 742 verbose("R%d leaks addr into map\n", value_regno);
735 return -EACCES; 743 return -EACCES;
736 } 744 }
745
746 /* If we adjusted the register to this map value at all then we
747 * need to change off and size to min_value and max_value
748 * respectively to make sure our theoretical access will be
749 * safe.
750 */
751 if (reg->type == PTR_TO_MAP_VALUE_ADJ) {
752 if (log_level)
753 print_verifier_state(state);
754 env->varlen_map_value_access = true;
755 /* The minimum value is only important with signed
756 * comparisons where we can't assume the floor of a
757 * value is 0. If we are using signed variables for our
758 * index'es we need to make sure that whatever we use
759 * will have a set floor within our range.
760 */
761 if ((s64)reg->min_value < 0) {
762 verbose("R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
763 regno);
764 return -EACCES;
765 }
766 err = check_map_access(env, regno, reg->min_value + off,
767 size);
768 if (err) {
769 verbose("R%d min value is outside of the array range\n",
770 regno);
771 return err;
772 }
773
774 /* If we haven't set a max value then we need to bail
775 * since we can't be sure we won't do bad things.
776 */
777 if (reg->max_value == BPF_REGISTER_MAX_RANGE) {
778 verbose("R%d unbounded memory access, make sure to bounds check any array access into a map\n",
779 regno);
780 return -EACCES;
781 }
782 off += reg->max_value;
783 }
737 err = check_map_access(env, regno, off, size); 784 err = check_map_access(env, regno, off, size);
738 if (!err && t == BPF_READ && value_regno >= 0) 785 if (!err && t == BPF_READ && value_regno >= 0)
739 mark_reg_unknown_value(state->regs, value_regno); 786 mark_reg_unknown_value(state->regs, value_regno);
@@ -1195,6 +1242,7 @@ static int check_call(struct bpf_verifier_env *env, int func_id)
1195 regs[BPF_REG_0].type = NOT_INIT; 1242 regs[BPF_REG_0].type = NOT_INIT;
1196 } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) { 1243 } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL) {
1197 regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; 1244 regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL;
1245 regs[BPF_REG_0].max_value = regs[BPF_REG_0].min_value = 0;
1198 /* remember map_ptr, so that check_map_access() 1246 /* remember map_ptr, so that check_map_access()
1199 * can check 'value_size' boundary of memory access 1247 * can check 'value_size' boundary of memory access
1200 * to map element returned from bpf_map_lookup_elem() 1248 * to map element returned from bpf_map_lookup_elem()
@@ -1416,6 +1464,106 @@ static int evaluate_reg_imm_alu(struct bpf_verifier_env *env,
1416 return 0; 1464 return 0;
1417} 1465}
1418 1466
1467static void check_reg_overflow(struct bpf_reg_state *reg)
1468{
1469 if (reg->max_value > BPF_REGISTER_MAX_RANGE)
1470 reg->max_value = BPF_REGISTER_MAX_RANGE;
1471 if ((s64)reg->min_value < BPF_REGISTER_MIN_RANGE)
1472 reg->min_value = BPF_REGISTER_MIN_RANGE;
1473}
1474
1475static void adjust_reg_min_max_vals(struct bpf_verifier_env *env,
1476 struct bpf_insn *insn)
1477{
1478 struct bpf_reg_state *regs = env->cur_state.regs, *dst_reg;
1479 u64 min_val = BPF_REGISTER_MIN_RANGE, max_val = BPF_REGISTER_MAX_RANGE;
1480 bool min_set = false, max_set = false;
1481 u8 opcode = BPF_OP(insn->code);
1482
1483 dst_reg = &regs[insn->dst_reg];
1484 if (BPF_SRC(insn->code) == BPF_X) {
1485 check_reg_overflow(&regs[insn->src_reg]);
1486 min_val = regs[insn->src_reg].min_value;
1487 max_val = regs[insn->src_reg].max_value;
1488
1489 /* If the source register is a random pointer then the
1490 * min_value/max_value values represent the range of the known
1491 * accesses into that value, not the actual min/max value of the
1492 * register itself. In this case we have to reset the reg range
1493 * values so we know it is not safe to look at.
1494 */
1495 if (regs[insn->src_reg].type != CONST_IMM &&
1496 regs[insn->src_reg].type != UNKNOWN_VALUE) {
1497 min_val = BPF_REGISTER_MIN_RANGE;
1498 max_val = BPF_REGISTER_MAX_RANGE;
1499 }
1500 } else if (insn->imm < BPF_REGISTER_MAX_RANGE &&
1501 (s64)insn->imm > BPF_REGISTER_MIN_RANGE) {
1502 min_val = max_val = insn->imm;
1503 min_set = max_set = true;
1504 }
1505
1506 /* We don't know anything about what was done to this register, mark it
1507 * as unknown.
1508 */
1509 if (min_val == BPF_REGISTER_MIN_RANGE &&
1510 max_val == BPF_REGISTER_MAX_RANGE) {
1511 reset_reg_range_values(regs, insn->dst_reg);
1512 return;
1513 }
1514
1515 switch (opcode) {
1516 case BPF_ADD:
1517 dst_reg->min_value += min_val;
1518 dst_reg->max_value += max_val;
1519 break;
1520 case BPF_SUB:
1521 dst_reg->min_value -= min_val;
1522 dst_reg->max_value -= max_val;
1523 break;
1524 case BPF_MUL:
1525 dst_reg->min_value *= min_val;
1526 dst_reg->max_value *= max_val;
1527 break;
1528 case BPF_AND:
1529 /* & is special since it could end up with 0 bits set. */
1530 dst_reg->min_value &= min_val;
1531 dst_reg->max_value = max_val;
1532 break;
1533 case BPF_LSH:
1534 /* Gotta have special overflow logic here, if we're shifting
1535 * more than MAX_RANGE then just assume we have an invalid
1536 * range.
1537 */
1538 if (min_val > ilog2(BPF_REGISTER_MAX_RANGE))
1539 dst_reg->min_value = BPF_REGISTER_MIN_RANGE;
1540 else
1541 dst_reg->min_value <<= min_val;
1542
1543 if (max_val > ilog2(BPF_REGISTER_MAX_RANGE))
1544 dst_reg->max_value = BPF_REGISTER_MAX_RANGE;
1545 else
1546 dst_reg->max_value <<= max_val;
1547 break;
1548 case BPF_RSH:
1549 dst_reg->min_value >>= min_val;
1550 dst_reg->max_value >>= max_val;
1551 break;
1552 case BPF_MOD:
1553 /* % is special since it is an unsigned modulus, so the floor
1554 * will always be 0.
1555 */
1556 dst_reg->min_value = 0;
1557 dst_reg->max_value = max_val - 1;
1558 break;
1559 default:
1560 reset_reg_range_values(regs, insn->dst_reg);
1561 break;
1562 }
1563
1564 check_reg_overflow(dst_reg);
1565}
1566
1419/* check validity of 32-bit and 64-bit arithmetic operations */ 1567/* check validity of 32-bit and 64-bit arithmetic operations */
1420static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) 1568static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
1421{ 1569{
@@ -1479,6 +1627,11 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
1479 if (err) 1627 if (err)
1480 return err; 1628 return err;
1481 1629
1630 /* we are setting our register to something new, we need to
1631 * reset its range values.
1632 */
1633 reset_reg_range_values(regs, insn->dst_reg);
1634
1482 if (BPF_SRC(insn->code) == BPF_X) { 1635 if (BPF_SRC(insn->code) == BPF_X) {
1483 if (BPF_CLASS(insn->code) == BPF_ALU64) { 1636 if (BPF_CLASS(insn->code) == BPF_ALU64) {
1484 /* case: R1 = R2 1637 /* case: R1 = R2
@@ -1500,6 +1653,8 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
1500 */ 1653 */
1501 regs[insn->dst_reg].type = CONST_IMM; 1654 regs[insn->dst_reg].type = CONST_IMM;
1502 regs[insn->dst_reg].imm = insn->imm; 1655 regs[insn->dst_reg].imm = insn->imm;
1656 regs[insn->dst_reg].max_value = insn->imm;
1657 regs[insn->dst_reg].min_value = insn->imm;
1503 } 1658 }
1504 1659
1505 } else if (opcode > BPF_END) { 1660 } else if (opcode > BPF_END) {
@@ -1552,6 +1707,9 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
1552 1707
1553 dst_reg = &regs[insn->dst_reg]; 1708 dst_reg = &regs[insn->dst_reg];
1554 1709
1710 /* first we want to adjust our ranges. */
1711 adjust_reg_min_max_vals(env, insn);
1712
1555 /* pattern match 'bpf_add Rx, imm' instruction */ 1713 /* pattern match 'bpf_add Rx, imm' instruction */
1556 if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 && 1714 if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 &&
1557 dst_reg->type == FRAME_PTR && BPF_SRC(insn->code) == BPF_K) { 1715 dst_reg->type == FRAME_PTR && BPF_SRC(insn->code) == BPF_K) {
@@ -1586,8 +1744,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
1586 return -EACCES; 1744 return -EACCES;
1587 } 1745 }
1588 1746
1589 /* mark dest operand */ 1747 /* If we did pointer math on a map value then just set it to our
1590 mark_reg_unknown_value(regs, insn->dst_reg); 1748 * PTR_TO_MAP_VALUE_ADJ type so we can deal with any stores or
1749 * loads to this register appropriately, otherwise just mark the
1750 * register as unknown.
1751 */
1752 if (env->allow_ptr_leaks &&
1753 (dst_reg->type == PTR_TO_MAP_VALUE ||
1754 dst_reg->type == PTR_TO_MAP_VALUE_ADJ))
1755 dst_reg->type = PTR_TO_MAP_VALUE_ADJ;
1756 else
1757 mark_reg_unknown_value(regs, insn->dst_reg);
1591 } 1758 }
1592 1759
1593 return 0; 1760 return 0;
@@ -1642,6 +1809,104 @@ static void find_good_pkt_pointers(struct bpf_verifier_state *state,
1642 } 1809 }
1643} 1810}
1644 1811
1812/* Adjusts the register min/max values in the case that the dst_reg is the
1813 * variable register that we are working on, and src_reg is a constant or we're
1814 * simply doing a BPF_K check.
1815 */
1816static void reg_set_min_max(struct bpf_reg_state *true_reg,
1817 struct bpf_reg_state *false_reg, u64 val,
1818 u8 opcode)
1819{
1820 switch (opcode) {
1821 case BPF_JEQ:
1822 /* If this is false then we know nothing Jon Snow, but if it is
1823 * true then we know for sure.
1824 */
1825 true_reg->max_value = true_reg->min_value = val;
1826 break;
1827 case BPF_JNE:
1828 /* If this is true we know nothing Jon Snow, but if it is false
1829 * we know the value for sure;
1830 */
1831 false_reg->max_value = false_reg->min_value = val;
1832 break;
1833 case BPF_JGT:
1834 /* Unsigned comparison, the minimum value is 0. */
1835 false_reg->min_value = 0;
1836 case BPF_JSGT:
1837 /* If this is false then we know the maximum val is val,
1838 * otherwise we know the min val is val+1.
1839 */
1840 false_reg->max_value = val;
1841 true_reg->min_value = val + 1;
1842 break;
1843 case BPF_JGE:
1844 /* Unsigned comparison, the minimum value is 0. */
1845 false_reg->min_value = 0;
1846 case BPF_JSGE:
1847 /* If this is false then we know the maximum value is val - 1,
1848 * otherwise we know the mimimum value is val.
1849 */
1850 false_reg->max_value = val - 1;
1851 true_reg->min_value = val;
1852 break;
1853 default:
1854 break;
1855 }
1856
1857 check_reg_overflow(false_reg);
1858 check_reg_overflow(true_reg);
1859}
1860
1861/* Same as above, but for the case that dst_reg is a CONST_IMM reg and src_reg
1862 * is the variable reg.
1863 */
1864static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
1865 struct bpf_reg_state *false_reg, u64 val,
1866 u8 opcode)
1867{
1868 switch (opcode) {
1869 case BPF_JEQ:
1870 /* If this is false then we know nothing Jon Snow, but if it is
1871 * true then we know for sure.
1872 */
1873 true_reg->max_value = true_reg->min_value = val;
1874 break;
1875 case BPF_JNE:
1876 /* If this is true we know nothing Jon Snow, but if it is false
1877 * we know the value for sure;
1878 */
1879 false_reg->max_value = false_reg->min_value = val;
1880 break;
1881 case BPF_JGT:
1882 /* Unsigned comparison, the minimum value is 0. */
1883 true_reg->min_value = 0;
1884 case BPF_JSGT:
1885 /*
1886 * If this is false, then the val is <= the register, if it is
1887 * true the register <= to the val.
1888 */
1889 false_reg->min_value = val;
1890 true_reg->max_value = val - 1;
1891 break;
1892 case BPF_JGE:
1893 /* Unsigned comparison, the minimum value is 0. */
1894 true_reg->min_value = 0;
1895 case BPF_JSGE:
1896 /* If this is false then constant < register, if it is true then
1897 * the register < constant.
1898 */
1899 false_reg->min_value = val + 1;
1900 true_reg->max_value = val;
1901 break;
1902 default:
1903 break;
1904 }
1905
1906 check_reg_overflow(false_reg);
1907 check_reg_overflow(true_reg);
1908}
1909
1645static int check_cond_jmp_op(struct bpf_verifier_env *env, 1910static int check_cond_jmp_op(struct bpf_verifier_env *env,
1646 struct bpf_insn *insn, int *insn_idx) 1911 struct bpf_insn *insn, int *insn_idx)
1647{ 1912{
@@ -1708,6 +1973,23 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
1708 if (!other_branch) 1973 if (!other_branch)
1709 return -EFAULT; 1974 return -EFAULT;
1710 1975
1976 /* detect if we are comparing against a constant value so we can adjust
1977 * our min/max values for our dst register.
1978 */
1979 if (BPF_SRC(insn->code) == BPF_X) {
1980 if (regs[insn->src_reg].type == CONST_IMM)
1981 reg_set_min_max(&other_branch->regs[insn->dst_reg],
1982 dst_reg, regs[insn->src_reg].imm,
1983 opcode);
1984 else if (dst_reg->type == CONST_IMM)
1985 reg_set_min_max_inv(&other_branch->regs[insn->src_reg],
1986 &regs[insn->src_reg], dst_reg->imm,
1987 opcode);
1988 } else {
1989 reg_set_min_max(&other_branch->regs[insn->dst_reg],
1990 dst_reg, insn->imm, opcode);
1991 }
1992
1711 /* detect if R == 0 where R is returned from bpf_map_lookup_elem() */ 1993 /* detect if R == 0 where R is returned from bpf_map_lookup_elem() */
1712 if (BPF_SRC(insn->code) == BPF_K && 1994 if (BPF_SRC(insn->code) == BPF_K &&
1713 insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) && 1995 insn->imm == 0 && (opcode == BPF_JEQ || opcode == BPF_JNE) &&
@@ -2144,7 +2426,8 @@ static bool compare_ptrs_to_packet(struct bpf_reg_state *old,
2144 * whereas register type in current state is meaningful, it means that 2426 * whereas register type in current state is meaningful, it means that
2145 * the current state will reach 'bpf_exit' instruction safely 2427 * the current state will reach 'bpf_exit' instruction safely
2146 */ 2428 */
2147static bool states_equal(struct bpf_verifier_state *old, 2429static bool states_equal(struct bpf_verifier_env *env,
2430 struct bpf_verifier_state *old,
2148 struct bpf_verifier_state *cur) 2431 struct bpf_verifier_state *cur)
2149{ 2432{
2150 struct bpf_reg_state *rold, *rcur; 2433 struct bpf_reg_state *rold, *rcur;
@@ -2157,6 +2440,13 @@ static bool states_equal(struct bpf_verifier_state *old,
2157 if (memcmp(rold, rcur, sizeof(*rold)) == 0) 2440 if (memcmp(rold, rcur, sizeof(*rold)) == 0)
2158 continue; 2441 continue;
2159 2442
2443 /* If the ranges were not the same, but everything else was and
2444 * we didn't do a variable access into a map then we are a-ok.
2445 */
2446 if (!env->varlen_map_value_access &&
2447 rold->type == rcur->type && rold->imm == rcur->imm)
2448 continue;
2449
2160 if (rold->type == NOT_INIT || 2450 if (rold->type == NOT_INIT ||
2161 (rold->type == UNKNOWN_VALUE && rcur->type != NOT_INIT)) 2451 (rold->type == UNKNOWN_VALUE && rcur->type != NOT_INIT))
2162 continue; 2452 continue;
@@ -2213,7 +2503,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
2213 return 0; 2503 return 0;
2214 2504
2215 while (sl != STATE_LIST_MARK) { 2505 while (sl != STATE_LIST_MARK) {
2216 if (states_equal(&sl->state, &env->cur_state)) 2506 if (states_equal(env, &sl->state, &env->cur_state))
2217 /* reached equivalent register/stack state, 2507 /* reached equivalent register/stack state,
2218 * prune the search 2508 * prune the search
2219 */ 2509 */
@@ -2259,6 +2549,7 @@ static int do_check(struct bpf_verifier_env *env)
2259 2549
2260 init_reg_state(regs); 2550 init_reg_state(regs);
2261 insn_idx = 0; 2551 insn_idx = 0;
2552 env->varlen_map_value_access = false;
2262 for (;;) { 2553 for (;;) {
2263 struct bpf_insn *insn; 2554 struct bpf_insn *insn;
2264 u8 class; 2555 u8 class;
@@ -2339,6 +2630,7 @@ static int do_check(struct bpf_verifier_env *env)
2339 if (err) 2630 if (err)
2340 return err; 2631 return err;
2341 2632
2633 reset_reg_range_values(regs, insn->dst_reg);
2342 if (BPF_SIZE(insn->code) != BPF_W && 2634 if (BPF_SIZE(insn->code) != BPF_W &&
2343 BPF_SIZE(insn->code) != BPF_DW) { 2635 BPF_SIZE(insn->code) != BPF_DW) {
2344 insn_idx++; 2636 insn_idx++;
@@ -2509,6 +2801,7 @@ process_bpf_exit:
2509 verbose("invalid BPF_LD mode\n"); 2801 verbose("invalid BPF_LD mode\n");
2510 return -EINVAL; 2802 return -EINVAL;
2511 } 2803 }
2804 reset_reg_range_values(regs, insn->dst_reg);
2512 } else { 2805 } else {
2513 verbose("unknown insn class %d\n", class); 2806 verbose("unknown insn class %d\n", class);
2514 return -EINVAL; 2807 return -EINVAL;
generated by cgit v1.2.2 (git 2.25.0) at 2025-08-29 08:56:55 -0400