diff options
| author | Daniel Borkmann <daniel@iogearbox.net> | 2018-10-31 19:05:53 -0400 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2018-10-31 19:53:17 -0400 |
| commit | 4d31f30148cea6e97e42616231eed55295117fe7 (patch) | |
| tree | 75b922a4d276ff5c53fe51680af54113f7b4f48e /kernel/bpf | |
| parent | 0962590e553331db2cc0aef2dc35c57f6300dbbe (diff) | |
bpf: don't set id on after map lookup with ptr_to_map_val return
In the verifier there is no such semantics where registers with
PTR_TO_MAP_VALUE type have an id assigned to them. This is only
used in PTR_TO_MAP_VALUE_OR_NULL and later on nullified once the
test against NULL has been pattern matched and type transformed
into PTR_TO_MAP_VALUE.
Fixes: 3e6a4b3e0289 ("bpf/verifier: introduce BPF_PTR_TO_MAP_VALUE")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Roman Gushchin <guro@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'kernel/bpf')
| -rw-r--r-- | kernel/bpf/verifier.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 774fa40a32ae..1971ca325fb4 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c | |||
| @@ -2852,10 +2852,6 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn | |||
| 2852 | regs[BPF_REG_0].type = NOT_INIT; | 2852 | regs[BPF_REG_0].type = NOT_INIT; |
| 2853 | } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL || | 2853 | } else if (fn->ret_type == RET_PTR_TO_MAP_VALUE_OR_NULL || |
| 2854 | fn->ret_type == RET_PTR_TO_MAP_VALUE) { | 2854 | fn->ret_type == RET_PTR_TO_MAP_VALUE) { |
| 2855 | if (fn->ret_type == RET_PTR_TO_MAP_VALUE) | ||
| 2856 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE; | ||
| 2857 | else | ||
| 2858 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; | ||
| 2859 | /* There is no offset yet applied, variable or fixed */ | 2855 | /* There is no offset yet applied, variable or fixed */ |
| 2860 | mark_reg_known_zero(env, regs, BPF_REG_0); | 2856 | mark_reg_known_zero(env, regs, BPF_REG_0); |
| 2861 | /* remember map_ptr, so that check_map_access() | 2857 | /* remember map_ptr, so that check_map_access() |
| @@ -2868,7 +2864,12 @@ static int check_helper_call(struct bpf_verifier_env *env, int func_id, int insn | |||
| 2868 | return -EINVAL; | 2864 | return -EINVAL; |
| 2869 | } | 2865 | } |
| 2870 | regs[BPF_REG_0].map_ptr = meta.map_ptr; | 2866 | regs[BPF_REG_0].map_ptr = meta.map_ptr; |
| 2871 | regs[BPF_REG_0].id = ++env->id_gen; | 2867 | if (fn->ret_type == RET_PTR_TO_MAP_VALUE) { |
| 2868 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE; | ||
| 2869 | } else { | ||
| 2870 | regs[BPF_REG_0].type = PTR_TO_MAP_VALUE_OR_NULL; | ||
| 2871 | regs[BPF_REG_0].id = ++env->id_gen; | ||
| 2872 | } | ||
| 2872 | } else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) { | 2873 | } else if (fn->ret_type == RET_PTR_TO_SOCKET_OR_NULL) { |
| 2873 | int id = acquire_reference_state(env, insn_idx); | 2874 | int id = acquire_reference_state(env, insn_idx); |
| 2874 | if (id < 0) | 2875 | if (id < 0) |