Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf: Fix regsafe() for pointers to packet

In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N
regsafe() may return true which may lead to current state with
valid packet range not being explored. Fix the bug.

Fixes: 6d94e741a8ff ("bpf: Support for pointers beyond pkt_end.")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20260331204228.26726-1-alexei.starovoitov@gmail.com

authored by Alexei Starovoitov and committed by Andrii Nakryiko
a8502a79 dbf00d8d

+6 -1
kernel/bpf/verifier.c
··· 19915 19915 * since someone could have accessed through (ptr - k), or 19916 19916 * even done ptr -= k in a register, to get a safe access. 19917 19917 */ 19918 - if (rold->range > rcur->range) 19918 + if (rold->range < 0 || rcur->range < 0) { 19919 + /* special case for [BEYOND|AT]_PKT_END */ 19920 + if (rold->range != rcur->range) 19921 + return false; 19922 + } else if (rold->range > rcur->range) { 19919 19923 return false; 19924 + } 19920 19925 /* If the offsets don't match, we can't trust our alignment; 19921 19926 * nor can we be sure that we won't fall out of range. 19922 19927 */
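
Review bot: The new branch at `if (rold->range < 0 || rcur->range < 0)` tests the sign of range, while its comment names only [BEYOND|AT]_PKT_END, so the check is correct only as long as those two markers are the only negative values range can ever hold. Either compare against the named constants explicitly or extend the comment to state that invariant, so a future negative marker does not silently fall into this branch. The comment should also say why strict equality is required here: with `rold->range != rcur->range` returning false, an old AT_PKT_END state against a current BEYOND_PKT_END state (and the reverse) is treated as unsafe along with the marker-versus-N case from the commit message. That is the conservative choice and only costs extra state exploration, but a reader cannot tell from the code whether it is deliberate. Finally, the change touches only kernel/bpf/verifier.c (+6 -1); a verifier selftest that reaches regsafe() with the old state at BEYOND_PKT_END and the current state at a valid range N would pin the pruning behaviour this fix depends on.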