]> git.baikalelectronics.ru Git - kernel.git/commitdiff
bpf: Simplify alu_limit masking for pointer arithmetic
authorPiotr Krysiuk <piotras@gmail.com>
Tue, 16 Mar 2021 07:26:25 +0000 (08:26 +0100)
committerDaniel Borkmann <daniel@iogearbox.net>
Wed, 17 Mar 2021 18:13:22 +0000 (19:13 +0100)
Instead of having the mov32 with aux->alu_limit - 1 immediate, move this
operation to retrieve_ptr_limit() instead to simplify the logic and to
allow for subsequent sanity boundary checks inside retrieve_ptr_limit().
This avoids in future that at the time of the verifier masking rewrite
we'd run into an underflow which would not sign extend due to the nature
of mov32 instruction.

Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/verifier.c

index 56c63658b702cb7fd4ef8785c6bab47469b4a804..d16722a99b61db43339b8c1cc30bd43a9764597e 100644 (file)
@@ -5870,16 +5870,16 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
                 */
                off = ptr_reg->off + ptr_reg->var_off.value;
                if (mask_to_left)
-                       *ptr_limit = MAX_BPF_STACK + off + 1;
+                       *ptr_limit = MAX_BPF_STACK + off;
                else
-                       *ptr_limit = -off;
+                       *ptr_limit = -off - 1;
                return 0;
        case PTR_TO_MAP_VALUE:
                if (mask_to_left) {
-                       *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1;
+                       *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
                } else {
                        off = ptr_reg->smin_value + ptr_reg->off;
-                       *ptr_limit = ptr_reg->map_ptr->value_size - off;
+                       *ptr_limit = ptr_reg->map_ptr->value_size - off - 1;
                }
                return 0;
        default:
@@ -11668,7 +11668,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
                        off_reg = issrc ? insn->src_reg : insn->dst_reg;
                        if (isneg)
                                *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
-                       *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
+                       *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit);
                        *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
                        *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
                        *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);