Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 524471df authored by Piotr Krysiuk's avatar Piotr Krysiuk Committed by Greg Kroah-Hartman
Browse files

bpf: Simplify alu_limit masking for pointer arithmetic 



commit b5871dca250cd391885218b99cc015aca1a51aea upstream.

Instead of having the mov32 with aux->alu_limit - 1 immediate, move this
operation to retrieve_ptr_limit() instead to simplify the logic and to
allow for subsequent sanity boundary checks inside retrieve_ptr_limit().
This avoids in future that at the time of the verifier masking rewrite
we'd run into an underflow which would not sign extend due to the nature
of mov32 instruction.

Signed-off-by: default avatarPiotr Krysiuk <piotras@gmail.com>
Co-developed-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 2da05407

kernel/bpf/verifier.c

+5 −5
Original line number Diff line number Diff line
@@ -4277,16 +4277,16 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, 
		 */

		off = ptr_reg->off + ptr_reg->var_off.value;

		if (mask_to_left)

			*ptr_limit = MAX_BPF_STACK + off + 1;

			*ptr_limit = MAX_BPF_STACK + off;

		else

			*ptr_limit = -off;

			*ptr_limit = -off - 1;

		return 0;

	case PTR_TO_MAP_VALUE:

		if (mask_to_left) {

			*ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1;

			*ptr_limit = ptr_reg->umax_value + ptr_reg->off;

		} else {

			off = ptr_reg->smin_value + ptr_reg->off;

			*ptr_limit = ptr_reg->map_ptr->value_size - off;

			*ptr_limit = ptr_reg->map_ptr->value_size - off - 1;

		}

		return 0;

	default:
@@ -9081,7 +9081,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) 
			off_reg = issrc ? insn->src_reg : insn->dst_reg;

			if (isneg)

				*patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);

			*patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);

			*patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit);

			*patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);

			*patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);

			*patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);