
Commit 179d1c56 authored by Jann Horn, committed by Daniel Borkmann

bpf: don't prune branches when a scalar is replaced with a pointer



This could be made safe by passing through a reference to env and checking
for env->allow_ptr_leaks, but it would only work one way and is probably
not worth the hassle - not doing it will not directly lead to program
rejection.

Fixes: f1174f77 ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
parent a5ec6ae1
+7 −8
@@ -3467,15 +3467,14 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
			return range_within(rold, rcur) &&
			return range_within(rold, rcur) &&
			       tnum_in(rold->var_off, rcur->var_off);
			       tnum_in(rold->var_off, rcur->var_off);
		} else {
		} else {
			/* if we knew anything about the old value, we're not
			/* We're trying to use a pointer in place of a scalar.
			 * equal, because we can't know anything about the
			 * Even if the scalar was unbounded, this could lead to
			 * scalar value of the pointer in the new value.
			 * pointer leaks because scalars are allowed to leak
			 */
			 * while pointers are not. We could make this safe in
			return rold->umin_value == 0 &&
			 * special cases if root is calling us, but it's
			       rold->umax_value == U64_MAX &&
			 * probably not worth the hassle.
			       rold->smin_value == S64_MIN &&
			 */
			       rold->smax_value == S64_MAX &&
			return false;
			       tnum_is_unknown(rold->var_off);
		}
		}
	case PTR_TO_MAP_VALUE:
	case PTR_TO_MAP_VALUE:
		/* If the new min/max/var_off satisfy the old ones and
		/* If the new min/max/var_off satisfy the old ones and
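Review bot: the new comment in the else branch ("We could make this safe in special cases if root is calling us") should state why the check is not made here: regsafe() has no env to consult, so env->allow_ptr_leaks cannot be tested without threading env through the pruning path, which is exactly what the commit message says was judged not worth the hassle. Without that sentence a later reader may try to add an allow_ptr_leaks check directly in this branch and find nothing to check it against. Suggest extending the comment along the lines of "We could make this safe in special cases if root is calling us (env->allow_ptr_leaks), but regsafe() has no env reference and it's probably not worth the hassle." The replacement of the five-line unbounded-scalar test with `return false;` is otherwise the right change: the old test only asked whether the scalar was completely unknown, which says nothing about whether a pointer may take its place, since an unbounded scalar is still allowed to leak to user space while a pointer is not; the cost is that such states are now explored instead of pruned, which the commit message correctly notes never leads directly to rejection.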