diff options
| author | Jann Horn <jannh@google.com> | 2020-03-30 18:03:23 +0200 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2020-03-30 11:53:52 -0700 |
| commit | 604dca5e3af1db98bd123b7bfc02b017af99e3a0 (patch) | |
| tree | 1724820184cecbbbe7dba844bb9c22be48d1fd04 /kernel/bpf/lpm_trie.c | |
| parent | f2d67fec0b43edce8c416101cdc52e71145b5fef (diff) | |
bpf: Fix tnum constraints for 32-bit comparisons
The BPF verifier tried to track values based on 32-bit comparisons by
(ab)using the tnum state via 581738a681b6 ("bpf: Provide better register
bounds after jmp32 instructions"). The idea is that after a check like
this:
if ((u32)r0 > 3)
exit
We can't meaningfully constrain the arithmetic-range-based tracking, but
we can update the tnum state to (value=0,mask=0xffff'ffff'0000'0003).
However, the implementation from 581738a681b6 didn't compute the tnum
constraint based on the fixed operand, but instead derives it from the
arithmetic-range-based tracking. This means that after the following
sequence of operations:
if (r0 >= 0x1'0000'0001)
exit
if ((u32)r0 > 7)
exit
The verifier assumed that the lower half of r0 is in the range (0, 0)
and apply the tnum constraint (value=0,mask=0xffff'ffff'0000'0000) thus
causing the overall tnum to be (value=0,mask=0x1'0000'0000), which was
incorrect. Provide a fixed implementation.
Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200330160324.15259-3-daniel@iogearbox.net
Diffstat (limited to 'kernel/bpf/lpm_trie.c')
0 files changed, 0 insertions, 0 deletions