• Daniel Borkmann's avatar
    bpf: fix off by one for range markings with L{T, E} patterns · fb2a311a
    Daniel Borkmann authored
    During review I noticed that the current logic for direct packet
    access marking in check_cond_jmp_op() has an off by one for the
    upper right range border when marking in find_good_pkt_pointers()
    with BPF_JLT and BPF_JLE. It's not really harmful given access
    up to pkt_end is always safe, but we should nevertheless correct
    the range marking before it becomes ABI. If pkt_data' denotes a
    pkt_data derived pointer (pkt_data + X), then for pkt_data' < pkt_end
    in the true branch as well as for pkt_end <= pkt_data' in the false
    branch we mark the range with X although it should really be X - 1
    in these cases. For example, X could be pkt_end - pkt_data, then
    when testing for pkt_data' < pkt_end the verifier simulation cannot
    deduce that a byte load of pkt_data' - 1 would succeed in this
    branch.
    
    Fixes: b4e432f1 ("bpf: enable BPF_J{LT, LE, SLT, SLE} opcodes in verifier")
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    fb2a311a
verifier.c 130 KB