• Alexei Starovoitov's avatar
    bpf: fix branch pruning logic · c131187d
    Alexei Starovoitov authored
    when the verifier detects that register contains a runtime constant
    and it's compared with another constant it will prune exploration
    of the branch that is guaranteed not to be taken at runtime.
    This is all correct, but malicious program may be constructed
    in such a way that it always has a constant comparison and
    the other branch is never taken under any conditions.
    In this case such path through the program will not be explored
    by the verifier. It won't be taken at run-time either, but since
    all instructions are JITed the malicious program may cause JITs
    to complain about using reserved fields, etc.
    To fix the issue we have to track the instructions explored by
    the verifier and sanitize instructions that are dead at run time
    with NOPs. We cannot reject such dead code, since llvm generates
    it for valid C code, since it doesn't do as much data flow
    analysis as the verifier does.
    
    Fixes: 17a52670 ("bpf: verifier (add verifier core)")
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    c131187d
verifier.c 135 KB