diff options
| author | Josef Bacik <jbacik@fb.com> | 2016-11-29 12:27:09 -0500 |
|---|---|---|
| committer | Michael Bestas <mkbestas@lineageos.org> | 2022-04-19 00:50:43 +0300 |
| commit | 26c8d31fd8965ed30d4bcd25afbee6fa8c58efef (patch) | |
| tree | c38c826102c3fedfa9cd9deffeb36ba2d4f36ec1 /include/linux/debugobjects.h | |
| parent | f7c1642847036680697ab92eb3eb00b5ef271bfc (diff) | |
bpf: fix states equal logic for varlen access
If we have a branch that looks something like this
int foo = map->value;
if (condition) {
foo += blah;
} else {
foo = bar;
}
map->array[foo] = baz;
We will incorrectly assume that the !condition branch is equal to the condition
branch as the register for foo will be UNKNOWN_VALUE in both cases. We need to
adjust this logic to only do this if we didn't do a varlen access after we
processed the !condition branch, otherwise we have different ranges and need to
check the other branch as well.
Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chatur27 <jasonbright2709@gmail.com>
Diffstat (limited to 'include/linux/debugobjects.h')
0 files changed, 0 insertions, 0 deletions