summaryrefslogtreecommitdiff
path: root/kernel
diff options
context:
space:
mode:
authorAlexei Starovoitov <ast@fb.com>2016-05-19 18:17:13 -0700
committerMichael Bestas <mkbestas@lineageos.org>2022-04-19 00:50:18 +0300
commitc1829863f55fef6222777ecc7f3c4a696be4e3cd (patch)
treeb00e885be333f6546d74cdf8e2e9e64730e868dd /kernel
parent7e34e620d8eae44693e3061b9bedf2211632898d (diff)
bpf: support decreasing order in direct packet access
when packet headers are accessed in 'decreasing' order (like TCP port may be fetched before the program reads IP src) the llvm may generate the following code: [...] // R7=pkt(id=0,off=22,r=70) r2 = *(u32 *)(r7 +0) // good access [...] r7 += 40 // R7=pkt(id=0,off=62,r=70) r8 = *(u32 *)(r7 +0) // good access [...] r1 = *(u32 *)(r7 -20) // this one will fail though it's within a safe range // it's doing *(u32*)(skb->data + 42) Fix verifier to recognize such code pattern Alos turned out that 'off > range' condition is not a verifier bug. It's a buggy program that may do something like: if (ptr + 50 > data_end) return 0; ptr += 60; *(u32*)ptr; in such case emit "invalid access to packet, off=0 size=4, R1(id=0,off=60,r=50)" error message, so all information is available for the program author to fix the program. Fixes: 969bf05eb3ce ("bpf: direct packet access") Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Chatur27 <jasonbright2709@gmail.com>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/bpf/verifier.c12
1 files changed, 4 insertions, 8 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a08d66215245..d54e34874579 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -683,15 +683,11 @@ static int check_packet_access(struct verifier_env *env, u32 regno, int off,
{
struct reg_state *regs = env->cur_state.regs;
struct reg_state *reg = &regs[regno];
- int linear_size = (int) reg->range - (int) reg->off;
- if (linear_size < 0 || linear_size >= MAX_PACKET_OFF) {
- verbose("verifier bug\n");
- return -EFAULT;
- }
- if (off < 0 || off + size > linear_size) {
- verbose("invalid access to packet, off=%d size=%d, allowed=%d\n",
- off, size, linear_size);
+ off += reg->off;
+ if (off < 0 || off + size > reg->range) {
+ verbose("invalid access to packet, off=%d size=%d, R%d(id=%d,off=%d,r=%d)\n",
+ off, size, regno, reg->id, reg->off, reg->range);
return -EACCES;
}
return 0;
generated by cgit v1.2.3 (git 2.25.1) at 2026-02-12 21:03:20 +0000