Message ID | 20231130000406.480870-3-andrii@kernel.org (mailing list archive) |
---|---|
State | Superseded |
Delegated to: | BPF |
Headers | show |
Series | BPF verifier retval logic fixes | expand |
Context | Check | Description |
---|---|---|
bpf/vmtest-bpf-next-PR | fail | merge-conflict |
netdev/tree_selection | success | Clearly marked for bpf-next |
netdev/apply | fail | Patch does not apply to bpf-next |
On Wed, Nov 29, 2023 at 04:03:58PM -0800, Andrii Nakryiko wrote: > Given verifier checks actual value, r0 has to be precise, so we need to > propagate precision properly. r0 also has to be marked as read, > otherwise subsequent state comparisons will ignore such register as > unimportant and precision won't really help here. > > Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") > Acked-by: Eduard Zingerman <eddyz87@gmail.com> > Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 25b9d470957e..849fbf47b5f3 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -9590,6 +9590,13 @@ static int prepare_func_exit(struct bpf_verifier_env *env, int *insn_idx) verbose(env, "R0 not a scalar value\n"); return -EACCES; } + + /* we are going to rely on register's precise value */ + err = mark_reg_read(env, r0, r0->parent, REG_LIVE_READ64); + err = err ?: mark_chain_precision(env, BPF_REG_0); + if (err) + return err; + if (!tnum_in(range, r0->var_off)) { verbose_invalid_scalar(env, r0, &range, "callback return", "R0"); return -EINVAL;