diff options
| author |   Daniel Borkmann <daniel@iogearbox.net> | 2019-01-06 00:54:37 +0100 |
|---|---|---|
| committer |   Alexei Starovoitov <ast@kernel.org> | 2019-01-05 21:32:38 -0800 |
| commit | d3bd7413e0ca40b60cf60d4003246d067cafdeda (patch) | |
| tree | 921fb6e1b153c75a832e52659b7b9166b9174bec /include/linux/bpf_verifier.h | |
| parent | Merge branch 'udpv6_sendmsg-addr_any-fix' (diff) | |
| download | linux-dev-d3bd7413e0ca40b60cf60d4003246d067cafdeda.tar.xz linux-dev-d3bd7413e0ca40b60cf60d4003246d067cafdeda.zip | |
bpf: fix sanitation of alu op with pointer / scalar type from different paths
While 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer
arithmetic") took care of rejecting alu op on pointer when e.g. pointer
came from two different map values with different map properties such as
value size, Jann reported that a case was not covered yet when a given
alu op is used in both "ptr_reg += reg" and "numeric_reg += reg" from
different branches where we would incorrectly try to sanitize based
on the pointer's limit. Catch this corner case and reject the program
instead.
Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'include/linux/bpf_verifier.h')
| -rw-r--r-- | include/linux/bpf_verifier.h | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 27b74947cd2b..573cca00a0e6 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -172,6 +172,7 @@ struct bpf_verifier_state_list { #define BPF_ALU_SANITIZE_SRC 1U #define BPF_ALU_SANITIZE_DST 2U #define BPF_ALU_NEG_VALUE (1U << 2) +#define BPF_ALU_NON_POINTER (1U << 3) #define BPF_ALU_SANITIZE (BPF_ALU_SANITIZE_SRC | \ BPF_ALU_SANITIZE_DST) |