diff options
| author |   Paul Chaignon <paul.chaignon@orange.com> | 2019-04-24 21:50:42 +0200 |
|---|---|---|
| committer |   Alexei Starovoitov <ast@kernel.org> | 2019-04-25 17:20:06 -0700 |
| commit | c6a9efa1d8353d8960d152e7d469d952b01495c0 (patch) | |
| tree | 88dc631e10dac5a41a7510e7ea64c6b6769de7f7 /tools/testing/selftests/bpf/verifier/calls.c | |
| parent | libbpf: add binary to gitignore (diff) | |
| download | linux-dev-c6a9efa1d8353d8960d152e7d469d952b01495c0.tar.xz linux-dev-c6a9efa1d8353d8960d152e7d469d952b01495c0.zip | |
bpf: mark registers in all frames after pkt/null checks
In case of a null check on a pointer inside a subprog, we should mark all
registers with this pointer as either safe or unknown, in both the current
and previous frames. Currently, only spilled registers and registers in
the current frame are marked. Packet bound checks in subprogs have the
same issue. This patch fixes it to mark registers in previous frames as
well.
A good reproducer for null checks looks as follow:
1: ptr = bpf_map_lookup_elem(map, &key);
2: ret = subprog(ptr) {
3: return ptr != NULL;
4: }
5: if (ret)
6: value = *ptr;
With the above, the verifier will complain on line 6 because it sees ptr
as map_value_or_null despite the null check in subprog 1.
Note that this patch fixes another resulting bug when using
bpf_sk_release():
1: sk = bpf_sk_lookup_tcp(...);
2: subprog(sk) {
3: if (sk)
4: bpf_sk_release(sk);
5: }
6: if (!sk)
7: return 0;
8: return 1;
In the above, mark_ptr_or_null_regs will warn on line 6 because it will
try to free the reference state, even though it was already freed on
line 3.
Fixes: f4d7e40a5b71 ("bpf: introduce function calls (verification)")
Signed-off-by: Paul Chaignon <paul.chaignon@orange.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'tools/testing/selftests/bpf/verifier/calls.c')
0 files changed, 0 insertions, 0 deletions