Commit 32bf08a6257b9c7380dcd040af3c0858eee3ef05
Committed by
David S. Miller
David S. Miller
1 parent
78fd1d0ab0
Exists in
ti-lsk-linux-4.1.y
and in
10 other branches
bpf: fix bug in eBPF verifier
while comparing for verifier state equivalency the comparison was missing a check for uninitialized register. Make sure it does so and add a testcase. Fixes: f1bca824dabb ("bpf: add search pruning optimization to verifier") Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 2 changed files with 13 additions and 1 deletions Side-by-side Diff
kernel/bpf/verifier.c
| ... | ... | @@ -1409,7 +1409,8 @@ |
| 1409 | 1409 | if (memcmp(&old->regs[i], &cur->regs[i], |
| 1410 | 1410 | sizeof(old->regs[0])) != 0) { |
| 1411 | 1411 | if (old->regs[i].type == NOT_INIT || |
| 1412 | - old->regs[i].type == UNKNOWN_VALUE) | |
| 1412 | + (old->regs[i].type == UNKNOWN_VALUE && | |
| 1413 | + cur->regs[i].type != NOT_INIT)) | |
| 1413 | 1414 | continue; |
| 1414 | 1415 | return false; |
| 1415 | 1416 | } |
samples/bpf/test_verifier.c
| ... | ... | @@ -209,6 +209,17 @@ |
| 209 | 209 | .result = REJECT, |
| 210 | 210 | }, |
| 211 | 211 | { |
| 212 | + "program doesn't init R0 before exit in all branches", | |
| 213 | + .insns = { | |
| 214 | + BPF_JMP_IMM(BPF_JGE, BPF_REG_1, 0, 2), | |
| 215 | + BPF_MOV64_IMM(BPF_REG_0, 1), | |
| 216 | + BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2), | |
| 217 | + BPF_EXIT_INSN(), | |
| 218 | + }, | |
| 219 | + .errstr = "R0 !read_ok", | |
| 220 | + .result = REJECT, | |
| 221 | + }, | |
| 222 | + { | |
| 212 | 223 | "stack out of bounds", |
| 213 | 224 | .insns = { |
| 214 | 225 | BPF_ST_MEM(BPF_DW, BPF_REG_10, 8, 0), |