[...]
>
> Andrei, thanks for the quick fix! But with this fix, I suspect the
> max_off would be incorrect when access_size is zero. We probably
> should do something like this:
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2a9d521b64f4..70d5201f7d08 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -6556,10 +6556,9 @@ static int check_stack_access_within_bounds(
>  			return -EACCES;
>  		}
>  		min_off = reg->smin_value + off;
> +		max_off = reg->smax_value + off;
>  		if (access_size > 0)
> -			max_off = reg->smax_value + off + access_size - 1;
> -		else
> -			max_off = min_off;
> +			max_off += access_size - 1;
>  	}
>
>  	err = check_stack_slot_within_bounds(env, min_off, state, type);
>

Indeed, thanks. Resent.

I would love to add a few words about what the intention and exact semantics of checking a zero-sized access are, if anyone can explain it. I'm wondering if it'd be better to massage the code such that the smallest access to verify has size 1.
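Review bot: the `if (access_size > 0)` guard in this hunk leaves max_off at `reg->smax_value + off` for a zero-sized access, so the removed `max_off = min_off` is replaced by a check of the full [smin_value + off, smax_value + off] range rather than of min_off alone; that is a behaviour change for access_size == 0 that the hunk does not explain. Please state the intended zero-size semantics in the changelog and in a comment above the new assignment (for example "/* access_size == 0: every possible pointer value must still be within the stack */"), otherwise the next reader will have the same question about the intent that was raised in this thread.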
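To make the difference for access_size == 0 concrete, here is a small userspace model, added here as an example and not code from this thread or from kernel/bpf/verifier.c. range_before() and range_after() transcribe the removed and added lines of the hunk; struct reg_bounds, within_stack() and the inputs are assumptions: within_stack() is a simplified stand-in for check_stack_slot_within_bounds() that only requires the whole [min_off, max_off] range to lie inside the 512-byte BPF stack (valid byte offsets [-512, -1]), and the register ranges are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Real kernel constant: the BPF stack is 512 bytes, addressed at negative
 * offsets from the frame pointer, so valid byte offsets are [-512, -1]. */
#define MAX_BPF_STACK 512

/* Assumed, simplified stand-in for a verifier register's tracked bounds:
 * only the signed min/max of the scalar added to the stack pointer. */
struct reg_bounds {
	int64_t smin_value;
	int64_t smax_value;
};

/* The [min_off, max_off] byte range an access may touch. */
struct access_range {
	int64_t min_off;
	int64_t max_off;
};

/* Variable-offset computation from the hunk's `-` lines: a zero-sized
 * access collapses max_off to min_off, so only the lowest possible
 * pointer value is ever checked. */
static struct access_range range_before(const struct reg_bounds *reg,
					int off, int access_size)
{
	struct access_range r;

	r.min_off = reg->smin_value + off;
	if (access_size > 0)
		r.max_off = reg->smax_value + off + access_size - 1;
	else
		r.max_off = r.min_off;
	return r;
}

/* Computation from the hunk's `+` lines: max_off always starts from
 * smax_value, so a zero-sized access is checked over its whole range. */
static struct access_range range_after(const struct reg_bounds *reg,
				       int off, int access_size)
{
	struct access_range r;

	r.min_off = reg->smin_value + off;
	r.max_off = reg->smax_value + off;
	if (access_size > 0)
		r.max_off += access_size - 1;
	return r;
}

/* Assumed stand-in for check_stack_slot_within_bounds(): the whole
 * range must lie inside the stack frame. */
static bool within_stack(const struct access_range *r)
{
	return r->min_off >= -MAX_BPF_STACK && r->max_off < 0;
}

/* Would the pre-patch code accept this variable-offset stack access? */
static bool accepted_before(int64_t smin, int64_t smax, int off, int access_size)
{
	struct reg_bounds reg = { smin, smax };
	struct access_range r = range_before(&reg, off, access_size);

	return within_stack(&r);
}

/* Would the patched code accept this variable-offset stack access? */
static bool accepted_after(int64_t smin, int64_t smax, int off, int access_size)
{
	struct reg_bounds reg = { smin, smax };
	struct access_range r = range_after(&reg, off, access_size);

	return within_stack(&r);
}

int main(void)
{
	/* Constructed case: scalar in [-16, 16], off = -8, so the pointer may
	 * land anywhere in [-24, 8]; the top of that range is above the stack. */
	printf("size 8: before=%d after=%d\n",
	       accepted_before(-16, 16, -8, 8), accepted_after(-16, 16, -8, 8));
	printf("size 0: before=%d after=%d\n",
	       accepted_before(-16, 16, -8, 0), accepted_after(-16, 16, -8, 0));
	/* Constructed case entirely inside the stack: [-24, -16], both accept. */
	printf("size 0 in-bounds: before=%d after=%d\n",
	       accepted_before(-16, -8, -8, 0), accepted_after(-16, -8, -8, 0));
	return 0;
}
```

The first constructed case is the one the thread is about: with size 8 both versions reject, but with size 0 the old code only looks at min_off = -24 and accepts even though the pointer may be at offset 8, above the stack; the patched code rejects it. The second case shows the patch is not simply stricter everywhere: a zero-sized access whose whole range is in bounds is accepted by both.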