[...]
> >
> > Ack. Still, if you don't mind entertaining me further, two more questions:
> >
> > 1. What do you make of the code in check_mem_size_reg() [1] where we do
> >
> > if (reg->umin_value == 0) {
> > err = check_helper_mem_access(env, regno - 1, 0,
> > zero_size_allowed,
> > meta);
> >
> > followed by
> >
> > err = check_helper_mem_access(env, regno - 1,
> > reg->umax_value,
> > zero_size_allowed, meta);
> >
> > [1] https://github.com/torvalds/linux/blob/bee0e7762ad2c6025b9f5245c040fcc36ef2bde8/kernel/bpf/verifier.c#L7486-L7489
> >
> > What's the point of the first check_helper_mem_access() call - the
> > zero-sized one
> > (given that we also have the second, broader, check)? Could it be
> > simply replaced by a
> >
> > if (reg->umin_value == 0 && !zero_sized_allowed)
> > err = no_bueno;
> >
>
> Maybe Kumar (cc'ed) can chime in as well, but I suspect that's exactly
> this, and kind of similar to the min_off/max_off discussion we had. So
> yes, I suspect the above simple and straightforward check would be
> much more meaningful and targeted.
I plan on trying this in a bit; sounds like you're encouraging it.
>
> I gotta say that the reg->smin_value < 0 check is confusing, though,
> I'm not sure why we are mixing smin and umin/umax in this change...
When you say "in this change", you mean in the existing code, yeah? I'm not
familiar enough with the smin/umin tracking to tell if `reg->smin_value >= 0`
(the condition that the function tests first) implies that
`reg->smin_value == reg->umin_value` (i.e. the fact that we're currently mixing
smin/umin in check_mem_size_reg() is confusing, but benign). Is that true? If
so, are you saying that check_mem_size_reg() should exclusively use smin/smax?
[...]
