On Wed, Dec 13, 2023 at 10:28 PM Menglong Dong <menglong8.dong@xxxxxxxxx> wrote:
>
> We can derive some new information for BPF_JNE in regs_refine_cond_op().
> Take the following code for example:
>
> /* The type of "a" is u16 */
> if (a > 0 && a < 100) {
>     /* the range of the register for a is [0, 99], not [1, 99],
>      * and will cause the following error:
>      *
>      * invalid zero-sized read
>      *
>      * as a can be 0.
>      */
>     bpf_skb_store_bytes(skb, xx, xx, a, 0);
> }

Please craft a selftest from the above with inline asm (C might not work, as the compiler might optimize it).

Also we call:

/* fallthrough (FALSE) branch */
regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32);
/* jump (TRUE) branch */
regs_refine_cond_op(true_reg1, true_reg2, opcode, is_jmp32);

so despite BPF_JNE not being handled explicitly, it still should have caught the above due to rev_opcode()?
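As an added illustration that is not part of the thread and not the kernel verifier's code: a small stand-alone model of unsigned range tracking for one register, showing why a `!= 0` test that is never folded into the range leaves `a` at [0, 99] while refining on JNE gives [1, 99]. The `struct urange` type and the `refine_*_const` helpers are hypothetical; they only mimic the bookkeeping `regs_refine_cond_op()` does for a register compared against a constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdbool.h>
#include <inttypes.h>

/* Hypothetical unsigned range of one register (not bpf_reg_state). */
struct urange {
	uint64_t umin;
	uint64_t umax;
};

/* Refine `reg` knowing "reg != k" holds on this path. Excluding a
 * single value only tightens an interval when k sits at one end;
 * a hole in the middle cannot be expressed as one [umin, umax]. */
static void refine_jne_const(struct urange *reg, uint64_t k)
{
	if (reg->umin == reg->umax)
		return;			/* already a known constant */
	if (reg->umin == k)
		reg->umin++;
	else if (reg->umax == k)
		reg->umax--;
}

/* Refine knowing "reg == k" holds (JNE's reversed opcode is JEQ). */
static void refine_jeq_const(struct urange *reg, uint64_t k)
{
	if (k >= reg->umin && k <= reg->umax)
		reg->umin = reg->umax = k;
}

/* Refine knowing "reg < k" (unsigned) holds. */
static void refine_jlt_const(struct urange *reg, uint64_t k)
{
	if (k > 0 && reg->umax >= k)
		reg->umax = k - 1;
}

/* Model the scenario from the mail: a u16 load, an `a < 100` check,
 * then an `a != 0` check (a compiler may emit exactly that for an
 * unsigned `a > 0`). Returns the range on the path where both hold. */
struct urange range_after_checks(bool refine_on_jne)
{
	struct urange a = { .umin = 0, .umax = 0xffff };	/* u16 */

	refine_jlt_const(&a, 100);				/* a < 100 */
	if (refine_on_jne)
		refine_jne_const(&a, 0);			/* a != 0  */
	return a;
}

/* The other arm of the same branch: "a == 0" collapses to a constant. */
struct urange range_on_equal_zero(void)
{
	struct urange a = { .umin = 0, .umax = 99 };

	refine_jeq_const(&a, 0);
	return a;
}

int main(void)
{
	struct urange without = range_after_checks(false);
	struct urange with = range_after_checks(true);

	printf("a < 100 only        : [%" PRIu64 ", %" PRIu64 "]\n",
	       without.umin, without.umax);
	printf("a < 100 and a != 0  : [%" PRIu64 ", %" PRIu64 "]\n",
	       with.umin, with.umax);
	return 0;
}
```

With the JNE refinement applied the length argument can no longer be zero on the store path, which is exactly the information the verifier needs to stop reporting the zero-sized read for this pattern.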