For now, the reg bounds is not handled for BPF_JNE case, which can cause
the failure of following case:
/* The type of "a" is u32 */
if (a > 0 && a < 100) {
/* the range of the register for a is [0, 99], not [1, 99],
* and will cause the following error:
*
* invalid zero-sized read
*
* as a can be 0.
*/
bpf_skb_store_bytes(skb, xx, xx, a, 0);
}
In the code above, "a > 0" will be compiled to "if a == 0 goto xxx". In
the TRUE branch, the dst_reg will be marked as known to 0. However, in the
fallthrough(FALSE) branch, the dst_reg will not be handled, which makes
the [min, max] for a is [0, 99], not [1, 99].
In the 1st patch, we reduce the range of the dst reg if the src reg is a
const and is exactly the edge of the dst reg For BPF_JNE.
In the 2nd patch, we just activate the test case for this logic in
range_cond(), which is committed by Andrii in the
commit 8863238993e2 ("selftests/bpf: BPF register range bounds tester").
In the 3rd patch, we convert the case above to a testcase and add it to
verifier_bounds.c.
Changes since v3:
- do some adjustment to the crafted cases that we added in the 2nd patch
- add the 3rd patch
Changes since v2:
- fix a typo in the subject of the 1st patch
- add some comments to the 1st patch, as Eduard advised
- add some cases to the "crafted_cases"
Changes since v1:
- simplify the code in the 1st patch
- introduce the 2nd patch for the testing
Menglong Dong (3):
bpf: make the verifier tracks the "not equal" for regs
selftests/bpf: activate the OP_NE login in range_cond()
selftests/bpf: add testcase to verifier_bounds.c for JMP_NE
kernel/bpf/verifier.c | 38 ++++++++++++++++++-
.../selftests/bpf/prog_tests/reg_bounds.c | 20 +++++++---
.../selftests/bpf/progs/verifier_bounds.c | 27 +++++++++++++
3 files changed, 78 insertions(+), 7 deletions(-)
--
2.39.2
