In find_equal_scalars(), it should not copy the reg->subreg_def, otherwise a bug will occur when the program flag has BPF_F_TEST_RND_HI32.

Reported-by: Lonial Con <kongln9170@xxxxxxxxx>
Signed-off-by: Lonial Con <kongln9170@xxxxxxxxx>
---
 kernel/bpf/verifier.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index d852009..1e01b7f 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15101,7 +15101,9 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate,
 			continue;
 		if ((!(reg->id & BPF_ADD_CONST) && !(known_reg->id & BPF_ADD_CONST)) ||
 		    reg->off == known_reg->off) {
+			s32 subreg_def = reg->subreg_def;
 			copy_register_state(reg, known_reg);
+			reg->subreg_def = subreg_def;
 		} else {
 			s32 saved_off = reg->off;
@@ -15109,7 +15111,9 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate,
 			__mark_reg_known(&fake_reg, (s32)reg->off - (s32)known_reg->off);
 			/* reg = known_reg; reg += delta */
+			s32 subreg_def = reg->subreg_def;
 			copy_register_state(reg, known_reg);
+			reg->subreg_def = subreg_def;
 			/*
 			 * Must preserve off, id and add_const flag,
 			 * otherwise another find_equal_scalars() will be incorrect.
-- 
2.7.4
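Review bot: The save/restore of `subreg_def` around `copy_register_state()` is duplicated verbatim at both call sites (this hunk and the else-branch hunk at @@ -15109) and neither site says why the destination's `subreg_def` must survive the copy; `subreg_def` records which instruction last defined this register's 32-bit subregister, so inheriting known_reg's value presumably makes the later zero-extension / hi32-randomisation rewrite act on the wrong definition, which is the failure the commit message only alludes to. If I recall the helper correctly, `copy_register_state()` already keeps the destination's `live` and `parent` fields, so the more robust fix is one more preserved field there (`s32 subreg_def = dst->subreg_def;` before `*dst = *src;` and `dst->subreg_def = subreg_def;` after) provided the spill/fill callers tolerate it; otherwise keep both sites but add `/* subreg_def describes reg's own defining insn, not known_reg's */` at each. In the second hunk the new declaration lands after the `__mark_reg_known()` call, a declaration-after-statement that reads cleaner placed next to `s32 saved_off`. The commit message should state the observable failure under BPF_F_TEST_RND_HI32, carry a Fixes: tag, and ideally be accompanied by a selftest that runs with that flag. find_equal_scalars() begins and ends outside both hunks.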