On Wed, Oct 16, 2024 at 6:49 AM Daniel Borkmann <daniel@xxxxxxxxxxxxx> wrote:
>
> print_reg_state() should not consider adding reg->off to reg->var_off.value
> when dumping scalars. Scalars can be produced with reg->off != 0 through
> BPF_ADD_CONST, and thus as-is this can skew the register log dump.
>
> Fixes: 98d7ca374ba4 ("bpf: Track delta between "linked" registers.")
> Reported-by: Nathaniel Theis <nathaniel.theis@xxxxxxxxxxxx>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> ---
> kernel/bpf/log.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
> index 5aebfc3051e3..4a858fdb6476 100644
> --- a/kernel/bpf/log.c
> +++ b/kernel/bpf/log.c
> @@ -688,8 +688,7 @@ static void print_reg_state(struct bpf_verifier_env *env,
> if (t == SCALAR_VALUE && reg->precise)
> verbose(env, "P");
> if (t == SCALAR_VALUE && tnum_is_const(reg->var_off)) {
> - /* reg->off should be 0 for SCALAR_VALUE */
> - verbose_snum(env, reg->var_off.value + reg->off);
> + verbose_snum(env, reg->var_off.value);
> return;

The original code was handling SCALAR_VALUE and PTR_TO_STACK cases, so
`+ reg->off` under assumption of reg->off being zero for SCALAR_VALUE case
made sense. Now this is a SCALAR_VALUE-only code path, so there is no point
in doing this.

Acked-by: Andrii Nakryiko <andrii@xxxxxxxxxx>

> }
>
> --
> 2.43.0
>
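Review bot: the hunk drops the comment "/* reg->off should be 0 for SCALAR_VALUE */" without replacing it, yet the commit message says that invariant no longer holds since 98d7ca374ba4 (scalars produced via BPF_ADD_CONST carry reg->off != 0). A one-line comment above the verbose_snum() call stating that reg->off is a linked-register delta for scalars and is deliberately not folded into the printed value would stop someone from reintroducing "+ reg->off" later. Since the only observable effect is the verifier log text, a selftest that dumps a BPF_ADD_CONST-derived scalar and matches the expected value would give this fix a regression check.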