On Mon, Feb 03, 2025 at 10:45:35AM -0800, Eduard Zingerman wrote:
> On Sat, 2025-02-01 at 12:58 -0700, Daniel Xu wrote:
> > Previously, we were trying to extract constant map keys for all
> > bpf_map_lookup_elem(), regardless of map type. This is an issue if the
> > map has a u64 key and the value is very high, as it can be interpreted
> > as a negative signed value. This in turn is treated as an error value by
> > check_func_arg() which causes a valid program to be incorrectly
> > rejected.
> >
> > Fix by only extracting constant map keys for relevant maps. See next
> > commit for an example via selftest.
> >
> > Reported-by: Marc Hartmayer <mhartmay@xxxxxxxxxxxxx>
> > Reported-by: Ilya Leoshkevich <iii@xxxxxxxxxxxxx>
> > Tested-by: Marc Hartmayer <mhartmay@xxxxxxxxxxxxx>
> > Signed-off-by: Daniel Xu <dxu@xxxxxxxxx>
>
> Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
>
> Nit:
> would be good if commit message said something along the lines:
> ... the fix works because nullness elision is only allowed for
> {PERCPU_}ARRAY maps, and keys for these are within u32 range ...
Ack. I can respin if necessary. Otherwise, here's the edited commit msg:
bpf: verifier: Do not extract constant map keys for irrelevant maps
Previously, we were trying to extract constant map keys for all
bpf_map_lookup_elem(), regardless of map type. This is an issue if the
map has a u64 key and the value is very high, as it can be interpreted
as a negative signed value. This in turn is treated as an error value by
check_func_arg() which causes a valid program to be incorrectly
rejected.
Fix by only extracting constant map keys for relevant maps. This fix
works because nullness elision is only allowed for {PERCPU_}ARRAY maps,
and keys for these are within u32 range. See next commit for an example
via selftest.
Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
Reported-by: Marc Hartmayer <mhartmay@xxxxxxxxxxxxx>
Reported-by: Ilya Leoshkevich <iii@xxxxxxxxxxxxx>
Tested-by: Marc Hartmayer <mhartmay@xxxxxxxxxxxxx>
