On Tue, Mar 23, 2021 at 7:23 PM Florent Revest <revest@xxxxxxxxxxxx> wrote: > > This type provides the guarantee that an argument is going to be a const > pointer to somewhere in a read-only map value. It also checks that this > pointer is followed by a zero character before the end of the map value. > > Signed-off-by: Florent Revest <revest@xxxxxxxxxxxx> > --- > include/linux/bpf.h | 1 + > kernel/bpf/verifier.c | 38 ++++++++++++++++++++++++++++++++++++++ > 2 files changed, 39 insertions(+) > > diff --git a/include/linux/bpf.h b/include/linux/bpf.h > index a25730eaa148..7b5319d75b3e 100644 > --- a/include/linux/bpf.h > +++ b/include/linux/bpf.h > @@ -308,6 +308,7 @@ enum bpf_arg_type { > ARG_PTR_TO_PERCPU_BTF_ID, /* pointer to in-kernel percpu type */ > ARG_PTR_TO_FUNC, /* pointer to a bpf program function */ > ARG_PTR_TO_STACK_OR_NULL, /* pointer to stack or NULL */ > + ARG_PTR_TO_CONST_STR, /* pointer to a null terminated read-only string */ > __BPF_ARG_TYPE_MAX, > }; > [...] > + > + map_off = reg->off + reg->var_off.value; > + err = map->ops->map_direct_value_addr(map, &map_addr, map_off); > + if (err) > + return err; > + > + str_ptr = (char *)(long)(map_addr); > + if (!strnchr(str_ptr + map_off, > + map->value_size - reg->off - map_off, 0)) you are double subtracting reg->off here. isn't map->value_size - map_off what you want? > + verbose(env, "string is not zero-terminated\n"); I'd prefer `return -EINVAL;`, but at least set err, otherwise what's the point? > } > > return err; > -- > 2.31.0.291.g576ba9dcdaf-goog >
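Review bot: In the include/linux/bpf.h hunk, the comment on ARG_PTR_TO_CONST_STR says only "pointer to a null terminated read-only string", which is weaker than what the commit message promises: a const pointer into a read-only map value, with the terminator found before the end of that value. Helper authors pick an argument type from this enum, so the comment should carry the map requirement, for example "pointer to a NUL-terminated string in a read-only map value".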
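Review bot: In the kernel/bpf/verifier.c hunk, the count passed to strnchr(), `map->value_size - reg->off - map_off`, subtracts reg->off twice, because map_off is already `reg->off + reg->var_off.value`. This does more than reject valid strings that end close to the end of the value: once reg->off is larger than `map->value_size - map_off` the subtraction underflows, and since strnchr() takes its count as a size_t the scan is then no longer bounded by the map value. Use `map->value_size - map_off` as the count. In the same hunk the failure branch only calls verbose(); err is still 0 there because of the earlier `if (err) return err;`, so the final `return err` accepts an unterminated string. Return -EINVAL from that branch.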