[PATCH RFC bpf-next v1 08/32] bpf: Add comment about kptr's PTR_TO_MAP_VALUE handling

In both process_kptr_func and kptr_get handling for kfuncs, we expect
PTR_TO_MAP_VALUE with a constant var_off and optionally fixed off, which
in turn points to the kptr in the map value. We know that if we find
such offset in the kptr_off_tab it will be < value_size.

Hence, we skip checking the memory region access. Once establishing that
it is a kptr we also don't need to check whether the map value pointer
touches any other special fields for [ptr, ptr+8) region we are about to
access.

Finally, for check_map_access_type, we already ensure that neither
BPF_F_RDONLY_PROG nor BPF_F_WRONLY_PROG flags can be set for the map
containing kptrs. Hence, checking that is also not required.

Encode all these implicit assumptions as comments where such checks are
made, so that any future changes to these take the kptr related
invariants into consideration, and avoid introducing bugs accidentally.

All this information was also clarified in the commit adding kptr
support, 61df10c7799e ("bpf: Allow storing unreferenced kptr in map").

Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
---
 kernel/bpf/verifier.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b7bf68f3b2ec..0c19a98c748d 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5196,6 +5196,11 @@ static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
 		return check_mem_region_access(env, regno, reg->off, access_size,
 					       reg->map_ptr->key_size, false);
 	case PTR_TO_MAP_VALUE:
+		/* process_kptr_func and kptr_get assume only map_access_type
+		 * and special field access is checked for PTR_TO_MAP_VALUE,
+		 * apart from verifying memory region access, hence they must be
+		 * revisited when that assumption changes here.
+		 */
 		if (check_map_access_type(env, regno, reg->off, access_size,
 					  meta && meta->raw_mode ? BPF_WRITE :
 					  BPF_READ))
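Review bot: the new comment above the PTR_TO_MAP_VALUE case names the assumption only indirectly ("map_access_type and special field access ... apart from verifying memory region access"); a reader adding a fourth check here has to work out which three calls those words refer to. Spell out the checks by name, e.g. "process_kptr_func and kptr_get handling skip check_map_access_type, check_map_access (special fields) and check_mem_region_access for a kptr slot; any new check added to this case must be mirrored there", so the invariant is greppable. The commit message also justifies skipping check_map_access_type with the fact that a map containing kptrs can have neither BPF_F_RDONLY_PROG nor BPF_F_WRONLY_PROG set; that reasoning is not captured in the hunk, and the comment is the natural place for it. Finally, the dependency runs both ways: a one-line comment at the skip site in process_kptr_func pointing back at this case would keep the two locations in sync when either changes.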
-- 
2.34.1