From: Maxim Mikityanskiy <maxim@xxxxxxxxxxxxx>

See the details in the commit message (TL/DR: under CAP_BPF, the verifier
can incorrectly conclude that a scalar is zero while in fact it can be
crafted to a predefined number.)

v1 and v2 were sent off-list.

v2 changes: Added more tests, migrated them to inline asm, started using
bpf_get_prandom_u32, switched to a more bulletproof dead branch check and
modified the failing spill test scenarios so that an unauthorized access
attempt is performed in both branches.

v3 changes: Dropped an improvement not necessary for the fix, changed the
Fixes tag.

v4 changes: Dropped supposedly redundant tests, kept the ones that result
in different verifier verdicts. Dropped the variable that is not yet useful
in this patch. Rephrased the commit message with Daniel's suggestions.

Maxim Mikityanskiy (2):
  bpf: Fix verifier id tracking of scalars on spill
  selftests/bpf: Add test cases to assert proper ID tracking on spill

 kernel/bpf/verifier.c                         |  3 +
 .../selftests/bpf/progs/verifier_spill_fill.c | 79 +++++++++++++++++++
 2 files changed, 82 insertions(+)

-- 
2.40.1