On Thu, Aug 17, 2023 at 12:10 AM Yafang Shao <laoar.shao@xxxxxxxxx> wrote:
> >
> > Yonghong already pointed out upthread that
> > comparison of two packet pointers is not a pointer leak.
> > See this code:
> >         } else if (!try_match_pkt_pointers(insn, dst_reg, &regs[insn->src_reg],
> >                                            this_branch, other_branch) &&
> >                    is_pointer_value(env, insn->dst_reg)) {
> >                 verbose(env, "R%d pointer comparison prohibited\n",
> >                         insn->dst_reg);
> >                 return -EACCES;
> >         }
> >
> > It's not clear why it doesn't address your case.
>
> It can address the issue.
> It seems we should do the code change below.
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 0b9da95..c66dc61 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -13819,6 +13819,18 @@ static int check_cond_jmp_op(struct
> bpf_verifier_env *env,
>                 return -EINVAL;
>         }
>
> +       other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx,
> +                                 false);

Yeah. something like that.
except we must do push_stack() only after is_branch_taken() didn't succeed.
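Review bot: the new push_stack() call sits directly after the `return -EINVAL;` block, i.e. before check_cond_jmp_op() has asked is_branch_taken() whether the jump is provably always or never taken, so a verifier state would be queued even for a branch that is known dead; move the `other_branch = push_stack(env, *insn_idx + insn->off + 1, *insn_idx, false);` assignment below the branch-prediction early exits, as the reply also asks. Also, the hunk header advertises 18 added lines but only two are quoted here, so the rest of the change (including where `other_branch` is then used) cannot be reviewed from this excerpt.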
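The ordering point in the reply (push the other branch only when is_branch_taken() could not decide, and reject pointer comparisons that are not between two packet pointers) is easiest to see in a reduced model. The following C is an added example written for this discussion; it is not kernel code and not the patch under review. The function names mirror the verifier's, but their bodies, the register model, the branch-prediction rules and the unprivileged-only pointer rule are simplifying assumptions.

```c
/* Added example, not kernel code: a reduced model of how the BPF verifier's
 * check_cond_jmp_op() orders its work. is_branch_taken() returns 1 (always
 * taken), 0 (never taken) or -1 (unknown); only the unknown case should
 * reach push_stack(). Pointer comparisons are modelled as in the unprivileged
 * case: allowed only between two packet pointers. */
#include <assert.h>
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum reg_type { SCALAR_VALUE, PTR_TO_PACKET, PTR_TO_PACKET_END };
enum jmp_op { JEQ, JGT, JLT };

struct reg_state {
	enum reg_type type;
	uint64_t umin, umax;	/* known unsigned bounds; scalars only */
};

struct verifier_env {
	int states_pushed;	/* how many times push_stack() ran */
	int last_pushed_idx;	/* instruction index of the last pushed state */
};

/* Queue a state that starts at insn_idx (stand-in for the kernel's push_stack). */
static int push_stack(struct verifier_env *env, int insn_idx)
{
	env->states_pushed++;
	env->last_pushed_idx = insn_idx;
	return 0;
}

static bool is_pointer_value(const struct reg_state *r)
{
	return r->type != SCALAR_VALUE;
}

/* Assumption: pkt vs pkt or pkt vs pkt_end is the only pointer pair allowed. */
static bool try_match_pkt_pointers(const struct reg_state *dst,
				   const struct reg_state *src)
{
	return is_pointer_value(dst) && is_pointer_value(src);
}

/* 1: always taken, 0: never taken, -1: cannot tell from the known bounds. */
static int is_branch_taken(const struct reg_state *r, uint64_t imm, enum jmp_op op)
{
	if (r->type != SCALAR_VALUE)
		return -1;
	switch (op) {
	case JEQ:
		if (r->umin == r->umax && r->umin == imm) return 1;
		if (imm < r->umin || imm > r->umax) return 0;
		return -1;
	case JGT:
		if (r->umin > imm) return 1;
		if (r->umax <= imm) return 0;
		return -1;
	case JLT:
		if (r->umax < imm) return 1;
		if (r->umin >= imm) return 0;
		return -1;
	}
	return -1;
}

/* Returns 0 on success or -EACCES for a prohibited pointer comparison.
 * src_is_reg selects register-register compare; otherwise imm is used. */
static int check_cond_jmp_op(struct verifier_env *env,
			     const struct reg_state *dst, const struct reg_state *src,
			     bool src_is_reg, uint64_t imm, enum jmp_op op,
			     int insn_idx, int off)
{
	int pred = -1;

	if (src_is_reg) {
		if (!try_match_pkt_pointers(dst, src) &&
		    (is_pointer_value(dst) || is_pointer_value(src)))
			return -EACCES;	/* "R%d pointer comparison prohibited" */
		/* scalar vs scalar: this model does no range reasoning here */
	} else {
		if (is_pointer_value(dst))
			return -EACCES;	/* pointer vs immediate, unprivileged */
		pred = is_branch_taken(dst, imm, op);
	}

	if (pred == 1)	/* only the jump target is reachable: no second state */
		return 0;
	if (pred == 0)	/* only the fall-through is reachable: no second state */
		return 0;

	/* Unknown outcome: queue the jump target, keep verifying fall-through. */
	return push_stack(env, insn_idx + off + 1);
}

int main(void)
{
	struct verifier_env env = {0};
	struct reg_state r = { SCALAR_VALUE, 0, 10 };

	check_cond_jmp_op(&env, &r, NULL, false, 5, JGT, 100, 3);
	printf("states pushed: %d (next idx %d)\n", env.states_pushed,
	       env.last_pushed_idx);	/* 1, 104: bounds [0,10] vs 5 is undecided */
	return 0;
}
```

The model makes the ordering concrete: a scalar whose bounds already decide the jump produces no extra state, an undecided one pushes exactly one state at `insn_idx + off + 1`, and a packet-pointer versus packet-end compare is accepted while a pointer versus scalar compare is refused before any state is pushed.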