From: Maxim Mikityanskiy <maxim@xxxxxxxxxxxxx>

See the details in the commit message (TL/DR: under CAP_BPF, the verifier can be fooled into thinking that a scalar is zero while in fact it's your predefined number.)

v1 and v2 were sent off-list.

v2 changes: Added more tests, migrated them to inline asm, started using bpf_get_prandom_u32, switched to a more bulletproof dead branch check and modified the failing spill test scenarios so that an unauthorized access attempt is performed in both branches.

v3 changes: Dropped an improvement not necessary for the fix, changed the Fixes tag.

Maxim Mikityanskiy (2):
  bpf: Fix verifier tracking scalars on spill
  selftests/bpf: Add test cases to assert proper ID tracking on spill

 kernel/bpf/verifier.c                         |   7 +
 .../selftests/bpf/progs/verifier_spill_fill.c | 198 ++++++++++++++++++
 2 files changed, 205 insertions(+)

-- 
2.40.1