Commit a8502a79 authored by Alexei Starovoitov, committed by Andrii Nakryiko

bpf: Fix regsafe() for pointers to packet



In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N
regsafe() may return true which may lead to current state with
valid packet range not being explored. Fix the bug.

Fixes: 6d94e741 ("bpf: Support for pointers beyond pkt_end.")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20260331204228.26726-1-alexei.starovoitov@gmail.com
parent dbf00d8d
+6 −1
@@ -19915,8 +19915,13 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
		 * since someone could have accessed through (ptr - k), or
		 * even done ptr -= k in a register, to get a safe access.
		 */
		if (rold->range > rcur->range)
		if (rold->range < 0 || rcur->range < 0) {
			/* special case for [BEYOND|AT]_PKT_END */
			if (rold->range != rcur->range)
				return false;
		} else if (rold->range > rcur->range) {
			return false;
		}
		/* If the offsets don't match, we can't trust our alignment;
		 * nor can we be sure that we won't fall out of range.
		 */
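
Review bot: the new `if (rold->range < 0 || rcur->range < 0)` test recognises the [BEYOND|AT]_PKT_END markers only by their sign, so it silently depends on every marker value staying negative and every real packet range staying non-negative. Either state that invariant in the comment or compare against the named constants, so that a later change to the type of `range` or a newly added marker cannot fall through to the `rold->range > rcur->range` comparison again, which is the pruning mistake this fix addresses. Note also that the commit message refers to `rold->reg->range` and `rcur->reg->range` while the code uses `rold->range` and `rcur->range`; aligning the two would help anyone searching for this fix later. The change as shown is +6 −1 in this single hunk with no test alongside it; a verifier selftest covering an old state with BEYOND_PKT_END against a current state with range N would guard against regression.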