Commit ac72464b authored by Alexei Starovoitov's avatar Alexei Starovoitov

Merge branch 'bpf-reset-register-id-for-bpf_end-value-tracking'

Yazhou Tang says:

====================
bpf: Reset register ID for BPF_END value tracking

This patchset fixes a register's scalar ID issue for BPF_END operations
reported by Guillaume Laporte. Please see commit log of 1/2 for more details.

Changes v1 => v2:

1. Reset register ID inside scalar_byte_swap() conditionally. (Eduard)

v1: https://lore.kernel.org/bpf/20260303093956.395076-1-tangyazhou@zju.edu.cn/
====================

Link: https://patch.msgid.link/20260304083228.142016-1-tangyazhou@zju.edu.cn


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parents 1f318b96 ea198974
+7 −0
@@ -15910,6 +15910,13 @@ static void scalar_byte_swap(struct bpf_reg_state *dst_reg, struct bpf_insn *ins
	/* Apply bswap if alu64 or switch between big-endian and little-endian machines */
	bool need_bswap = alu64 || (to_le == is_big_endian);
	/*
	 * If the register is mutated, manually reset its scalar ID to break
	 * any existing ties and avoid incorrect bounds propagation.
	 */
	if (need_bswap || insn->imm == 16 || insn->imm == 32)
		dst_reg->id = 0;
	if (need_bswap) {
		if (insn->imm == 16)
			dst_reg->var_off = tnum_bswap16(dst_reg->var_off);
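Review bot: The new comment says the ID is reset "if the register is mutated" but does not explain why `insn->imm == 16 || insn->imm == 32` counts as a mutation when `need_bswap` is false, so the condition reads as arbitrary. Presumably those widths still truncate the value on a same-endian conversion and only a 64-bit conversion with no swap is a true no-op; saying so would keep a later edit from narrowing the test to `need_bswap` and bringing back stale bounds propagation through a shared scalar ID. I would extend the comment with a line such as `* 16/32-bit conversions truncate even without a swap; only a 64-bit no-op leaves the value, and its ID, intact.` The body of scalar_byte_swap() starts and ends outside this hunk, so the truncation path is not visible here and should be confirmed against it.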
+22 −0
@@ -91,6 +91,28 @@ BSWAP_RANGE_TEST(le32_range, "le32", 0x3f00, 0x3f0000)
BSWAP_RANGE_TEST(le64_range, "le64", 0x3f00, 0x3f000000000000)
#endif

SEC("socket")
__description("BSWAP, reset reg id")
__failure __msg("math between fp pointer and register with unbounded min value is not allowed")
__naked void bswap_reset_reg_id(void)
{
	asm volatile ("					\
	call %[bpf_ktime_get_ns];			\
	r1 = r0;					\
	r0 = be16 r0;					\
	if r0 != 1 goto l0_%=;				\
	r2 = r10;					\
	r2 += -512;					\
	r2 += r1;					\
	*(u8 *)(r2 + 0) = 0;				\
l0_%=:							\
	r0 = 0;						\
	exit;						\
"	:
	: __imm(bpf_ktime_get_ns)
	: __clobber_all);
}

#else

SEC("socket")
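Review bot: The selftest pins only the `be16` case, so the other arms of the new verifier condition (32-bit conversions, 64-bit swaps, and the no-op case where the ID is meant to survive) have no test in this hunk. A regression that drops `insn->imm == 32` from the condition, or one that resets the ID unconditionally, would still pass bswap_reset_reg_id. Consider adding `be32` and 64-bit siblings with the same `__failure` expectation, plus a positive test for the unchanged-value case if the range tests above do not already cover it. A one-line comment above the asm would also help the next reader, e.g. `/* r1 copies r0 before the swap; a check on the swapped r0 must not bound r1 */`. The surrounding `#if`/`#else` starts outside the hunk, so which builds actually run this test cannot be seen here.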