Commit c3b9faac authored by Eduard Zingerman's avatar Eduard Zingerman Committed by Andrii Nakryiko
Browse files

bpf: avoid jump misprediction for PTR_TO_MEM | PTR_UNTRUSTED 



Commit f2362a57 ("bpf: allow void* cast using bpf_rdonly_cast()")
added a notion of PTR_TO_MEM | MEM_RDONLY | PTR_UNTRUSTED type.
This simultaneously introduced a bug in jump prediction logic for
situations like below:

  p = bpf_rdonly_cast(..., 0);
  if (p) a(); else b();

Here verifier would wrongly predict that else branch cannot be taken.
This happens because:
- Function reg_not_null() assumes that PTR_TO_MEM w/o PTR_MAYBE_NULL
  flag cannot be zero.
- The call to bpf_rdonly_cast() returns a rdonly_untrusted_mem value
  w/o PTR_MAYBE_NULL flag.

Tracking of PTR_MAYBE_NULL flag for untrusted PTR_TO_MEM does not make
sense, as the main purpose of the flag is to catch null pointer access
errors. Such errors are not possible on load of PTR_UNTRUSTED values
and verifier makes sure that PTR_UNTRUSTED can't be passed to helpers
or kfuncs.

Hence, modify reg_not_null() to assume that nullness of untrusted
PTR_TO_MEM is not known.

Fixes: f2362a57 ("bpf: allow void* cast using bpf_rdonly_cast()")
Suggested-by: default avatarAlexei Starovoitov <alexei.starovoitov@gmail.com>
Signed-off-by: default avatarEduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250702073620.897517-1-eddyz87@gmail.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarAndrii Nakryiko <andrii@kernel.org>
parent 07ee18a0

kernel/bpf/verifier.c

+1 −1
Original line number Diff line number Diff line
@@ -410,7 +410,7 @@ static bool reg_not_null(const struct bpf_reg_state *reg) 
		type == PTR_TO_MAP_KEY ||

		type == PTR_TO_SOCK_COMMON ||

		(type == PTR_TO_BTF_ID && is_trusted_reg(reg)) ||

		type == PTR_TO_MEM ||

		(type == PTR_TO_MEM && !(reg->type & PTR_UNTRUSTED)) ||

		type == CONST_PTR_TO_MAP;

}