From: Frank van der Linden <fllinden@amazon.com>
To: <stable@vger.kernel.org>
Cc: <bpf@vger.kernel.org>, <ast@kernel.org>, <daniel@iogearbox.net>,
<yhs@fb.com>, <john.fastabend@gmail.com>, <samjonas@amazon.com>
Subject: [PATCH 4.14 09/15] bpf: Move sanitize_val_alu out of op switch
Date: Sat, 1 May 2021 04:30:08 +0000 [thread overview]
Message-ID: <20210501043014.33300-10-fllinden@amazon.com> (raw)
In-Reply-To: <20210501043014.33300-1-fllinden@amazon.com>
From: Daniel Borkmann <daniel@iogearbox.net>
Upstream commit f528819334881fd622fdadeddb3f7edaed8b7c9b
Add a small sanitize_needed() helper function and move sanitize_val_alu()
out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu()
as well out of its opcode switch so this helps to streamline both.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
[fllinden@amazon.com: backported to 4.14]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
---
kernel/bpf/verifier.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 55ac2ab5eabc..db6b08058c19 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2110,6 +2110,11 @@ static int sanitize_val_alu(struct bpf_verifier_env *env,
return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);
}
+static bool sanitize_needed(u8 opcode)
+{
+ return opcode == BPF_ADD || opcode == BPF_SUB;
+}
+
static int sanitize_ptr_alu(struct bpf_verifier_env *env,
struct bpf_insn *insn,
const struct bpf_reg_state *ptr_reg,
@@ -2510,11 +2515,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
return 0;
}
- switch (opcode) {
- case BPF_ADD:
+ if (sanitize_needed(opcode)) {
ret = sanitize_val_alu(env, insn);
if (ret < 0)
return sanitize_err(env, insn, ret, NULL, NULL);
+ }
+
+ switch (opcode) {
+ case BPF_ADD:
if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
signed_add_overflows(dst_reg->smax_value, smax_val)) {
dst_reg->smin_value = S64_MIN;
@@ -2534,9 +2542,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);
break;
case BPF_SUB:
- ret = sanitize_val_alu(env, insn);
- if (ret < 0)
- return sanitize_err(env, insn, ret, NULL, NULL);
if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
signed_sub_overflows(dst_reg->smax_value, smin_val)) {
/* Overflow possible, we know nothing */
--
2.23.3
next prev parent reply other threads:[~2021-05-01 4:31 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-01 4:29 [PATCH 4.14 00/15] fix backports, add CVE-2021-29155 fixes Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 01/15] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 02/15] bpf: fix up selftests after backports were fixed Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 03/15] bpf, selftests: Fix up some test_verifier cases for unprivileged Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 04/15] bpf: Move off_reg into sanitize_ptr_alu Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 05/15] bpf: Ensure off_reg has no mixed signed bounds for all types Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 06/15] bpf: Rework ptr_limit into alu_limit and add common error path Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 07/15] bpf: Improve verifier error messages for users Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 08/15] bpf: Refactor and streamline bounds check into helper Frank van der Linden
2021-05-01 4:30 ` Frank van der Linden [this message]
2021-05-01 4:30 ` [PATCH 4.14 10/15] bpf: Tighten speculative pointer arithmetic mask Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 11/15] bpf: Update selftests to reflect new error states Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 12/15] bpf: do not allow root to mangle valid pointers Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 13/15] bpf/verifier: disallow pointer subtraction Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 14/15] selftests/bpf: fix test_align Frank van der Linden
2021-05-01 4:30 ` [PATCH 4.14 15/15] selftests/bpf: make 'dubious pointer arithmetic' test useful Frank van der Linden
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210501043014.33300-10-fllinden@amazon.com \
--to=fllinden@amazon.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=john.fastabend@gmail.com \
--cc=samjonas@amazon.com \
--cc=stable@vger.kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).