summaryrefslogtreecommitdiff
path: root/tools/testing/selftests/bpf/test_verifier.c
diff options
context:
space:
mode:
authorDaniel Borkmann <daniel@iogearbox.net>2017-10-21 02:34:21 +0200
committerDavid S. Miller <davem@davemloft.net>2017-10-22 00:56:09 +0100
commitfb2a311a31d3457fe8c3ee16f5609877e2ead9f7 (patch)
tree07c6622bd68796f908b44e1f0af8742682f04b49 /tools/testing/selftests/bpf/test_verifier.c
parent8695a5395661fbb4a4f26c97f801f3800ae4754e (diff)
bpf: fix off by one for range markings with L{T, E} patterns
During review I noticed that the current logic for direct packet access marking in check_cond_jmp_op() has an off by one for the upper right range border when marking in find_good_pkt_pointers() with BPF_JLT and BPF_JLE. It's not really harmful given access up to pkt_end is always safe, but we should nevertheless correct the range marking before it becomes ABI. If pkt_data' denotes a pkt_data derived pointer (pkt_data + X), then for pkt_data' < pkt_end in the true branch as well as for pkt_end <= pkt_data' in the false branch we mark the range with X although it should really be X - 1 in these cases. For example, X could be pkt_end - pkt_data, then when testing for pkt_data' < pkt_end the verifier simulation cannot deduce that a byte load of pkt_data' - 1 would succeed in this branch. Fixes: b4e432f1000a ("bpf: enable BPF_J{LT, LE, SLT, SLE} opcodes in verifier") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'tools/testing/selftests/bpf/test_verifier.c')
0 files changed, 0 insertions, 0 deletions