In case of a null check on a pointer inside a subprog, we should mark all
registers with this pointer as either safe or unknown, in both the current
and previous frames.  Currently, only spilled registers and registers in
the current frame are marked.  This first patch also marks registers in
previous frames.

A good reproducer looks as follows:

1: ptr = bpf_map_lookup_elem(map, &key);
2: ret = subprog(ptr) {
3:   return ptr != NULL;
4: }
5: if (ret)
6:   value = *ptr;

With the above, the verifier will complain on line 6 because it sees ptr
as map_value_or_null despite the null check in subprog 1.  The second
patch implements the above as a new test case.

Note that this patch fixes another resulting bug when using
bpf_sk_release():

1: sk = bpf_sk_lookup_tcp();
2: subprog(sk) {
3:   if (sk)
4:     bpf_sk_release(sk, 0);
5: }
6: if (!sk)
7:   return 0;
8: return sk;

In the above, mark_ptr_or_null_regs will warn on line 6 because it will
try to free the reference state, even though it was already freed on
line 3.

Paul Chaignon (2):
  bpf: mark registers as safe or unknown in all frames
  selftests/bpf: test case for pointer null check in subprog

 kernel/bpf/verifier.c                        |  6 ++---
 tools/testing/selftests/bpf/verifier/calls.c | 25 ++++++++++++++++++++
 2 files changed, 28 insertions(+), 3 deletions(-)

-- 
2.17.1
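The point of the first patch is easiest to see in a reduced model of the verifier's register state. The following is an added illustration, not code from kernel/bpf/verifier.c or from this series: it keeps only a register type and an id per register, one array of registers per frame, and two marking routines, one that refines only the frame executing the null check (the behaviour the cover letter calls current) and one that walks every frame up to the current one (the behaviour after the patch). The register numbers (r6 in the caller, r1 in the subprog) and the reduced type names are assumptions for the model. Because the subprog returns a known constant on each branch of `ptr != NULL`, the caller's `if (ret)` fallthrough is explored only on the non-null path, so the caller's own copy of the pointer must already be marked safe by the time the subprog returns; the model shows that this only happens when previous frames are walked.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Reduced model of BPF verifier register state (added illustration,
 * not kernel code). Type names mirror the verifier's, nothing else does. */
enum reg_type {
	NOT_INIT,
	SCALAR_VALUE,
	PTR_TO_MAP_VALUE_OR_NULL,
	PTR_TO_MAP_VALUE,
};

#define MAX_BPF_REG 11   /* r0..r10 */
#define MAX_FRAMES 8

struct reg_state {
	enum reg_type type;
	unsigned int id;   /* copies of one lookup result share a non-zero id */
};

struct func_state {
	struct reg_state regs[MAX_BPF_REG];
};

struct verifier_state {
	struct func_state frames[MAX_FRAMES];
	int curframe;
};

/* A register carrying the checked id becomes a safe pointer on the
 * non-null branch and a plain scalar on the null branch. */
static void mark_reg(struct reg_state *reg, unsigned int id, bool is_null)
{
	if (reg->type != PTR_TO_MAP_VALUE_OR_NULL || reg->id != id)
		return;
	reg->type = is_null ? SCALAR_VALUE : PTR_TO_MAP_VALUE;
	reg->id = 0;
}

/* Behaviour the cover letter describes as current: only the frame that
 * executes the null check is updated. */
static void mark_current_frame_only(struct verifier_state *st, int regno, bool is_null)
{
	struct func_state *cur = &st->frames[st->curframe];
	unsigned int id = cur->regs[regno].id;

	for (int i = 0; i < MAX_BPF_REG; i++)
		mark_reg(&cur->regs[i], id, is_null);
}

/* Behaviour after the first patch: every frame up to the current one is
 * walked, so the caller's copy of the pointer is refined as well. */
static void mark_all_frames(struct verifier_state *st, int regno, bool is_null)
{
	unsigned int id = st->frames[st->curframe].regs[regno].id;

	for (int f = 0; f <= st->curframe; f++)
		for (int i = 0; i < MAX_BPF_REG; i++)
			mark_reg(&st->frames[f].regs[i], id, is_null);
}

/* Constructed state for the reproducer: frame 0 keeps the lookup result
 * in r6 and passes it to the subprog, which sees it in r1 of frame 1.
 * The register numbers are an assumption of the model. */
static void setup_reproducer(struct verifier_state *st)
{
	memset(st, 0, sizeof(*st));
	st->frames[0].regs[6] = (struct reg_state){ PTR_TO_MAP_VALUE_OR_NULL, 1 };
	st->frames[1].regs[1] = (struct reg_state){ PTR_TO_MAP_VALUE_OR_NULL, 1 };
	st->curframe = 1;
}

/* Type of the caller's r6 once the subprog has taken one branch of
 * "ptr != NULL", under either marking strategy. */
enum reg_type caller_type_after_subprog_check(bool all_frames, bool is_null)
{
	struct verifier_state st;

	setup_reproducer(&st);
	if (all_frames)
		mark_all_frames(&st, 1, is_null);
	else
		mark_current_frame_only(&st, 1, is_null);
	return st.frames[0].regs[6].type;
}

int main(void)
{
	/* 2 = still map_value_or_null, 3 = safe pointer, 1 = scalar */
	printf("current frame only, non-null branch: caller r6 type=%d\n",
	       caller_type_after_subprog_check(false, false));
	printf("all frames, non-null branch: caller r6 type=%d\n",
	       caller_type_after_subprog_check(true, false));
	printf("all frames, null branch: caller r6 type=%d\n",
	       caller_type_after_subprog_check(true, true));
	return 0;
}
```

With the current-frame-only strategy the caller's r6 stays map_value_or_null after the subprog's check, which is exactly the state the verifier complains about on line 6 of the first reproducer; walking all frames leaves it as a safe pointer on the non-null branch and a scalar on the null branch. The model ignores spilled registers and reference state, so it does not cover the bpf_sk_release() case.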