I can reproduce this on 4.19.0-3-amd64 both with and without the JIT enabled.
Dumping the "root" and "non-root" programs with bpftool,
the subtraction instructions differ:
"non-root":
0: (85) call bpf_ktime_get_ns#74944
1: (bf) r7 = r0
2: (85) call bpf_ktime_get_ns#74944
3: (bf) r6 =
ue is not
allowed"
check_alu_op() now uses check_reg_arg(DST_OP_NO_MARK), and MOVs
that need to mark the dst register (MOVIMM, MOV32) do so.
Added a test case for MOV64 dst == src, and dst != src.
Signed-off-by: Arthur Fabre
---
v2: Add mov64 tests, always use DST_OP_NO_MARK
On Mon, Jul 30, 2018 at 10:10 AM, Daniel Borkmann wrote:
> On 07/30/2018 09:44 AM, Arthur Fabre wrote:
>> On Sun, Jul 29, 2018 at 4:59 PM, Alexei Starovoitov
>> wrote:
>>> On Thu, Jul 26, 2018 at 1:08 AM, Arthur Fabre wrote:
>>>> When check_alu_op() han
On Sun, Jul 29, 2018 at 4:59 PM, Alexei Starovoitov
wrote:
> On Thu, Jul 26, 2018 at 1:08 AM, Arthur Fabre wrote:
>> When check_alu_op() handles a BPF_MOV between two registers,
>> it calls check_reg_arg() on the dst register, marking it as unbounded.
>> If the src and dst
On Fri, Jul 27, 2018 at 12:21 AM, Y Song wrote:
> The SMIN/UMIN still should be 0 since there is no negative here due to
> smaller width?
Yes that makes sense.
> We can do better than unbounded for dst register of mov32, which is
> the code already
> doing?
coerce_reg_to_size() will preserve th
nn
wrote:
> On 07/26/2018 12:08 AM, Arthur Fabre wrote:
> > When check_alu_op() handles a BPF_MOV between two registers,
> > it calls check_reg_arg() on the dst register, marking it as unbounded.
> > If the src and dst register are the same, this marks the src as
> > unbound
.
check_alu_op() now only marks the dst register as unbounded if it is
different from the src register.
Signed-off-by: Arthur Fabre
---
kernel/bpf/verifier.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 63aaac52a265..ddfe3c544a80
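To make the ordering problem concrete, here is an added, deliberately simplified model of the verifier's register-state handling for a register-to-register MOV64 (example code written for this thread, not the kernel's verifier.c; struct reg_state, known_bounds and the helper names are constructed stand-ins for the real struct bpf_reg_state, mark_reg_unknown() and check_reg_arg()). It contrasts the pre-fix order, where dst is marked unknown before the src state is copied, with the DST_OP_NO_MARK order from the patch.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed stand-in for the verifier's per-register scalar state. */
struct reg_state {
    bool known_bounds;      /* false == "unbounded" after mark_reg_unknown() */
    int64_t smin, smax;
    uint64_t umin, umax;
};

/* Model of mark_reg_unknown(): widen every bound to the full range. */
static void mark_reg_unknown(struct reg_state *r)
{
    r->known_bounds = false;
    r->smin = INT64_MIN; r->smax = INT64_MAX;
    r->umin = 0;         r->umax = UINT64_MAX;
}

/* Pre-fix ordering: check_reg_arg(dst, DST_OP) marks dst unknown first,
 * then the src state is copied over it. With dst == src the bounds are
 * already gone by the time the copy happens. */
void mov64_reg_before_fix(struct reg_state *regs, int dst, int src)
{
    mark_reg_unknown(&regs[dst]);
    regs[dst] = regs[src];
}

/* Post-fix ordering (DST_OP_NO_MARK): dst is only validated as a writable
 * register, not marked, so copying src keeps the bounds even when dst == src. */
void mov64_reg_after_fix(struct reg_state *regs, int dst, int src)
{
    regs[dst] = regs[src];
}

/* Run one MOV64 under the given model and report whether the bounds survive.
 * Constructed input: src holds a value known to lie in [0, 16]. */
bool bounds_survive(void (*mov)(struct reg_state *, int, int), int dst, int src)
{
    struct reg_state regs[11];
    for (int i = 0; i < 11; i++)
        mark_reg_unknown(&regs[i]);
    regs[src].known_bounds = true;
    regs[src].smin = 0;  regs[src].smax = 16;
    regs[src].umin = 0;  regs[src].umax = 16;
    mov(regs, dst, src);
    return regs[dst].known_bounds && regs[dst].umax == 16 && regs[dst].smax == 16;
}
```

The dst != src case passes under both orderings, which is why the bug only showed up for the self-move that the added MOV64 dst == src test covers.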