linux/kernel/bpf
Alexei Starovoitov d91b28ed42 bpf: support decreasing order in direct packet access
when packet headers are accessed in 'decreasing' order (like TCP port
may be fetched before the program reads IP src) the llvm may generate
the following code:
[...]                // R7=pkt(id=0,off=22,r=70)
r2 = *(u32 *)(r7 +0) // good access
[...]
r7 += 40             // R7=pkt(id=0,off=62,r=70)
r8 = *(u32 *)(r7 +0) // good access
[...]
r1 = *(u32 *)(r7 -20) // this one will fail though it's within a safe range
                      // it's doing *(u32*)(skb->data + 42)
Fix verifier to recognize such code pattern

Alos turned out that 'off > range' condition is not a verifier bug.
It's a buggy program that may do something like:
if (ptr + 50 > data_end)
  return 0;
ptr += 60;
*(u32*)ptr;
in such case emit
"invalid access to packet, off=0 size=4, R1(id=0,off=60,r=50)" error message,
so all information is available for the program author to fix the program.

Fixes: 969bf05eb3 ("bpf: direct packet access")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-20 19:53:03 -04:00
..
arraymap.c bpf: check for reserved flag bits in array and stack maps 2016-03-08 15:28:31 -05:00
core.c bpf: rather use get_random_int for randomizations 2016-05-20 11:18:21 -07:00
hashtab.c bpf: pre-allocate hash map elements 2016-03-08 15:28:31 -05:00
helpers.c bpf: convert relevant helper args to ARG_PTR_TO_RAW_STACK 2016-04-14 21:40:41 -04:00
inode.c bpf: Use mount_nodev not mount_ns to mount the bpf filesystem 2016-05-20 19:45:40 -04:00
Makefile bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
percpu_freelist.c bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
percpu_freelist.h bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
stackmap.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-05-17 16:26:30 -07:00
syscall.c bpf: prepare bpf_int_jit_compile/bpf_prog_select_runtime apis 2016-05-16 13:49:32 -04:00
verifier.c bpf: support decreasing order in direct packet access 2016-05-20 19:53:03 -04:00