diff options
| author | Alexei Starovoitov <ast@kernel.org> | 2026-03-10 21:46:31 +0300 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2026-03-10 21:46:41 +0300 |
| commit | ac72464b10d5975639dedaccf0c372ef670f6abc (patch) | |
| tree | 415d069e0d969278640f7ad13bfd394836c569c8 | |
| parent | 1f318b96cc84d7c2ab792fcc0bfd42a7ca890681 (diff) | |
| parent | ea1989746b77c3f63bce43af247e1de29ed6bf4a (diff) | |
| download | linux-ac72464b10d5975639dedaccf0c372ef670f6abc.tar.xz | |
Merge branch 'bpf-reset-register-id-for-bpf_end-value-tracking'
Yazhou Tang says:
====================
bpf: Reset register ID for BPF_END value tracking
This patchset fixes a register's scalar ID issue for BPF_END operations
reported by Guillaume Laporte. Please see commit log of 1/2 for more details.
Changes v1 => v2:
1. Reset register ID inside scalar_byte_swap() conditionally. (Eduard)
v1: https://lore.kernel.org/bpf/20260303093956.395076-1-tangyazhou@zju.edu.cn/
====================
Link: https://patch.msgid.link/20260304083228.142016-1-tangyazhou@zju.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
| -rw-r--r-- | kernel/bpf/verifier.c | 7 | ||||
| -rw-r--r-- | tools/testing/selftests/bpf/progs/verifier_bswap.c | 22 |
2 files changed, 29 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 159b25f8269d..df22bfc572e2 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -15910,6 +15910,13 @@ static void scalar_byte_swap(struct bpf_reg_state *dst_reg, struct bpf_insn *ins /* Apply bswap if alu64 or switch between big-endian and little-endian machines */ bool need_bswap = alu64 || (to_le == is_big_endian); + /* + * If the register is mutated, manually reset its scalar ID to break + * any existing ties and avoid incorrect bounds propagation. + */ + if (need_bswap || insn->imm == 16 || insn->imm == 32) + dst_reg->id = 0; + if (need_bswap) { if (insn->imm == 16) dst_reg->var_off = tnum_bswap16(dst_reg->var_off); diff --git a/tools/testing/selftests/bpf/progs/verifier_bswap.c b/tools/testing/selftests/bpf/progs/verifier_bswap.c index 4b779deee767..cffaf36192bc 100644 --- a/tools/testing/selftests/bpf/progs/verifier_bswap.c +++ b/tools/testing/selftests/bpf/progs/verifier_bswap.c @@ -91,6 +91,28 @@ BSWAP_RANGE_TEST(le32_range, "le32", 0x3f00, 0x3f0000) BSWAP_RANGE_TEST(le64_range, "le64", 0x3f00, 0x3f000000000000) #endif +SEC("socket") +__description("BSWAP, reset reg id") +__failure __msg("math between fp pointer and register with unbounded min value is not allowed") +__naked void bswap_reset_reg_id(void) +{ + asm volatile (" \ + call %[bpf_ktime_get_ns]; \ + r1 = r0; \ + r0 = be16 r0; \ + if r0 != 1 goto l0_%=; \ + r2 = r10; \ + r2 += -512; \ + r2 += r1; \ + *(u8 *)(r2 + 0) = 0; \ +l0_%=: \ + r0 = 0; \ + exit; \ +" : + : __imm(bpf_ktime_get_ns) + : __clobber_all); +} + #else SEC("socket") |