Commit 82995598 authored by David Vernet's avatar David Vernet Committed by Daniel Borkmann
Browse files

bpf: Fix verifier log for async callback return values 



The verifier, as part of check_return_code(), verifies that async
callbacks such as from e.g. timers, will return 0. It does this by
correctly checking that R0->var_off is in tnum_const(0), which
effectively checks that it's in a range of 0. If this condition fails,
however, it prints an error message which says that the value should
have been in (0x0; 0x1). This results in possibly confusing output such
as the following in which an async callback returns 1:

  At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x1)

The fix is easy -- we should just pass the tnum_const(0) as the correct
range to verbose_invalid_scalar(), which will then print the following:

  At async callback the register R0 has value (0x1; 0x0) should have been in (0x0; 0x0)

Fixes: bfc6bb74 ("bpf: Implement verifier support for validation of async callbacks.")
Signed-off-by: default avatarDavid Vernet <void@manifault.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20231009161414.235829-1-void@manifault.com
parent a12bbb3c

kernel/bpf/verifier.c

+3 −3
Original line number Diff line number Diff line
@@ -14479,7 +14479,7 @@ static int check_return_code(struct bpf_verifier_env *env) 
	struct tnum enforce_attach_type_range = tnum_unknown;

	const struct bpf_prog *prog = env->prog;

	struct bpf_reg_state *reg;

	struct tnum range = tnum_range(0, 1);

	struct tnum range = tnum_range(0, 1), const_0 = tnum_const(0);

	enum bpf_prog_type prog_type = resolve_prog_type(env->prog);

	int err;

	struct bpf_func_state *frame = env->cur_state->frame[0];
@@ -14527,8 +14527,8 @@ static int check_return_code(struct bpf_verifier_env *env) 
			return -EINVAL;

		}









		if (!tnum_in(tnum_const(0), reg->var_off)) {









			verbose_invalid_scalar(env, reg, &range, "async callback", "R0");









		if (!tnum_in(const_0, reg->var_off)) {









			verbose_invalid_scalar(env, reg, &const_0, "async callback", "R0");









			return -EINVAL;









		}









		return 0;