Commit e9147b44 authored by Kumar Kartikeya Dwivedi's avatar Kumar Kartikeya Dwivedi Committed by Daniel Borkmann
Browse files

bpf: Move check_ptr_off_reg before check_map_access 



Some functions in next patch want to use this function, and those
functions will be called by check_map_access, hence move it before
check_map_access.

Signed-off-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarJoanne Koong <joannelkoong@gmail.com>
Link: https://lore.kernel.org/bpf/20220415160354.1050687-3-memxor@gmail.com
parent 42ba1308

kernel/bpf/verifier.c

+38 −38
Original line number Diff line number Diff line
@@ -3469,6 +3469,44 @@ static int check_mem_region_access(struct bpf_verifier_env *env, u32 regno, 
	return 0;

}



static int __check_ptr_off_reg(struct bpf_verifier_env *env,

			       const struct bpf_reg_state *reg, int regno,

			       bool fixed_off_ok)

{

	/* Access to this pointer-typed register or passing it to a helper

	 * is only allowed in its original, unmodified form.

	 */



	if (reg->off < 0) {

		verbose(env, "negative offset %s ptr R%d off=%d disallowed\n",

			reg_type_str(env, reg->type), regno, reg->off);

		return -EACCES;

	}



	if (!fixed_off_ok && reg->off) {

		verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n",

			reg_type_str(env, reg->type), regno, reg->off);

		return -EACCES;

	}



	if (!tnum_is_const(reg->var_off) || reg->var_off.value) {

		char tn_buf[48];



		tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

		verbose(env, "variable %s access var_off=%s disallowed\n",

			reg_type_str(env, reg->type), tn_buf);

		return -EACCES;

	}



	return 0;

}



int check_ptr_off_reg(struct bpf_verifier_env *env,

		      const struct bpf_reg_state *reg, int regno)

{

	return __check_ptr_off_reg(env, reg, regno, false);

}



/* check read/write into a map element with possible variable offset */

static int check_map_access(struct bpf_verifier_env *env, u32 regno,

			    int off, int size, bool zero_size_allowed)
@@ -3980,44 +4018,6 @@ static int get_callee_stack_depth(struct bpf_verifier_env *env, 
}

#endif



static int __check_ptr_off_reg(struct bpf_verifier_env *env,

			       const struct bpf_reg_state *reg, int regno,

			       bool fixed_off_ok)

{

	/* Access to this pointer-typed register or passing it to a helper

	 * is only allowed in its original, unmodified form.

	 */



	if (reg->off < 0) {

		verbose(env, "negative offset %s ptr R%d off=%d disallowed\n",

			reg_type_str(env, reg->type), regno, reg->off);

		return -EACCES;

	}



	if (!fixed_off_ok && reg->off) {

		verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n",

			reg_type_str(env, reg->type), regno, reg->off);

		return -EACCES;

	}



	if (!tnum_is_const(reg->var_off) || reg->var_off.value) {

		char tn_buf[48];



		tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);

		verbose(env, "variable %s access var_off=%s disallowed\n",

			reg_type_str(env, reg->type), tn_buf);

		return -EACCES;

	}



	return 0;

}



int check_ptr_off_reg(struct bpf_verifier_env *env,

		      const struct bpf_reg_state *reg, int regno)

{

	return __check_ptr_off_reg(env, reg, regno, false);

}



static int __check_buffer_access(struct bpf_verifier_env *env,

				 const char *buf_info,

				 const struct bpf_reg_state *reg,