Skip to content

K
Kernel

openeuler / Kernel
大约 2 年 前同步成功

通知 8
Star 0
Fork 0
K
Kernel
提交 2cdbc339 编写于 作者: D Daniel Borkmann 提交者: Yang Yingliang
浏览文件
操作

bpf: Move sanitize_val_alu out of op switch 

mainline inclusion
from mainline-v5.12-rc8
commit f5288193
category: bugfix
bugzilla: NA
CVE: CVE-2021-29155

--------------------------------

Add a small sanitize_needed() helper function and move sanitize_val_alu()
out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu()
as well out of its opcode switch so this helps to streamline both.
Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
Reviewed-by: NJohn Fastabend <john.fastabend@gmail.com>
Acked-by: NAlexei Starovoitov <ast@kernel.org>
Conflicts:
  kernel/bpf/verifier.c
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
Reviewed-by: NKuohai Xu <xukuohai@huawei.com>
Reviewed-by: NXiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: NYang Yingliang <yangyingliang@huawei.com>
上级 aae9f312
显示空白变更内容
内联 并排
Showing with 10 addition and 5 deletion
kernel/bpf/verifier.c
浏览文件 @ 2cdbc339
...@@ -2815,6 +2815,11 @@ static int sanitize_val_alu(struct bpf_verifier_env *env, ...@@ -2815,6 +2815,11 @@ static int sanitize_val_alu(struct bpf_verifier_env *env,
return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0);
} }
static bool sanitize_needed(u8 opcode)
{
return opcode == BPF_ADD || opcode == BPF_SUB;
}
static int sanitize_ptr_alu(struct bpf_verifier_env *env, static int sanitize_ptr_alu(struct bpf_verifier_env *env,
struct bpf_insn *insn, struct bpf_insn *insn,
const struct bpf_reg_state *ptr_reg, const struct bpf_reg_state *ptr_reg,
...@@ -3238,11 +3243,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, ...@@ -3238,11 +3243,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
return 0; return 0;
} }
switch (opcode) { if (sanitize_needed(opcode)) {
case BPF_ADD:
ret = sanitize_val_alu(env, insn); ret = sanitize_val_alu(env, insn);
if (ret < 0) if (ret < 0)
return sanitize_err(env, insn, ret, NULL, NULL); return sanitize_err(env, insn, ret, NULL, NULL);
}
switch (opcode) {
case BPF_ADD:
if (signed_add_overflows(dst_reg->smin_value, smin_val) || if (signed_add_overflows(dst_reg->smin_value, smin_val) ||
signed_add_overflows(dst_reg->smax_value, smax_val)) { signed_add_overflows(dst_reg->smax_value, smax_val)) {
dst_reg->smin_value = S64_MIN; dst_reg->smin_value = S64_MIN;
...@@ -3262,9 +3270,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, ...@@ -3262,9 +3270,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off);
break; break;
case BPF_SUB: case BPF_SUB:
ret = sanitize_val_alu(env, insn);
if (ret < 0)
return sanitize_err(env, insn, ret, NULL, NULL);
if (signed_sub_overflows(dst_reg->smin_value, smax_val) || if (signed_sub_overflows(dst_reg->smin_value, smax_val) ||
signed_sub_overflows(dst_reg->smax_value, smin_val)) { signed_sub_overflows(dst_reg->smax_value, smin_val)) {
/* Overflow possible, we know nothing */ /* Overflow possible, we know nothing */
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册