Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bpf, verifier: reject xadd on flow key memory

We should not enable the xadd operation for flow key memory if it is not
needed there anyway. There is no such issue as described in the
commit f37a8cb84cce ("bpf: reject stores into ctx via st and xadd")
since there's no context rewriter for flow keys today, but it
also shouldn't become part of the user-facing behavior to allow
for it. After patch:

0: (79) r7 = *(u64 *)(r1 +144)
1: (b7) r3 = 4096
2: (db) lock *(u64 *)(r7 +0) += r3
BPF_XADD stores into R7 flow_keys is not allowed

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by Daniel Borkmann and committed by Alexei Starovoitov
4b5defde 2a159c6f

+10 -1
kernel/bpf/verifier.c
··· 1553 1553 return type_is_pkt_pointer(reg->type); 1554 1554 } 1555 1555 1556 + static bool is_flow_key_reg(struct bpf_verifier_env *env, int regno) 1557 + { 1558 + const struct bpf_reg_state *reg = reg_state(env, regno); 1559 + 1560 + /* Separate to is_ctx_reg() since we still want to allow BPF_ST here. */ 1561 + return reg->type == PTR_TO_FLOW_KEYS; 1562 + } 1563 + 1556 1564 static int check_pkt_ptr_alignment(struct bpf_verifier_env *env, 1557 1565 const struct bpf_reg_state *reg, 1558 1566 int off, int size, bool strict) ··· 1969 1961 } 1970 1962 1971 1963 if (is_ctx_reg(env, insn->dst_reg) || 1972 - is_pkt_reg(env, insn->dst_reg)) { 1964 + is_pkt_reg(env, insn->dst_reg) || 1965 + is_flow_key_reg(env, insn->dst_reg)) { 1973 1966 verbose(env, "BPF_XADD stores into R%d %s is not allowed\n", 1974 1967 insn->dst_reg, 1975 1968 reg_type_str[reg_state(env, insn->dst_reg)->type]);
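Review bot: in the first hunk (new is_flow_key_reg() helper), the comment "Separate to is_ctx_reg() since we still want to allow BPF_ST here." states the reason for the split but not its consequence; it would be clearer to spell out that this helper is consulted only on the BPF_XADD path, so BPF_ST and plain BPF_STX stores to PTR_TO_FLOW_KEYS remain permitted, which is the behaviour the commit message describes ("no context rewriter for flow keys today"). The helper also only reads reg->type, so the env/regno signature is chosen for symmetry with is_ctx_reg() and is_pkt_reg() rather than out of necessity; worth a word in the comment so a later reader does not look for hidden state.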
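Review bot: in the second hunk (the extended `if (is_ctx_reg(...) || is_pkt_reg(...) || is_flow_key_reg(...))` check), the rejection is wired into the same branch as the ctx and pkt cases, so the existing verbose() message will print "flow_keys" via reg_type_str exactly as shown in the commit message; no separate message is needed. What is missing is a verifier selftest that exercises this path and asserts on the "BPF_XADD stores into R7 flow_keys is not allowed" log line, so the new restriction does not silently regress if the check ordering in this function changes.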