bpf: improve verifier packet range checks
authorAlexei Starovoitov <ast@fb.com>
Fri, 24 Mar 2017 22:57:33 +0000 (15:57 -0700)
committerDavid S. Miller <davem@davemloft.net>
Sat, 25 Mar 2017 03:51:28 +0000 (20:51 -0700)
commitb1977682a3858b5584ffea7cfb7bd863f68db18d
treef255d32b2a4e2b72811b36bbd04b27ef9fd2a947
parent43a6684519ab0a6c52024b5e25322476cabad893
bpf: improve verifier packet range checks

llvm can optimize the 'if (ptr > data_end)' checks to be in the order
slightly different than the original C code which will confuse verifier.
Like:
if (ptr + 16 > data_end)
  return TC_ACT_SHOT;
// may be followed by
if (ptr + 14 > data_end)
  return TC_ACT_SHOT;
while llvm can see that 'ptr' is valid for all 16 bytes,
the verifier could not.
Fix verifier logic to account for such case and add a test.

Reported-by: Huapeng Zhou <hzhou@fb.com>
Fixes: 969bf05eb3ce ("bpf: direct packet access")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
kernel/bpf/verifier.c
tools/testing/selftests/bpf/test_verifier.c