author: Josef Bacik <jbacik@fb.com> 2016-11-29 12:27:09 -0500
committer: David S. Miller <davem@davemloft.net> 2016-11-30 14:50:52 -0500
commit: e2d2afe15ed452f91797a80dbc0a17838ba03ed4
tree: 44cb85851f4f9aebe00a6405197e4766bed2cf83 /kernel/bounds.c
parent: 0fcba2894c6b370ebf4b49099d20ff6333a430f7
bpf: fix states equal logic for varlen access

If we have a branch that looks something like this

    int foo = map->value;
    if (condition) {
      foo += blah;
    } else {
      foo = bar;
    }
    map->array[foo] = baz;

We will incorrectly assume that the !condition branch is equal to the condition
branch as the register for foo will be UNKNOWN_VALUE in both cases. We need to
adjust this logic to only do this if we didn't do a varlen access after we
processed the !condition branch, otherwise we have different ranges and need to
check the other branch as well.

Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'kernel/bounds.c')
0 files changed, 0 insertions, 0 deletions
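
The pruning problem the commit message describes, as a simplified model added here for illustration; it is not the kernel's verifier code or part of this commit. The struct, the function names and the ranges (0..7, 0..4096, an 8-element array) are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code: every name below is hypothetical. */
enum reg_type { NOT_INIT, UNKNOWN_VALUE };
struct reg { enum reg_type type; int64_t min, max; /* range of foo */ };

/* Behaviour the message calls incorrect: two UNKNOWN_VALUE registers
 * count as the same state, their ranges are never compared. */
static bool equal_type_only(const struct reg *old, const struct reg *cur)
{
    return old->type == cur->type;
}

/* Behaviour the message asks for: the type-only shortcut applies only if
 * no variable-length access was checked after the first branch. */
static bool equal_range_aware(const struct reg *old, const struct reg *cur,
                              bool varlen_access_seen)
{
    if (old->type != cur->type)
        return false;
    if (!varlen_access_seen)
        return true;
    return old->min == cur->min && old->max == cur->max;
}

/* Bounds check for map->array[foo] on an array of array_len elements. */
static bool index_in_bounds(const struct reg *r, int64_t array_len)
{
    return r->min >= 0 && r->max < array_len;
}

/* True when the second path is skipped as "already verified" although
 * its index range does not fit the array. */
static bool unsafe_path_pruned(bool range_aware)
{
    struct reg first  = { UNKNOWN_VALUE, 0, 7 };    /* foo = bar (constructed) */
    struct reg second = { UNKNOWN_VALUE, 0, 4096 }; /* foo += blah (constructed) */
    bool varlen_seen = true; /* map->array[foo] was checked on the first path */
    bool same = range_aware ? equal_range_aware(&first, &second, varlen_seen)
                            : equal_type_only(&first, &second);
    return same && index_in_bounds(&first, 8) && !index_in_bounds(&second, 8);
}

int main(void)
{
    printf("type-only:   unsafe path pruned = %d\n", unsafe_path_pruned(false));
    printf("range-aware: unsafe path pruned = %d\n", unsafe_path_pruned(true));
    return 0;
}
```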