[PATCH kernel-4.19 10/13] Revert "bpf: refactor verifier min/max code for condition jump"

28 Sep 2021

From: He Fengqing hefengqing@huawei.com
hulk inclusion
category: bugfix
bugzilla: NA
CVE: CVE-2021-3444
-------------------------------------------------
This reverts commit b380417c4afb477a306e66252ddb56efde8928c8.
Signed-off-by: He Fengqing hefengqing@huawei.com
Reviewed-by: Kuohai Xu xukuohai@huawei.com
Signed-off-by: Yang Yingliang yangyingliang@huawei.com
---
 kernel/bpf/verifier.c | 172 ++++++++++++++++++------------------------
 1 file changed, 73 insertions(+), 99 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 163e20219231f..35595c51dedd1 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3922,13 +3922,9 @@ static void find_good_pkt_pointers(struct bpf_verifier_state *vstate,
  */
 static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode)
 {
-	s64 sval;
-
    if (__is_pointer_value(false, reg))
    	return -1;
-	sval = (s64)val;
-
    switch (opcode) {
    case BPF_JEQ:
    	if (tnum_is_const(reg->var_off))
@@ -3945,9 +3941,9 @@ static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode)
    		return 0;
    	break;
    case BPF_JSGT:
-		if (reg->smin_value > sval)
+		if (reg->smin_value > (s64)val)
    		return 1;
-		else if (reg->smax_value < sval)
+		else if (reg->smax_value < (s64)val)
    		return 0;
    	break;
    case BPF_JLT:
@@ -3957,9 +3953,9 @@ static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode)
    		return 0;
    	break;
    case BPF_JSLT:
-		if (reg->smax_value < sval)
+		if (reg->smax_value < (s64)val)
    		return 1;
-		else if (reg->smin_value >= sval)
+		else if (reg->smin_value >= (s64)val)
    		return 0;
    	break;
    case BPF_JGE:
@@ -3969,9 +3965,9 @@ static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode)
    		return 0;
    	break;
    case BPF_JSGE:
-		if (reg->smin_value >= sval)
+		if (reg->smin_value >= (s64)val)
    		return 1;
-		else if (reg->smax_value < sval)
+		else if (reg->smax_value < (s64)val)
    		return 0;
    	break;
    case BPF_JLE:
@@ -3981,9 +3977,9 @@ static int is_branch_taken(struct bpf_reg_state *reg, u64 val, u8 opcode)
    		return 0;
    	break;
    case BPF_JSLE:
-		if (reg->smax_value <= sval)
+		if (reg->smax_value <= (s64)val)
    		return 1;
-		else if (reg->smin_value > sval)
+		else if (reg->smin_value > (s64)val)
    		return 0;
    	break;
    }
@@ -4000,8 +3996,6 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
    		    struct bpf_reg_state *false_reg, u64 val,
    		    u8 opcode)
 {
-	s64 sval;
-
    /* If the dst_reg is a pointer, we can't learn anything about its
     * variable offset from the compare (unless src_reg were a pointer into
     * the same object, but we don't bother with that.
@@ -4011,62 +4005,51 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
    if (__is_pointer_value(false, false_reg))
    	return;
-	sval = (s64)val;
-
    switch (opcode) {
    case BPF_JEQ:
+		/* If this is false then we know nothing Jon Snow, but if it is
+		 * true then we know for sure.
+		 */
+		__mark_reg_known(true_reg, val);
+		break;
    case BPF_JNE:
-	{
-		struct bpf_reg_state *reg =
-			opcode == BPF_JEQ ? true_reg : false_reg;
-		/* For BPF_JEQ, if this is false we know nothing Jon Snow, but
-		 * if it is true we know the value for sure. Likewise for
-		 * BPF_JNE.
+		/* If this is true we know nothing Jon Snow, but if it is false
+		 * we know the value for sure;
    	 */
-		__mark_reg_known(reg, val);
+		__mark_reg_known(false_reg, val);
    	break;
-	}
-	case BPF_JGE:
    case BPF_JGT:
-	{
-		u64 false_umax = opcode == BPF_JGT ? val    : val - 1;
-		u64 true_umin = opcode == BPF_JGT ? val + 1 : val;
-
-		false_reg->umax_value = min(false_reg->umax_value, false_umax);
-		true_reg->umin_value = max(true_reg->umin_value, true_umin);
+		false_reg->umax_value = min(false_reg->umax_value, val);
+		true_reg->umin_value = max(true_reg->umin_value, val + 1);
    	break;
-	}
-	case BPF_JSGE:
    case BPF_JSGT:
-	{
-		s64 false_smax = opcode == BPF_JSGT ? sval    : sval - 1;
-		s64 true_smin = opcode == BPF_JSGT ? sval + 1 : sval;
-
-		false_reg->smax_value = min(false_reg->smax_value, false_smax);
-		true_reg->smin_value = max(true_reg->smin_value, true_smin);
+		false_reg->smax_value = min_t(s64, false_reg->smax_value, val);
+		true_reg->smin_value = max_t(s64, true_reg->smin_value, val + 1);
    	break;
-	}
-	case BPF_JLE:
    case BPF_JLT:
-	{
-		u64 false_umin = opcode == BPF_JLT ? val    : val + 1;
-		u64 true_umax = opcode == BPF_JLT ? val - 1 : val;
-
-		false_reg->umin_value = max(false_reg->umin_value, false_umin);
-		true_reg->umax_value = min(true_reg->umax_value, true_umax);
-
+		false_reg->umin_value = max(false_reg->umin_value, val);
+		true_reg->umax_value = min(true_reg->umax_value, val - 1);
    	break;
-	}
-	case BPF_JSLE:
    case BPF_JSLT:
-	{
-		s64 false_smin = opcode == BPF_JSLT ? sval    : sval + 1;
-		s64 true_smax = opcode == BPF_JSLT ? sval - 1 : sval;
-
-		false_reg->smin_value = max(false_reg->smin_value, false_smin);
-		true_reg->smax_value = min(true_reg->smax_value, true_smax);
+		false_reg->smin_value = max_t(s64, false_reg->smin_value, val);
+		true_reg->smax_value = min_t(s64, true_reg->smax_value, val - 1);
+		break;
+	case BPF_JGE:
+		false_reg->umax_value = min(false_reg->umax_value, val - 1);
+		true_reg->umin_value = max(true_reg->umin_value, val);
+		break;
+	case BPF_JSGE:
+		false_reg->smax_value = min_t(s64, false_reg->smax_value, val - 1);
+		true_reg->smin_value = max_t(s64, true_reg->smin_value, val);
+		break;
+	case BPF_JLE:
+		false_reg->umin_value = max(false_reg->umin_value, val + 1);
+		true_reg->umax_value = min(true_reg->umax_value, val);
+		break;
+	case BPF_JSLE:
+		false_reg->smin_value = max_t(s64, false_reg->smin_value, val + 1);
+		true_reg->smax_value = min_t(s64, true_reg->smax_value, val);
    	break;
-	}
    default:
    	break;
    }
@@ -4091,63 +4074,54 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
    			struct bpf_reg_state *false_reg, u64 val,
    			u8 opcode)
 {
-	s64 sval;
-
    if (__is_pointer_value(false, false_reg))
    	return;
-	sval = (s64)val;
-
    switch (opcode) {
    case BPF_JEQ:
+		/* If this is false then we know nothing Jon Snow, but if it is
+		 * true then we know for sure.
+		 */
+		__mark_reg_known(true_reg, val);
+		break;
    case BPF_JNE:
-	{
-		struct bpf_reg_state *reg =
-			opcode == BPF_JEQ ? true_reg : false_reg;
-
-		__mark_reg_known(reg, val);
+		/* If this is true we know nothing Jon Snow, but if it is false
+		 * we know the value for sure;
+		 */
+		__mark_reg_known(false_reg, val);
    	break;
-	}
-	case BPF_JGE:
    case BPF_JGT:
-	{
-		u64 false_umin = opcode == BPF_JGT ? val    : val + 1;
-		u64 true_umax = opcode == BPF_JGT ? val - 1 : val;
-
-		false_reg->umin_value = max(false_reg->umin_value, false_umin);
-		true_reg->umax_value = min(true_reg->umax_value, true_umax);
+		true_reg->umax_value = min(true_reg->umax_value, val - 1);
+		false_reg->umin_value = max(false_reg->umin_value, val);
    	break;
-	}
-	case BPF_JSGE:
    case BPF_JSGT:
-	{
-		s64 false_smin = opcode == BPF_JSGT ? sval    : sval + 1;
-		s64 true_smax = opcode == BPF_JSGT ? sval - 1 : sval;
-
-		false_reg->smin_value = max(false_reg->smin_value, false_smin);
-		true_reg->smax_value = min(true_reg->smax_value, true_smax);
+		true_reg->smax_value = min_t(s64, true_reg->smax_value, val - 1);
+		false_reg->smin_value = max_t(s64, false_reg->smin_value, val);
    	break;
-	}
-	case BPF_JLE:
    case BPF_JLT:
-	{
-		u64 false_umax = opcode == BPF_JLT ? val    : val - 1;
-		u64 true_umin = opcode == BPF_JLT ? val + 1 : val;
-
-		false_reg->umax_value = min(false_reg->umax_value, false_umax);
-		true_reg->umin_value = max(true_reg->umin_value, true_umin);
+		true_reg->umin_value = max(true_reg->umin_value, val + 1);
+		false_reg->umax_value = min(false_reg->umax_value, val);
    	break;
-	}
-	case BPF_JSLE:
    case BPF_JSLT:
-	{
-		s64 false_smax = opcode == BPF_JSLT ? sval    : sval - 1;
-		s64 true_smin = opcode == BPF_JSLT ? sval + 1 : sval;
-
-		false_reg->smax_value = min(false_reg->smax_value, false_smax);
-		true_reg->smin_value = max(true_reg->smin_value, true_smin);
+		true_reg->smin_value = max_t(s64, true_reg->smin_value, val + 1);
+		false_reg->smax_value = min_t(s64, false_reg->smax_value, val);
+		break;
+	case BPF_JGE:
+		true_reg->umax_value = min(true_reg->umax_value, val);
+		false_reg->umin_value = max(false_reg->umin_value, val + 1);
+		break;
+	case BPF_JSGE:
+		true_reg->smax_value = min_t(s64, true_reg->smax_value, val);
+		false_reg->smin_value = max_t(s64, false_reg->smin_value, val + 1);
+		break;
+	case BPF_JLE:
+		true_reg->umin_value = max(true_reg->umin_value, val);
+		false_reg->umax_value = min(false_reg->umax_value, val - 1);
+		break;
+	case BPF_JSLE:
+		true_reg->smin_value = max_t(s64, true_reg->smin_value, val);
+		false_reg->smax_value = min_t(s64, false_reg->smax_value, val - 1);
    	break;
-	}
    default:
    	break;
    }
-- 
2.25.1

    

2024

2023

2022

2021

2020

2019

[PATCH kernel-4.19 10/13] Revert "bpf: refactor verifier min/max code for condition jump"