    bpf: do not allow root to mangle valid pointers · 82abbf8d
    Alexei Starovoitov authored
    Do not allow root to convert valid pointers into unknown scalars.
    In particular disallow:
     ptr &= reg
     ptr <<= reg
     ptr += ptr
    and explicitly allow:
     ptr -= ptr
    since pkt_end - pkt == length
    
    1.
    This minimizes the amount of address leaks root can do.
    In the future we may need to further tighten the leaks with kptr_restrict.
    
    2.
    If a program has such pointer math it's likely a user mistake, and
    when the verifier complains about it right away instead of many instructions
    later on an invalid memory access, it's easier for users to fix their progs.
    
    3.
    When a register holding a pointer cannot change to a scalar, it allows JITs to
    optimize better. For example, 32-bit archs could use a single register for pointers
    instead of the pair required to hold 64-bit scalars.
    
    4.
    Reduces architecture-dependent behavior, since code like:
    r1 = r10;
    r1 &= 0xff;
    if (r1 ...)
    will behave differently on arm64 vs x64 and offloaded vs native.
    
    A significant chunk of ptr mangling was allowed by
    commit f1174f77 ("bpf/verifier: rework value tracking")
    yet some of it was allowed even earlier.
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
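A toy model of the rule this commit describes, added here as an example and not the kernel's verifier code: each register is tracked as either a pointer or a scalar, the disallowed operations (ptr &= reg, ptr <<= reg, ptr += ptr) are rejected at the instruction that performs them, and ptr -= ptr yields a scalar. The handling of ptr -= scalar and scalar -= ptr is an assumption of the model, not stated in the commit; the first sample sequence is the commit's own point-4 example, the others are constructed.

```c
#include <stdio.h>
/* Toy model of this commit's pointer-vs-scalar rule; not kernel code. */
enum reg_kind { SCALAR, PTR };
enum alu_op { OP_MOV, OP_ADD, OP_SUB, OP_AND, OP_LSH };
/* Apply one ALU op to dst (kind `dst`) with src (kind `src`; immediates are SCALAR).
 * Writes the result kind to *out and returns 0, or -1 where the policy rejects it. */
int check_alu(enum alu_op op, enum reg_kind dst, enum reg_kind src, enum reg_kind *out)
{
    if (op == OP_MOV) { *out = src; return 0; }                  /* kind is copied */
    if (dst == SCALAR && src == SCALAR) { *out = SCALAR; return 0; }
    switch (op) {
    case OP_SUB:
        if (dst == PTR && src == PTR) { *out = SCALAR; return 0; } /* pkt_end - pkt == length */
        if (dst == PTR) { *out = PTR; return 0; }                 /* ptr -= scalar: assumed allowed */
        return -1;                                                /* scalar -= ptr: assumed rejected */
    case OP_ADD:
        if (dst == PTR && src == PTR) return -1;                  /* ptr += ptr: disallowed */
        *out = PTR; return 0;                                     /* ptr + scalar stays a pointer */
    default:
        return -1;                                                /* ptr &= reg, ptr <<= reg: disallowed */
    }
}
struct insn { enum alu_op op; int dst; int src; };             /* src < 0 means an immediate */
/* Walk a straight-line sequence; r10 (frame pointer) starts as PTR, the rest as
 * SCALAR.  Returns the index of the first rejected insn, or -1 if all pass. */
int verify_seq(const struct insn *prog, int n)
{
    enum reg_kind regs[11] = { [10] = PTR }, out;
    for (int i = 0; i < n; i++) {
        enum reg_kind src = prog[i].src < 0 ? SCALAR : regs[prog[i].src];
        if (check_alu(prog[i].op, regs[prog[i].dst], src, &out))
            return i;                                             /* verifier would complain here */
        regs[prog[i].dst] = out;
    }
    return -1;
}
/* Constructed sequences; the first is the commit's point-4 example, the rest are made up here. */
const struct insn mangle_fp[]   = { { OP_MOV, 1, 10 }, { OP_AND, 1, -1 } };  /* r1 = r10; r1 &= 0xff */
const struct insn ptr_add_ptr[] = { { OP_MOV, 1, 10 }, { OP_ADD, 1, 10 } };  /* r1 = r10; r1 += r10 */
const struct insn ptr_diff[]    = { { OP_MOV, 1, 10 }, { OP_ADD, 1, -1 },    /* r1 = r10 + imm;      */
                                    { OP_SUB, 1, 10 }, { OP_AND, 1, -1 } };  /* r1 -= r10; r1 &= imm */
int main(void)
{
    printf("%d %d %d\n", verify_seq(mangle_fp, 2), verify_seq(ptr_add_ptr, 2),
           verify_seq(ptr_diff, 4));
    return 0;
}
```

The first two sequences are rejected at index 1 (the masking and the pointer addition), while the pointer difference followed by a mask passes because the subtraction has already turned r1 into a scalar.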