On Sat, 2025-10-25 at 00:13 +0800, KaFai Wan wrote:
[...]
> For non-scalar cases we only allow pointer comparison on pkt_ptr, this check is before is_branch_taken()
>
>         src_reg = &regs[insn->src_reg];
>         if (!(reg_is_pkt_pointer_any(dst_reg) &&
>               reg_is_pkt_pointer_any(src_reg)) &&
>             is_pointer_value(env, insn->src_reg)) {
>                 verbose(env, "R%d pointer comparison prohibited\n",
>                         insn->src_reg);
>                 return -EACCES;
>         }
>
> and at the end of check_cond_jmp_op() (after is_branch_taken()), we check again
>
>         } else if (!try_match_pkt_pointers(insn, dst_reg, &regs[insn->src_reg],
>                                            this_branch, other_branch) &&
>                    is_pointer_value(env, insn->dst_reg)) {
>                 verbose(env, "R%d pointer comparison prohibited\n",
>                         insn->dst_reg);
>                 return -EACCES;
>         }
>
> this time we check if it is a valid comparison on pkt_ptr in try_match_pkt_pointers().
>
> Currently we just allow 4 opcodes (BPF_JGT, BPF_JLT, BPF_JGE, BPF_JLE) on pkt_ptr, and with conditions. But we bypass these prohibitions in privileged mode (is_pointer_value() always returns false in privileged mode).
>
> So the logic skips these prohibitions for pkt_ptr in unprivileged mode.

Well, yes, but do you really need to forbid `if r0 > r0 goto ...` in unpriv?
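The two checks quoted above, as an added Python model that is neither kernel code nor either poster's. Register types and the pattern accepted by try_match_pkt_pointers() are simplified assumptions; the reply's `r0 > r0` case is included as one of the inputs so the unpriv/priv difference is visible.

```python
# Added model of the verifier's pointer-comparison gating in check_cond_jmp_op().
# Not kernel code: register types and try_match_pkt_pointers() are simplified
# assumptions, kept only as far as the two quoted checks need them.
from enum import Enum, auto


class RegType(Enum):
    SCALAR = auto()
    PTR_TO_PACKET = auto()
    PTR_TO_PACKET_META = auto()
    PTR_TO_PACKET_END = auto()
    PTR_TO_MAP_VALUE = auto()  # stands in for any other pointer type


def reg_is_pkt_pointer_any(t):
    return t in (RegType.PTR_TO_PACKET, RegType.PTR_TO_PACKET_META,
                 RegType.PTR_TO_PACKET_END)


def is_pointer_value(t, privileged):
    # Models the privileged bypass the thread describes: always false for root.
    if privileged:
        return False
    return t is not RegType.SCALAR


def try_match_pkt_pointers(opcode, dst, src):
    # Assumption: only the four range opcodes between a packet pointer and
    # pkt_end (either operand order) are recognised as a valid pkt comparison.
    if opcode not in ("JGT", "JLT", "JGE", "JLE"):
        return False
    pkt = (RegType.PTR_TO_PACKET, RegType.PTR_TO_PACKET_META)
    return (dst in pkt and src is RegType.PTR_TO_PACKET_END) or \
           (src in pkt and dst is RegType.PTR_TO_PACKET_END)


def check_cond_jmp_op(opcode, dst, src, privileged, dst_reg=0, src_reg=1):
    """Return None when the jump is accepted, else the verifier-style message."""
    # First check (before is_branch_taken()): src may be a pointer only when
    # both operands are packet pointers.
    if not (reg_is_pkt_pointer_any(dst) and reg_is_pkt_pointer_any(src)) \
            and is_pointer_value(src, privileged):
        return "R%d pointer comparison prohibited" % src_reg
    # Second check (after is_branch_taken()): dst may be a pointer only when
    # the packet-pointer pattern matched.
    if not try_match_pkt_pointers(opcode, dst, src) \
            and is_pointer_value(dst, privileged):
        return "R%d pointer comparison prohibited" % dst_reg
    return None
```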