On 11/29/2016 06:27 PM, Josef Bacik wrote:
> If we have a branch that looks something like this:
>
>     int foo = map->value;
>     if (condition) {
>         foo += blah;
>     } else {
>         foo = bar;
>     }
>     map->array[foo] = baz;
>
> We will incorrectly assume that the !condition branch is equal to the
> condition branch as the register for foo will be UNKNOWN_VALUE in both
> cases. We need to adjust this logic to only do this if we didn't do a
> varlen access after we processed the !condition branch, otherwise we have
> different ranges and need to check the other branch as well.
>
> Fixes: 484611357c19 ("bpf: allow access into map value arrays")
> Reported-by: Jann Horn <[email protected]>
> Signed-off-by: Josef Bacik <[email protected]>
Acked-by: Daniel Borkmann <[email protected]>
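The pruning mistake the commit message describes, as an added, constructed model that is not the kernel's states_equal() code: the register state struct, the two comparison rules, the varlen_map_access flag and the sample bounds are all hypothetical, chosen only to show why matching register types are not enough once a bounded map access has been verified on one path.

```c
/* Constructed model of the branch-state comparison the commit message
 * describes.  It is not the kernel's states_equal(); all names here are
 * hypothetical and the bounds are invented sample values. */
#include <stdbool.h>

enum reg_type { NOT_INIT, UNKNOWN_VALUE, PTR_TO_MAP_VALUE };

struct reg_state {
	enum reg_type type;
	long min_value;	/* bounds the verifier derived on this path */
	long max_value;
};

/* Pre-fix rule: an UNKNOWN_VALUE register on the already-verified path is
 * accepted as covering any UNKNOWN_VALUE on the new path, whatever its
 * range, so the second branch is pruned and never checked against the array. */
static bool reg_equal_buggy(const struct reg_state *old, const struct reg_state *cur)
{
	return old->type == UNKNOWN_VALUE && cur->type == UNKNOWN_VALUE;
}

/* Post-fix rule: the shortcut is only taken when no variable-length map
 * access was processed on the verified path; otherwise ranges must match. */
static bool reg_equal_fixed(const struct reg_state *old, const struct reg_state *cur,
			    bool varlen_map_access)
{
	if (old->type != cur->type)
		return false;
	if (!varlen_map_access)
		return true;
	return old->min_value == cur->min_value && old->max_value == cur->max_value;
}

/* Sample states for foo at map->array[foo]: the condition path was bounded
 * before its varlen access, the !condition path (foo = bar) carries a wider
 * range that was never checked. */
static const struct reg_state foo_condition = { UNKNOWN_VALUE, 0, 7 };
static const struct reg_state foo_else = { UNKNOWN_VALUE, 0, 4095 };

/* Returns true when the chosen rule would let the verifier skip re-checking
 * the !condition path, i.e. when the two states compare as equal. */
static bool prunes_second_branch(bool use_fix)
{
	if (use_fix)
		return reg_equal_fixed(&foo_condition, &foo_else, true);
	return reg_equal_buggy(&foo_condition, &foo_else);
}
```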
