From: Josef Bacik <jba...@fb.com>
Date: Tue, 29 Nov 2016 12:27:09 -0500

> If we have a branch that looks something like this
>
> int foo = map->value;
> if (condition) {
>   foo += blah;
> } else {
>   foo = bar;
> }
> map->array[foo] = baz;
>
> We will incorrectly assume that the !condition branch is equal to the condition
> branch as the register for foo will be UNKNOWN_VALUE in both cases. We need to
> adjust this logic to only do this if we didn't do a varlen access after we
> processed the !condition branch, otherwise we have different ranges and need to
> check the other branch as well.
>
> Fixes: 484611357c19 ("bpf: allow access into map value arrays")
> Reported-by: Jann Horn <ja...@google.com>
> Signed-off-by: Josef Bacik <jba...@fb.com>
> ---
> v1->v2:
> - renamed and moved varlen_map_access variable.
> - dropped the extra () in the second if statement.
> - added the Fixes and Reported-by tag.

Applied, thanks.
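
A simplified model of the pruning problem described in the quoted commit message, added here as an illustration; it is not the kernel's verifier code and not part of the original thread. The struct layout, `ARRAY_LEN`, the helper names and the two register ranges are assumptions constructed for the example; only `UNKNOWN_VALUE` and `varlen_map_access` are names taken from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model only: layout and helper names are assumptions, not kernel code. */
enum reg_type { NOT_INIT, UNKNOWN_VALUE };
struct reg_state {
    enum reg_type type;
    long min_value, max_value;      /* tracked range of the register */
};
#define ARRAY_LEN 8                 /* constructed size of map->array */

/* Bounds check for the variable-length access map->array[foo]. */
static bool access_ok(const struct reg_state *foo)
{
    return foo->min_value >= 0 && foo->max_value < ARRAY_LEN;
}

/* Pruning test: may the current path reuse the verdict of an explored one? */
static bool reg_equal(const struct reg_state *old, const struct reg_state *cur,
                      bool varlen_map_access, bool use_fix)
{
    bool ranges_matter = use_fix && varlen_map_access;

    if (!ranges_matter && old->type == UNKNOWN_VALUE && cur->type != NOT_INIT)
        return true;                /* type-only comparison ignores ranges */
    return old->type == cur->type &&
           old->min_value == cur->min_value &&
           old->max_value == cur->max_value;
}

/* Returns true if the toy verifier accepts the program. */
static bool verify(bool use_fix)
{
    /* Constructed ranges for foo where the two branches join. */
    struct reg_state first  = { UNKNOWN_VALUE, 0, 7 };    /* walked first */
    struct reg_state second = { UNKNOWN_VALUE, 0, 255 };  /* walked second */

    if (!access_ok(&first))
        return false;
    bool varlen_map_access = true;  /* first path performed map->array[foo] */
    if (reg_equal(&first, &second, varlen_map_access, use_fix))
        return true;                /* pruned: second path is never checked */
    return access_ok(&second);
}

int main(void)
{
    printf("type-only pruning:   %s\n", verify(false) ? "accepted" : "rejected");
    printf("range-aware pruning: %s\n", verify(true) ? "accepted" : "rejected");
    return 0;
}
```

With type-only comparison the second path is pruned and its out-of-range index is never checked; once a variable-length access forces the ranges to be compared, the second path is walked and rejected.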