On 10/20/2017 05:34 PM, Daniel Borkmann wrote: > During review I noticed that the current logic for direct packet > access marking in check_cond_jmp_op() has an off by one for the > upper right range border when marking in find_good_pkt_pointers() > with BPF_JLT and BPF_JLE. It's not really harmful given access > up to pkt_end is always safe, but we should nevertheless correct > the range marking before it becomes ABI. If pkt_data' denotes a > pkt_data derived pointer (pkt_data + X), then for pkt_data' < pkt_end > in the true branch as well as for pkt_end <= pkt_data' in the false > branch we mark the range with X although it should really be X - 1 > in these cases. For example, X could be pkt_end - pkt_data, then > when testing for pkt_data' < pkt_end the verifier simulation cannot > deduce that a byte load of pkt_data' - 1 would succeed in this > branch. > > Fixes: b4e432f1000a ("bpf: enable BPF_J{LT, LE, SLT, SLE} opcodes in > verifier") > Signed-off-by: Daniel Borkmann <dan...@iogearbox.net> > Acked-by: Alexei Starovoitov <a...@kernel.org> > ---
Acked-by: John Fastabend <john.fastab...@gmail.com>