Function report

Linux Kernel

v5.5.9

Brick Technologies Co., Ltd

Source Code:kernel\bpf\verifier.c Create Date:2022-07-28 13:00:29
Last Modify:2022-05-19 20:02:10 Copyright©Brick
home page Tree
Annotation kernel can get tool activityDownload SCCTChinese

Name:Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.* Caller should also handle BPF_MOV case separately.* If we return -EACCES, caller may want to try again treating pointer as a* scalar

Proto:static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, struct bpf_insn *insn, const struct bpf_reg_state *ptr_reg, const struct bpf_reg_state *off_reg)

Type:int

Parameter:

TypeParameterName
struct bpf_verifier_env *env
struct bpf_insn *insn
const struct bpf_reg_state *ptr_reg
const struct bpf_reg_state *off_reg
4567  vstate = current verifier state
4568  state = call stack tracking [curframe]
4569  regs = regs
4570  known = Returns true if @a is a known constant
4571  smin_val = minimum possible (s64)value , smax_val = maximum possible (s64)value , smin_ptr = minimum possible (s64)value , smax_ptr = maximum possible (s64)value
4573  umin_val = minimum possible (u64)value , umax_val = maximum possible (u64)value , umin_ptr = minimum possible (u64)value , umax_ptr = maximum possible (u64)value
4575  dst = dest register , src = source register
4576  opcode = alu/jmp fields ( opcode )
4579  dst_reg = regs[dst]
4581  If known && ( smin_val != smax_val || umin_val != umax_val ) || smin_val > smax_val || umin_val > umax_val Then
4586  Mark a register as having a completely unknown (scalar) value.
4587  Return 0
4590  If Instruction classes ( opcode ) != alu mode in double word width Then
4592  verbose(env, "R%d 32-bit pointer arithmetic prohibited\n", dst)
4595  Return -EACCES
4599  Case Ordering of fields matters. See states_equal() == points to map elem value or NULL
4600  verbose(env, "R%d pointer arithmetic on %s prohibited, null-check it first\n", dst, string representation of 'enum bpf_reg_type' [ Ordering of fields matters. See states_equal() ])
4602  Return -EACCES
4603  Case Ordering of fields matters. See states_equal() == g points to struct bpf_map
4604  Case Ordering of fields matters. See states_equal() == skb->data + headlen
4605  Case Ordering of fields matters. See states_equal() == g points to struct bpf_sock
4606  Case Ordering of fields matters. See states_equal() == g points to struct bpf_sock or NULL
4607  Case Ordering of fields matters. See states_equal() == g points to sock_common
4608  Case Ordering of fields matters. See states_equal() == g points to sock_common or NULL
4609  Case Ordering of fields matters. See states_equal() == g points to struct tcp_sock
4610  Case Ordering of fields matters. See states_equal() == g points to struct tcp_sock or NULL
4611  Case Ordering of fields matters. See states_equal() == g points to struct xdp_sock
4612  verbose(env, "R%d pointer arithmetic on %s prohibited\n", dst, string representation of 'enum bpf_reg_type' [ Ordering of fields matters. See states_equal() ])
4614  Return -EACCES
4615  Case Ordering of fields matters. See states_equal() == g points to map element value
4616  If Not allow_ptr_leaks && Not known && smin_val < 0 != smax_val < 0 Then
4617  verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", off_reg == dst_reg ? dst : src)
4619  Return -EACCES
4622  Default
4623  Break
4629  Ordering of fields matters. See states_equal() = Ordering of fields matters. See states_equal()
4630  For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi = For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi
4632  If Not check_reg_sane_offset(env, off_reg, Ordering of fields matters. See states_equal() ) || Not check_reg_sane_offset(env, ptr_reg, Ordering of fields matters. See states_equal() ) Then Return -EINVAL
4637  Case opcode == BPF_ADD
4638  ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0)
4639  If ret < 0 Then
4640  verbose(env, "R%d tried to add from different maps or paths\n", dst)
4641  Return ret
4646  If known && Fixed part of pointer offset, pointer types only + smin_val == Fixed part of pointer offset, pointer types only + smin_val Then
4667  If signed_add_overflows(smin_ptr, smin_val) || signed_add_overflows(smax_ptr, smax_val) Then
4671  Else
4675  If umin_ptr + umin_val < umin_ptr || umax_ptr + umax_val < umax_ptr Then
4679  Else
4683  For scalar types (SCALAR_VALUE), this represents our knowledge of * the actual value. * For pointer types, this represents the variable part of the offset * from the pointed-to object, and is shared with all bpf_reg_states * with the same id as us. = Add two tnums, return @a + @b
4684  Fixed part of pointer offset, pointer types only = Fixed part of pointer offset, pointer types only
4685  Max size from any of the above. = Max size from any of the above.
4686  If reg_is_pkt_pointer(ptr_reg) Then
4691  Break
4692  Case opcode == BPF_SUB
4693  ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0)
4694  If ret < 0 Then
4695  verbose(env, "R%d tried to sub from different maps or paths\n", dst)
4696  Return ret
4698  If dst_reg == off_reg Then
4700  verbose(env, "R%d tried to subtract pointer from scalar\n", dst)
4702  Return -EACCES
4708  If Ordering of fields matters. See states_equal() == g == frame_pointer + offset Then
4709  verbose(env, "R%d subtraction from stack pointer prohibited\n", dst)
4711  Return -EACCES
4713  If known && Fixed part of pointer offset, pointer types only - smin_val == Fixed part of pointer offset, pointer types only - smin_val Then
4729  If signed_sub_overflows(smin_ptr, smax_val) || signed_sub_overflows(smax_ptr, smin_val) Then
4734  Else
4738  If umin_ptr < umax_val Then
4742  Else
4747  For scalar types (SCALAR_VALUE), this represents our knowledge of * the actual value. * For pointer types, this represents the variable part of the offset * from the pointed-to object, and is shared with all bpf_reg_states * with the same id as us. = Subtract two tnums, return @a - @b
4748  Fixed part of pointer offset, pointer types only = Fixed part of pointer offset, pointer types only
4749  Max size from any of the above. = Max size from any of the above.
4750  If reg_is_pkt_pointer(ptr_reg) Then
4756  Break
4757  Case opcode == BPF_AND
4758  Case opcode == BPF_OR
4759  Case opcode == BPF_XOR
4761  verbose(env, "R%d bitwise operator %s on pointer prohibited\n", dst, bpf_alu_string[opcode >> 4])
4763  Return -EACCES
4764  Default
4766  verbose(env, "R%d pointer arithmetic with %s operator prohibited\n", dst, bpf_alu_string[opcode >> 4])
4768  Return -EACCES
4771  If Not check_reg_sane_offset(env, dst_reg, Ordering of fields matters. See states_equal() ) Then Return -EINVAL
4774  Attempts to improve min/max values based on var_off information
4775  Uses signed min/max values to inform unsigned, and vice-versa
4776  Attempts to improve var_off based on unsigned min/max information
4781  If Not allow_ptr_leaks Then
4782  If Ordering of fields matters. See states_equal() == g points to map element value && heck read/write into a map element with possible variable offset Then
4784  verbose(env, "R%d pointer arithmetic of map value goes out of range, prohibited for !root\n", dst)
4786  Return -EACCES
4787  Else if Ordering of fields matters. See states_equal() == g == frame_pointer + offset && check_stack_access(env, dst_reg, Fixed part of pointer offset, pointer types only + value, 1) Then
4790  verbose(env, "R%d stack pointer arithmetic goes out of range, prohibited for !root\n", dst)
4792  Return -EACCES
4796  Return 0
Caller
NameDescribe
adjust_reg_min_max_valsHandles ALU ops other than BPF_END, BPF_NEG and BPF_MOV: computes new min/max* and var_off.