check_mem_access

Name:heck whether memory at (regno + off) is accessible for t = (read | write)* if t==write, value_regno is a register which value is stored into memory* if t==read, value_regno is a register which will receive the value from memory* if t==write &&

Proto:static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regno, int off, int bpf_size, enum bpf_access_type t, int value_regno, bool strict_alignment_once)

Type:int

Parameter:

Type	Parameter	Name
struct bpf_verifier_env *	env
int	insn_idx
u32	regno
int	off
int	bpf_size
enum bpf_access_type	t
int	value_regno
bool	strict_alignment_once

2906

regs = cur_regs(env)

2907

reg = regs + regno

2909

err = 0

2911

size = bpf_size_to_bytes(bpf_size)

2912

If size < 0 Then Return size

2916

err = check_ptr_alignment(env, reg, off, size, strict_alignment_once)

2917

If err Then Return err

2921

off += Fixed part of pointer offset, pointer types only

2923

If Ordering of fields matters. See states_equal() == g points to map element value Then

2924

If t == BPF_WRITE && value_regno >= 0 && is_pointer_value(env, value_regno) Then

2926

verbose(env, "R%d leaks addr into map\n", value_regno)

2927

Return -EACCES

2929

err = check_map_access_type(env, regno, off, size, t)

2930

If err Then Return err

2932

err = heck read/write into a map element with possible variable offset

2933

If Not err && t == BPF_READ && value_regno >= 0 Then

2934

map = valid when type == CONST_PTR_TO_MAP | PTR_TO_MAP_VALUE | * PTR_TO_MAP_VALUE_OR_NULL

2937

If Returns true if @a is a known constant && bpf_map_is_rdonly(map) && map_direct_value_addr Then

2940

map_off = off + value

2941

val = 0

2943

err = bpf_map_direct_read(map, map_off, size, & val)

2945

If err Then Return err

2948

Ordering of fields matters. See states_equal() = g doesn't contain a valid pointer

2949

Mark the unknown part of a register (variable offset or scalar value) as* known to have the value @imm.

2950

Else

2951

mark_reg_unknown(env, regs, value_regno)

2954

Else if Ordering of fields matters. See states_equal() == g points to bpf_context Then

2955

reg_type = g doesn't contain a valid pointer

2956

btf_id = 0

2958

If t == BPF_WRITE && value_regno >= 0 && is_pointer_value(env, value_regno) Then

2960

verbose(env, "R%d leaks addr into ctx\n", value_regno)

2961

Return -EACCES

2964

err = check_ctx_reg(env, reg, regno)

2965

If err < 0 Then Return err

2968

err = heck access to 'struct bpf_context' fields. Supports fixed offsets only

2969

If err Then verbose_linfo(env, insn_idx, "; ")

2971

If Not err && t == BPF_READ && value_regno >= 0 Then

2976

If reg_type == g doesn't contain a valid pointer Then

2977

mark_reg_unknown(env, regs, value_regno)

2978

Else

2979

mark_reg_known_zero(env, regs, value_regno)

2981

If reg_type_may_be_null(reg_type) Then For PTR_TO_PACKET, used to find other pointers with the same variable * offset, so they can share range knowledge. * For PTR_TO_MAP_VALUE_OR_NULL this is used to share which map value we * came from, when one is tested for != NULL. * For PTR_TO_SOCKET thi = ++used to generate unique reg IDs

2988

Tracks subreg definition. The stored value is the insn_idx of the * writing insn. This is safe because subreg_def is used before any insn * patching which only happens after main verification finished. = DEF_NOT_SUBREG

2989

If reg_type == g points to kernel struct Then for PTR_TO_BTF_ID = btf_id

2992

Ordering of fields matters. See states_equal() = reg_type

2995

Else if Ordering of fields matters. See states_equal() == g == frame_pointer + offset Then

2996

off += value

2997

err = check_stack_access(env, reg, off, size)

2998

If err Then Return err

3001

state = func(env, reg)

3002

err = update_stack_depth(env, state, off)

3003

If err Then Return err

3006

If t == BPF_WRITE Then err = heck_stack_read/write functions track spill/fill of registers,* stack boundary and alignment are checked in check_mem_access()

3009

Else err = check_stack_read(env, state, off, size, value_regno)

3012

Else if reg_is_pkt_pointer(reg) Then

3013

If t == BPF_WRITE && Not may_access_direct_pkt_data(env, NULL, t) Then

3014

verbose(env, "cannot write into packet\n")

3015

Return -EACCES

3017

If t == BPF_WRITE && value_regno >= 0 && is_pointer_value(env, value_regno) Then

3019

verbose(env, "R%d leaks addr into packet\n", value_regno)

3021

Return -EACCES

3023

err = check_packet_access(env, regno, off, size, false)

3024

If Not err && t == BPF_READ && value_regno >= 0 Then mark_reg_unknown(env, regs, value_regno)

3026

Else if Ordering of fields matters. See states_equal() == g points to bpf_flow_keys Then

3027

If t == BPF_WRITE && value_regno >= 0 && is_pointer_value(env, value_regno) Then

3029

verbose(env, "R%d leaks addr into flow keys\n", value_regno)

3031

Return -EACCES

3034

err = check_flow_keys_access(env, off, size)

3035

If Not err && t == BPF_READ && value_regno >= 0 Then mark_reg_unknown(env, regs, value_regno)

3037

Else if type_is_sk_pointer( Ordering of fields matters. See states_equal() ) Then

3038

If t == BPF_WRITE Then

3039

verbose(env, "R%d cannot write into %s\n", regno, string representation of 'enum bpf_reg_type' [ Ordering of fields matters. See states_equal() ])

3041

Return -EACCES

3043

err = check_sock_access(env, insn_idx, regno, off, size, t)

3044

If Not err && value_regno >= 0 Then mark_reg_unknown(env, regs, value_regno)

3046

Else if Ordering of fields matters. See states_equal() == g points to a writable raw tp's buffer Then

3047

err = check_tp_buffer_access(env, reg, regno, off, size)

3048

If Not err && t == BPF_READ && value_regno >= 0 Then mark_reg_unknown(env, regs, value_regno)

3050

Else if Ordering of fields matters. See states_equal() == g points to kernel struct Then

3051

err = check_ptr_to_btf_access(env, regs, regno, off, size, t, value_regno)

3053

Else

3054

verbose(env, "R%d invalid mem access '%s'\n", regno, string representation of 'enum bpf_reg_type' [ Ordering of fields matters. See states_equal() ])

3056

Return -EACCES

3059

If Not err && size < size of eBPF register in bytes && value_regno >= 0 && t == BPF_READ && Ordering of fields matters. See states_equal() == g doesn't contain a valid pointer Then

3062

runcate register to smaller size (in bytes)* must be called with size < BPF_REG_SIZE

3064

Return err

**Caller**
Name	Describe
check_xadd
check_helper_call
do_check

Source code conversion tool public plug-in interface	X
Support c/c++/esqlc/java Oracle/Informix/Mysql Plug-in can realize: logical Report Code generation and batch code conversion