angler-fishThe Vulnerability History Project

bpf/verifier: track signed and unsigned min/max values

      Allows us to, sometimes, combine information from a signed check of one
 bound and an unsigned check of the other.
We now track the full range of possible values, rather than restricting
 ourselves to [0, 1<<30) and considering anything beyond that as
 unknown.  While this is probably not necessary, it makes the code more
 straightforward and symmetrical between signed and unsigned bounds.

Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
by Iris the Bat 2017-08-07 14:26:36 UTC
commit b03c9f9fdc37dab81ea04d5dacdc5995d4c224c2
Linux Kernel VCC CVE-2017-16995 VCC CVE-2017-16996 VCC CVE-2017-17852 VCC CVE-2017-17853 VCC CVE-2017-17854 VCC CVE-2017-17855 VCC CVE-2018-18445 VCC CVE-2019-7308 VCC CVE-2021-4159 VCC ALU32 bounds check error CVE-2021-45402 VCC CVE-2022-0500
include/linux/bpf_verifier.h
+14 -9
include/linux/tnum.h
+2
kernel/bpf/tnum.c
+16
kernel/bpf/verifier.c
+429 -308
expand_less