bpf: Fix regsafe() for pointers to packet

In case rold->reg->range == BEYOND_PKT_END && rcur->reg->range == N
regsafe() may return true which may lead to current state with
valid packet range not being explored. Fix the bug.

Fixes: 6d94e741a8ff ("bpf: Support for pointers beyond pkt_end.")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Amery Hung <ameryhung@gmail.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/bpf/20260331204228.26726-1-alexei.starovoitov@gmail.com

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f108c01ff6d02ca83ad38fa3031ffd83099e2494..a3388cb8fcbdf9c29591e72031cc9e66d483376d 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -19915,8 +19915,13 @@ static bool regsafe(struct bpf_verifier_env *env, struct bpf_reg_state *rold,
                 * since someone could have accessed through (ptr - k), or
                 * even done ptr -= k in a register, to get a safe access.
                 */
-               if (rold->range > rcur->range)
+               if (rold->range < 0 || rcur->range < 0) {
+                       /* special case for [BEYOND|AT]_PKT_END */
+                       if (rold->range != rcur->range)
+                               return false;
+               } else if (rold->range > rcur->range) {
                        return false;
+               }
                /* If the offsets don't match, we can't trust our alignment;
                 * nor can we be sure that we won't fall out of range.
                 */