On Fri, 2025-10-24 at 09:40 -0700, Alexei Starovoitov wrote:
On Fri, Oct 24, 2025 at 9:38 AM KaFai Wan <kafai.wan@linux.dev> wrote:
On Fri, 2025-10-24 at 09:21 -0700, Eduard Zingerman wrote:
On Sat, 2025-10-25 at 00:13 +0800, KaFai Wan wrote:
[...]
For non-scalar cases we only allow pointer comparison on pkt_ptr; this check is before is_branch_taken():

    src_reg = &regs[insn->src_reg];
    if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
        is_pointer_value(env, insn->src_reg)) {
        verbose(env, "R%d pointer comparison prohibited\n", insn->src_reg);
        return -EACCES;
    }

and at the end of check_cond_jmp_op() (after is_branch_taken()) we check again:

    } else if (!try_match_pkt_pointers(insn, dst_reg, &regs[insn->src_reg],
                                       this_branch, other_branch) &&
               is_pointer_value(env, insn->dst_reg)) {
        verbose(env, "R%d pointer comparison prohibited\n", insn->dst_reg);
        return -EACCES;
    }

This time we check whether it is a valid comparison on pkt_ptr in try_match_pkt_pointers().
Currently we only allow 4 opcodes (BPF_JGT, BPF_JLT, BPF_JGE, BPF_JLE) on pkt_ptr, and only under conditions. But we bypass these prohibitions in privileged mode (is_pointer_value() always returns false in privileged mode).
So the logic skips these prohibitions for pkt_ptr in unprivileged mode.
Well, yes, but do you really need to forbid `if r0 > r0 goto ...` in unpriv?
Currently `if r0 > r0 goto ...` is forbidden in unpriv, but we could allow it.
Let's not relax unpriv. We don't need new threads with researchers whether such things can be exploited.
Ok, I'll keep the logic for both scalar and non-scalar cases.
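As an added illustration (not code from the thread or from the kernel tree): a simplified stand-alone C model of the two checks quoted above, showing why `if r0 > r0 goto ...` on a packet pointer fails in unpriv but passes in priv. It only models BPF_X register-vs-register jumps, and try_match_pkt_pointers() is reduced to its opcode/type-pair test; the enum and function names mirror the verifier's, but the model itself is an assumption.

```c
#include <stdbool.h>
#include <stdio.h>

/* Register types relevant to the checks (names mirror the verifier's enum). */
enum reg_type { SCALAR_VALUE, PTR_TO_MAP_VALUE, PTR_TO_PACKET_META,
                PTR_TO_PACKET, PTR_TO_PACKET_END };
enum jmp_op { JEQ, JNE, JGT, JGE, JLT, JLE };

static bool reg_is_pkt_pointer_any(enum reg_type t)
{
    return t == PTR_TO_PACKET || t == PTR_TO_PACKET_META || t == PTR_TO_PACKET_END;
}

/* is_pointer_value(): in unpriv any non-scalar is a potential pointer leak;
 * in priv (allow_ptr_leaks) it is unconditionally false, the bypass discussed above. */
static bool is_pointer_value(bool allow_ptr_leaks, enum reg_type t)
{
    return !allow_ptr_leaks && t != SCALAR_VALUE;
}

/* Simplified try_match_pkt_pointers(): only the four range opcodes, and only the
 * pkt_data/pkt_end and pkt_meta/pkt_data pairings (either order) count as matches. */
static bool try_match_pkt_pointers(enum jmp_op op, enum reg_type dst, enum reg_type src)
{
    if (op != JGT && op != JGE && op != JLT && op != JLE)
        return false;
    return (dst == PTR_TO_PACKET && src == PTR_TO_PACKET_END) ||
           (dst == PTR_TO_PACKET_META && src == PTR_TO_PACKET) ||
           (dst == PTR_TO_PACKET_END && src == PTR_TO_PACKET) ||
           (dst == PTR_TO_PACKET && src == PTR_TO_PACKET_META);
}

/* true if a BPF_X conditional jump passes both checks from check_cond_jmp_op(). */
bool cond_jmp_allowed(enum jmp_op op, enum reg_type dst, enum reg_type src, bool privileged)
{
    /* check 1, before is_branch_taken(): src may only be a pointer if both are pkt ptrs */
    if (!(reg_is_pkt_pointer_any(dst) && reg_is_pkt_pointer_any(src)) &&
        is_pointer_value(privileged, src))
        return false;
    /* check 2, at the end: dst may only be a pointer if this is a valid pkt range check */
    if (!try_match_pkt_pointers(op, dst, src) && is_pointer_value(privileged, dst))
        return false;
    return true;
}

int main(void)
{
    /* the `if r0 > r0 goto ...` case from the thread, with r0 = pkt_data */
    printf("unpriv: %d, priv: %d\n",
           cond_jmp_allowed(JGT, PTR_TO_PACKET, PTR_TO_PACKET, false),
           cond_jmp_allowed(JGT, PTR_TO_PACKET, PTR_TO_PACKET, true));
    return 0;
}
```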