On Fri, Oct 24, 2025 at 9:38 AM KaFai Wan kafai.wan@linux.dev wrote:
On Fri, 2025-10-24 at 09:21 -0700, Eduard Zingerman wrote:
On Sat, 2025-10-25 at 00:13 +0800, KaFai Wan wrote:
[...]
For non-scalar cases we only allow pointer comparison on pkt_ptr; this check is before is_branch_taken():

    src_reg = &regs[insn->src_reg];
    if (!(reg_is_pkt_pointer_any(dst_reg) &&
          reg_is_pkt_pointer_any(src_reg)) &&
        is_pointer_value(env, insn->src_reg)) {
            verbose(env, "R%d pointer comparison prohibited\n",
                    insn->src_reg);
            return -EACCES;
    }

and at the end of check_cond_jmp_op() (after is_branch_taken()) we check again:

    } else if (!try_match_pkt_pointers(insn, dst_reg, &regs[insn->src_reg],
                                       this_branch, other_branch) &&
               is_pointer_value(env, insn->dst_reg)) {
            verbose(env, "R%d pointer comparison prohibited\n",
                    insn->dst_reg);
            return -EACCES;
    }

This time we check whether it is a valid comparison on pkt_ptr in try_match_pkt_pointers().
Currently we just allow 4 opcodes (BPF_JGT, BPF_JLT, BPF_JGE, BPF_JLE) on pkt_ptr, and with conditions. But we bypass these prohibitions in privileged mode (is_pointer_value() always returns false in privileged mode).
So the logic skips these prohibitions for pkt_ptr in unprivileged mode.
Well, yes, but do you really need to forbid `if r0 > r0 goto ...` in unpriv?
Currently `if r0 > r0 goto ...` is forbidden in unpriv, but we can allow it.
Let's not relax unpriv. We don't need new threads with researchers whether such things can be exploited.
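The two gates discussed in this thread, as an added stand-alone model written for this page (not kernel code and not the patch under review): register types and opcodes are reduced to the handful the thread mentions, the per-branch packet-range refinement that find_good_pkt_pointers()/mark_pkt_end() do in the real verifier is omitted, and the off/range requirement that reg_is_init_pkt_pointer() adds on the PTR_TO_PACKET side of a meta comparison is ignored. The function check_ptr_cmp() is a hypothetical name for the combined decision; it returns 0 when the comparison would be accepted and -13 (EACCES) when it would be rejected, so the `if r0 > r0 goto ...` case from the thread can be tried in both privileged and unprivileged mode.

```c
/* Added example: simplified model of the two pointer-comparison gates in
 * the BPF verifier's check_cond_jmp_op(). Not kernel code. */
#include <stdbool.h>
#include <stdio.h>

#define MODEL_EACCES 13

/* Only the register types the thread talks about (assumption: model only). */
enum reg_type {
	SCALAR_VALUE,
	PTR_TO_CTX,
	PTR_TO_PACKET,
	PTR_TO_PACKET_META,
	PTR_TO_PACKET_END,
};

enum jmp_op { JEQ, JNE, JGT, JLT, JGE, JLE };

static bool reg_is_pkt_pointer_any(enum reg_type t)
{
	return t == PTR_TO_PACKET || t == PTR_TO_PACKET_META ||
	       t == PTR_TO_PACKET_END;
}

/* The privileged bypass: with allow_ptr_leaks set, nothing counts as a
 * pointer value, so both gates below fall through. */
static bool is_pointer_value(bool allow_ptr_leaks, enum reg_type t)
{
	if (allow_ptr_leaks)
		return false;
	return t != SCALAR_VALUE;
}

/* The (dst, src) pairs the verifier can derive a packet range from:
 * pkt vs pkt_end and pkt_meta vs pkt, in either order. */
static bool pkt_pair_ok(enum reg_type a, enum reg_type b)
{
	return (a == PTR_TO_PACKET && b == PTR_TO_PACKET_END) ||
	       (a == PTR_TO_PACKET_META && b == PTR_TO_PACKET);
}

/* Only the four unsigned relational jumps are matched; everything else
 * (JEQ, JNE, ...) returns false and is left to the is_pointer_value()
 * check in the caller. */
static bool try_match_pkt_pointers(enum jmp_op op, enum reg_type dst,
				   enum reg_type src)
{
	switch (op) {
	case JGT:
	case JLT:
	case JGE:
	case JLE:
		return pkt_pair_ok(dst, src) || pkt_pair_ok(src, dst);
	default:
		return false;
	}
}

/* Hypothetical helper combining the two gates. 0 = accepted, -13 = rejected. */
static int check_ptr_cmp(bool privileged, enum jmp_op op,
			 enum reg_type dst, enum reg_type src)
{
	/* Gate 1 (before is_branch_taken): a non-scalar src is only tolerated
	 * when both sides are packet pointers of some kind. */
	if (!(reg_is_pkt_pointer_any(dst) && reg_is_pkt_pointer_any(src)) &&
	    is_pointer_value(privileged, src))
		return -MODEL_EACCES;

	/* Gate 2 (after is_branch_taken): the packet comparison must be one
	 * try_match_pkt_pointers() understands, otherwise dst must be scalar. */
	if (!try_match_pkt_pointers(op, dst, src) &&
	    is_pointer_value(privileged, dst))
		return -MODEL_EACCES;

	return 0;
}

int main(void)
{
	/* `if r0 > r0 goto ...` with r0 = pkt: passes gate 1 (both sides are
	 * packet pointers) but pkt vs pkt matches nothing in gate 2. */
	printf("unpriv pkt > pkt     : %d\n",
	       check_ptr_cmp(false, JGT, PTR_TO_PACKET, PTR_TO_PACKET));
	printf("priv   pkt > pkt     : %d\n",
	       check_ptr_cmp(true, JGT, PTR_TO_PACKET, PTR_TO_PACKET));
	printf("unpriv pkt > pkt_end : %d\n",
	       check_ptr_cmp(false, JGT, PTR_TO_PACKET, PTR_TO_PACKET_END));
	printf("unpriv pkt == pkt_end: %d\n",
	       check_ptr_cmp(false, JEQ, PTR_TO_PACKET, PTR_TO_PACKET_END));
	printf("unpriv ctx > pkt     : %d\n",
	       check_ptr_cmp(false, JGT, PTR_TO_CTX, PTR_TO_PACKET));
	return 0;
}
```

Running it shows the asymmetry the thread is about: the self-comparison is rejected only in unprivileged mode, a pkt/pkt_end bounds check passes in both, and any other opcode or any non-packet pointer is rejected for unprivileged programs by one of the two gates.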