From: Daniel Borkmann <daniel@iogearbox.net>

Date: Fri, 5 Feb 2021 17:20:14 +0100

Subject: bpf: Fix verifier jsgt branch analysis on max bound

Patch-mainline: v5.11

Git-commit: ee114dd64c0071500345439fc79dd5e0f9d106ed

References: bsc#1155518

Fix incorrect is_branch{32,64}_taken() analysis for the jsgt case. The return

code for both will tell the caller whether a given conditional jump is taken

or not, e.g. 1 means branch will be taken [for the involved registers] and the

goto target will be executed, 0 means branch will not be taken and instead we

fall-through to the next insn, and last but not least a -1 denotes that it is

not known at verification time whether a branch will be taken or not. Now while

the jsgt has the branch-taken case correct with reg->s32_min_value > sval, the

branch-not-taken case is off-by-one when testing for reg->s32_max_value < sval

since the branch will also be taken for reg->s32_max_value == sval. The jgt

branch analysis, for example, gets this right.

Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")

Fixes: 4f7b3e82589e ("bpf: improve verifier branch analysis")

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

Reviewed-by: John Fastabend <john.fastabend@gmail.com>

Acked-by: Alexei Starovoitov <ast@kernel.org>

Acked-by: Gary Lin <glin@suse.com>

NOTE from Gary:

  * This patch is modified for SLE15-SP2 only. Since 3f50f132d840 is not merged,

    the diff for is_branch32_taken() is omitted.

---

 kernel/bpf/verifier.c |    2 +-

 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c

+++ b/kernel/bpf/verifier.c

@@ -5499,7 +5499,7 @@ static int is_branch_taken(struct bpf_re

 	case BPF_JSGT:

 		if (reg->smin_value > sval)

 			return 1;

-		else if (reg->smax_value < sval)

+		else if (reg->smax_value <= sval)

 			return 0;

 		break;

 	case BPF_JLT: