bpf: Fix mask direction swap upon off reg sign change
commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream.
Masking direction as indicated via mask_to_left is considered to be
calculated once and then used to derive pointer limits. Thus, this
needs to be placed into bpf_sanitize_info instead so we can pass it
to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
corner case where the off reg causes masking direction change which
then results in an incorrect final aux->alu_limit.
Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
Reported-by: Piotr Krysiuk <firstname.lastname@example.org>
Signed-off-by: Daniel Borkmann <email@example.com>
Reviewed-by: Piotr Krysiuk <firstname.lastname@example.org>
Acked-by: Alexei Starovoitov <email@example.com>
Signed-off-by: Greg Kroah-Hartman <firstname.lastname@example.org>
1 file changed