bpf: Fix print_reg_state's constant scalar dump

borkmann · anakryiko · commit 3e9e708757ca · 2024-10-17T11:06:34.000-07:00
print_reg_state() should not consider adding reg->off to reg->var_off.value when dumping scalars. Scalars can be produced with reg->off != 0 through BPF_ADD_CONST, and thus as-is this can skew the register log dump. Fixes: 98d7ca3 ("bpf: Track delta between "linked" registers.") Reported-by: Nathaniel Theis <nathaniel.theis@nccgroup.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20241016134913.32249-2-daniel@iogearbox.net
diff --git a/kernel/bpf/log.c b/kernel/bpf/log.c
@@ -688,8 +688,7 @@ static void print_reg_state(struct bpf_verifier_env *env,
 	if (t == SCALAR_VALUE && reg->precise)
 		verbose(env, "P");
 	if (t == SCALAR_VALUE && tnum_is_const(reg->var_off)) {
-		/* reg->off should be 0 for SCALAR_VALUE */
-		verbose_snum(env, reg->var_off.value + reg->off);
+		verbose_snum(env, reg->var_off.value);
 		return;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -688,8 +688,7 @@ static void print_reg_state(struct bpf_verifier_env *env,`
`688`	`688`	`if (t == SCALAR_VALUE && reg->precise)`
`689`	`689`	`verbose(env, "P");`
`690`	`690`	`if (t == SCALAR_VALUE && tnum_is_const(reg->var_off)) {`
`691`		`- /* reg->off should be 0 for SCALAR_VALUE */`
`692`		`- verbose_snum(env, reg->var_off.value + reg->off);`
	`691`	`+ verbose_snum(env, reg->var_off.value);`
`693`	`692`	`return;`
`694`	`693`	`}`
`695`	`694`