bpf: Use correct permission flag for mixed signed bounds arithmetic

BugLink: https://bugs.launchpad.net/bugs/1926999
[ Upstream commit 9601148392520e2e134936e76788fc2a6371e7be ]

We forbid adding unknown scalars with mixed signed bounds due to the
spectre v1 masking mitigation. Hence this also needs bypass_spec_v1
flag instead of allow_ptr_leaks.

Fixes: 2c78ee898d8f ("bpf: Implement CAP_BPF")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Stefan Bader <stefan.bader@canonical.com>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 4814a7e9afc3f85ee2fa701367a1ebc2ecf3194c..092f44351f1f827df55ed7aac58c1fc9bb894076 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5578,7 +5578,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
                        dst, reg_type_str[ptr_reg->type]);
                return -EACCES;
        case PTR_TO_MAP_VALUE:
-               if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
+               if (!env->env->bypass_spec_v1 && !known && (smin_val < 0) != (smax_val < 0)) {
                        verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
                                off_reg == dst_reg ? dst : src);
                        return -EACCES;