|
|
@@ -175,6 +175,7 @@ struct bpf_verifier_stack_elem {
|
|
|
|
|
|
#define BPF_COMPLEXITY_LIMIT_INSNS 131072
|
|
|
#define BPF_COMPLEXITY_LIMIT_STACK 1024
|
|
|
+#define BPF_COMPLEXITY_LIMIT_STATES 64
|
|
|
|
|
|
#define BPF_MAP_PTR_UNPRIV 1UL
|
|
|
#define BPF_MAP_PTR_POISON ((void *)((0xeB9FUL << 1) + \
|
|
|
@@ -5047,7 +5048,7 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
|
|
|
struct bpf_verifier_state_list *new_sl;
|
|
|
struct bpf_verifier_state_list *sl;
|
|
|
struct bpf_verifier_state *cur = env->cur_state, *new;
|
|
|
- int i, j, err;
|
|
|
+ int i, j, err, states_cnt = 0;
|
|
|
|
|
|
sl = env->explored_states[insn_idx];
|
|
|
if (!sl)
|
|
|
@@ -5074,8 +5075,12 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
|
|
|
return 1;
|
|
|
}
|
|
|
sl = sl->next;
|
|
|
+ states_cnt++;
|
|
|
}
|
|
|
|
|
|
+ if (!env->allow_ptr_leaks && states_cnt > BPF_COMPLEXITY_LIMIT_STATES)
|
|
|
+ return 0;
|
|
|
+
|
|
|
/* there were no equivalent states, remember current one.
|
|
|
* technically the current state is not proven to be safe yet,
|
|
|
* but it will either reach outer most bpf_exit (which means it's safe)
|
Alexei Starovoitov