From: Maxim Mikityanskiy <maxim@isovalent.com>
See the details in the commit message (TL;DR: under CAP_BPF, the verifier can be fooled into thinking that a scalar is zero while in fact it's your predefined number).
v1 and v2 were sent off-list.
v2 changes:
Added more tests, migrated them to inline asm, started using bpf_get_prandom_u32, switched to a more bulletproof dead branch check and modified the failing spill test scenarios so that an unauthorized access attempt is performed in both branches.
v3 changes:
Dropped an improvement not necessary for the fix, changed the Fixes tag.
Maxim Mikityanskiy (2):
  bpf: Fix verifier tracking scalars on spill
  selftests/bpf: Add test cases to assert proper ID tracking on spill

 kernel/bpf/verifier.c                          |   7 +
 .../selftests/bpf/progs/verifier_spill_fill.c  | 198 ++++++++++++++++++
 2 files changed, 205 insertions(+)