vbpf / prevail / 22261606104

push

github

Fix two verifier soundness bugs found by pentest (#1028)

* Fix two verifier soundness bugs found by pentest

1. Stale shared_region_size after map_lookup fallthrough: when the map
   type/fd is ambiguous, the fallthrough path set T_SHARED without
   havocing shared_region_size, letting a stale value from a prior
   lookup persist. This allowed OOB reads on map values. Fix:
   Extract assign_shared_map_value to deduplicate the 4-line shared
   pointer setup (assign_valid_ptr, shared_offset, shared_region_size,
   assign_type). Flatten the nested if-pyramid in resolve_map_lookup
   into early returns. 

2. Stale r1-r5 after BPF-to-BPF call return: the Exit handler for
   subprogram returns restored callee-saved registers (r6-r9) and r10
   but never scratched caller-saved registers (r1-r5). A caller could
   then use stale pointer values in r1-r5 that the callee may have
   invalidated. Fix: call scratch_caller_saved_registers() in Exit.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Elazar Gershuni <elazarg@gmail.com>

---------

Signed-off-by: Elazar Gershuni <elazarg@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

22 of 23 new or added lines in 1 file covered. (95.65%)

11753 of 13355 relevant lines covered (88.0%)

3252928.86 hits per line