On Thu, 2026-06-11 at 19:11 +0900, Woojin Ji wrote: > mark_reg_stack_read() currently treats a variable-offset stack read as > known-zero only when every byte in the read range has STACK_ZERO type. > This loses precision for stack bytes that are represented as STACK_SPILL > but come from a spilled scalar const zero. > > Fixed-offset stack reads already preserve such partial reads from a > spilled scalar zero as const zero. Variable-offset stack writes also keep > a spilled scalar zero intact when a zero write overlaps it. The read side > is therefore inconsistent and can reject otherwise valid programs: a byte > read from a spilled zero becomes an unknown u8 and may then make a > stack access through that value appear out of bounds. > > Treat STACK_SPILL bytes backed by a spilled scalar const zero as zero > bytes in mark_reg_stack_read(). When such a spilled scalar is used to > prove the destination register is const zero, mark every contributing > source stack slot precise before state pruning can use an explored > zero-spill path for a later non-zero spill path. > > This has to be done eagerly for variable-offset loads. Fixed-offset stack > fills can record one source stack slot in the jump history and propagate > destination precision back to that slot later, but a variable-offset load > may source bytes from multiple stack slots. Seed precision backtracking > with every zero-spill slot that contributes to the const-zero > classification instead. > > Add verifier selftests for both sides: accepted programs that read a byte > through a variable stack offset from spilled zero scalars, including a > multi-slot range, and a rejected program that would be accepted unsafely > by a naive implementation that promotes spilled zero bytes to const zero > without tracking the source spilled slot precisely. Use > BPF_F_TEST_STATE_FREQ for the rejected test so it does not depend on the > current verifier checkpoint heuristic thresholds. > > Tested: > ./test_progs -t verifier_var_off > > Assisted-by: opencode:gpt-5.5 > Signed-off-by: Woojin Ji <[email protected]> > ---
This patch does not apply cleanly to current bpf-next, and that's the branch it should target. Also note that tests should be split as a separate patch in the patch-set.
