/* types of values stored in eBPF registers *//* Pointer types represent: * pointer * pointer + imm * pointer + (u16) var * pointer + (u16) var + imm * if (range > 0) then [ptr, ptr + range - off) is safe to access * if (id > 0) means that some 'var' was added * if (off > 0) means that 'imm' was added */enum bpf_reg_type {    NOT_INIT = 0,         /* nothing was written into register */    SCALAR_VALUE,         /* reg doesn't contain a valid pointer */    PTR_TO_CTX,           /* reg points to bpf_context */    CONST_PTR_TO_MAP,     /* reg points to struct bpf_map */    PTR_TO_MAP_VALUE,     /* reg points to map element value */    PTR_TO_MAP_VALUE_OR_NULL,  /* points to map elem value or NULL */    PTR_TO_STACK,         /* reg == frame_pointer + offset */    PTR_TO_PACKET_META,   /* skb->data - meta_len */    PTR_TO_PACKET,        /* reg points to skb->data */    PTR_TO_PACKET_END,    /* skb->data + headlen */    PTR_TO_FLOW_KEYS,     /* reg points to bpf_flow_keys */    PTR_TO_SOCKET,        /* reg points to struct bpf_sock */    PTR_TO_SOCKET_OR_NULL,      /* reg points to struct bpf_sock or NULL */    PTR_TO_SOCK_COMMON,   /* reg points to sock_common */    PTR_TO_SOCK_COMMON_OR_NULL, /* reg points to sock_common or NULL */    PTR_TO_TCP_SOCK,      /* reg points to struct tcp_sock */    PTR_TO_TCP_SOCK_OR_NULL,    /* reg points to struct tcp_sock or NULL */    PTR_TO_TP_BUFFER,     /* reg points to a writable raw tp's buffer */    PTR_TO_XDP_SOCK,      /* reg points to struct xdp_sock */    /* PTR_TO_BTF_ID points to a kernel struct that does not need     * to be null checked by the BPF program. This does not imply the     * pointer is _not_ null and in practice this can easily be a null     * pointer when reading pointer chains. The assumption is program     * context will handle null pointer dereference typically via fault     * handling. The verifier must keep this in mind and can make no     * assumptions about null or non-null when doing branch analysis.     * Further, when passed into helpers the helpers can not, without     * additional context, assume the value is non-null.     */    PTR_TO_BTF_ID,    /* PTR_TO_BTF_ID_OR_NULL points to a kernel struct that has not     * been checked for null. Used primarily to inform the verifier     * an explicit null check is required for this struct.     */    PTR_TO_BTF_ID_OR_NULL,    PTR_TO_MEM,           /* reg points to valid memory region */    PTR_TO_MEM_OR_NULL,   /* reg points to valid memory region or NULL */    PTR_TO_RDONLY_BUF,    /* reg points to a readonly buffer */    PTR_TO_RDONLY_BUF_OR_NULL,  /* reg points to a readonly buffer or NULL */    PTR_TO_RDWR_BUF,      /* reg points to a read/write buffer */    PTR_TO_RDWR_BUF_OR_NULL,    /* reg points to a read/write buffer or NULL */    PTR_TO_PERCPU_BTF_ID,       /* reg points to a percpu kernel variable */};

/* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. * Caller should also handle BPF_MOV case separately. * If we return -EACCES, caller may want to try again treating pointer as a * scalar.  So we only emit a diagnostic if !env->allow_ptr_leaks. */static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,                   struct bpf_insn *insn,                   const struct bpf_reg_state *ptr_reg,                   const struct bpf_reg_state *off_reg){...    switch (ptr_reg->type) {    case PTR_TO_MAP_VALUE_OR_NULL:        verbose(env, "R%d pointer arithmetic on %s prohibited, null-check it first\n",            dst, reg_type_str[ptr_reg->type]);        return -EACCES;    case CONST_PTR_TO_MAP:        /* smin_val represents the known value */        if (known && smin_val == 0 && opcode == BPF_ADD)            break;        fallthrough;    case PTR_TO_PACKET_END:    case PTR_TO_SOCKET:    case PTR_TO_SOCKET_OR_NULL:    case PTR_TO_SOCK_COMMON:    case PTR_TO_SOCK_COMMON_OR_NULL:    case PTR_TO_TCP_SOCK:    case PTR_TO_TCP_SOCK_OR_NULL:    case PTR_TO_XDP_SOCK:        verbose(env, "R%d pointer arithmetic on %s prohibited\n",            dst, reg_type_str[ptr_reg->type]);        return -EACCES;    default:        break;    }...    return 0;}

[1] Advisory: https://www.openwall.com/lists/oss-security/2022/01/13/1[2] Exploit Overview: https://www.openwall.com/lists/oss-security/2022/01/18/2[3] Patch: []()[4] Source: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/tree/kernel/bpf/verifier.c?h=v5.10.83