Git Repo - linux.git/commit

author	Yonghong Song <[email protected]>
	Mon, 12 Aug 2024 21:48:47 +0000 (14:48 -0700)
committer	Alexei Starovoitov <[email protected]>
	Tue, 13 Aug 2024 01:09:48 +0000 (18:09 -0700)
commit	bed2eb964c70b780fb55925892a74f26cb590b25
tree	6b3b06cd087a165a9985ba6a859f43b7684291f7	tree \| snapshot
parent	fdad456cbcca739bae1849549c7a999857c56f88	commit \| diff

bpf: Fix a kernel verifier crash in stacksafe()

Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.

To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <[email protected]>
Reported-by: Daniel Hodges <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
Signed-off-by: Yonghong Song <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>