]> Git Repo - linux.git/commit
bpf: Fix a kernel verifier crash in stacksafe()
authorYonghong Song <[email protected]>
Mon, 12 Aug 2024 21:48:47 +0000 (14:48 -0700)
committerAlexei Starovoitov <[email protected]>
Tue, 13 Aug 2024 01:09:48 +0000 (18:09 -0700)
commitbed2eb964c70b780fb55925892a74f26cb590b25
tree6b3b06cd087a165a9985ba6a859f43b7684291f7
parentfdad456cbcca739bae1849549c7a999857c56f88
bpf: Fix a kernel verifier crash in stacksafe()

Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.

To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <[email protected]>
Reported-by: Daniel Hodges <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
Signed-off-by: Yonghong Song <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
kernel/bpf/verifier.c
This page took 0.053773 seconds and 4 git commands to generate.