kevin/linux
1
Fork 0
Code
731733c623
linux/kernel/bpf
History
Yonghong Song bed2eb964c bpf: Fix a kernel verifier crash in stacksafe() 
Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.

To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

Fixes: 2793a8b015 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <eddyz87@gmail.com>
Reported-by: Daniel Hodges <hodgesd@meta.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2024-08-12 18:09:48 -07:00
..
preload
arena.c bpf: Fix remap of arena. 2024-06-18 17:19:46 +02:00
arraymap.c bpf: Do not walk twice the map on free 2024-04-30 16:28:33 +02:00
bloom_filter.c
bpf_cgrp_storage.c
bpf_inode_storage.c
bpf_iter.c
bpf_local_storage.c bpf: fix order of args in call to bpf_map_kvcalloc 2024-07-10 15:31:19 -07:00
bpf_lru_list.c
bpf_lru_list.h
bpf_lsm.c bpf: Add security_file_post_open() LSM hook to sleepable_lsm_hooks 2024-06-21 19:55:57 +02:00
bpf_struct_ops.c bpf: Use precise image size for struct_ops trampoline 2024-07-01 17:10:46 +02:00
bpf_task_storage.c
btf.c bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o 2024-07-12 17:02:26 +02:00
cgroup_iter.c
cgroup.c
core.c bpf-next-for-netdev 2024-07-09 17:01:46 +02:00
cpumap.c net: Move flush list retrieval to where it is used. 2024-07-02 15:26:57 +02:00
cpumask.c bpf: Allow invoking kfuncs from BPF_PROG_TYPE_SYSCALL progs 2024-04-05 10:56:09 -07:00
crypto.c bpf: crypto: make state and IV dynptr nullable 2024-06-13 16:33:04 -07:00
devmap.c bpf-next-for-netdev 2024-07-09 17:01:46 +02:00
disasm.c
disasm.h
dispatcher.c
hashtab.c bpf: Do not walk twice the hash map on free 2024-04-30 16:28:46 +02:00
helpers.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2024-07-11 12:58:13 -07:00
inode.c
Kconfig bpf: remove CONFIG_BPF_JIT dependency on CONFIG_MODULES of 2024-05-14 00:36:29 -07:00
link_iter.c
local_storage.c
log.c bpf: remove redeclaration of new_n in bpf_verifier_vlog 2024-06-20 19:50:26 -07:00
lpm_trie.c
Makefile libbpf,bpf: Share BTF relocate-related code with kernel 2024-06-21 14:45:07 -07:00
map_in_map.c bpf: save extended inner map info for percpu array maps as well 2024-05-15 09:34:54 -07:00
map_in_map.h
map_iter.c
memalloc.c mm: remove CONFIG_MEMCG_KMEM 2024-07-10 12:14:54 -07:00
mmap_unlock_work.h
mprog.c
net_namespace.c
offload.c
percpu_freelist.c
percpu_freelist.h
prog_iter.c
queue_stack_maps.c
reuseport_array.c
ringbuf.c bpf: Fix overrunning reservations in ringbuf 2024-06-21 13:04:21 -07:00
stackmap.c
syscall.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
sysfs_btf.c btf: Avoid weak external references 2024-04-16 16:35:13 +02:00
task_iter.c bpf: Remove unnecessary loop in task_file_seq_get_next() 2024-07-08 16:23:19 +02:00
tcx.c
tnum.c
token.c
trampoline.c Networking changes for 6.10. 2024-05-14 19:42:24 -07:00
verifier.c bpf: Fix a kernel verifier crash in stacksafe() 2024-08-12 18:09:48 -07:00