| author | Yonghong Song <yonghong.song@linux.dev> | 2026-05-16 01:50:40 +0300 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2026-05-17 03:46:16 +0300 |
| commit | 4286f5deee14b26a9f0447b566d4c7cb7e2e2702 (patch) | |
| tree | 53ae605bc4f2d5d9a85c9e437ec716ebbd3c0577 /include/linux | |
| parent | c8993263ffd3831c96f258ca76e59303122a47bb (diff) | |
| download | linux-4286f5deee14b26a9f0447b566d4c7cb7e2e2702.tar.xz | |
bpf: Validate outgoing stack args when btf_prepare_func_args fails

btf_prepare_func_args() sets sub->arg_cnt before validating arg types.
If validation fails (e.g. unsupported pointer type in a static subprog),
check_outgoing_stack_args() is skipped because btf_check_func_arg_match()
returns early. For static subprogs, check_func_call() ignores non-EFAULT
errors and proceeds with the call.

This causes the callee to read stack arg slots that the caller never
stored or did not initialize, potentially dereferencing NULL caller->stack_arg_regs
or getting an uninitialized value.

To fix the issue, when btf_prepare_func_args() fails and the subprog expects
stack args, call check_outgoing_stack_args() to verify the caller initialized
the slots. Return -EFAULT on failure so the error is not ignored.

Fixes: 3ab5bd317ee2 ("bpf: Set sub->arg_cnt earlier in btf_prepare_func_args()")
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20260515225040.821515-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'include/linux')
0 files changed, 0 insertions, 0 deletions
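
The control flow the commit message describes, as a simplified user-space model added here; it is not kernel code and not part of this patch. All `model_*` names, the struct layouts, the -EINVAL validation error and the rule that arguments beyond R1-R5 occupy stack slots are assumptions made for illustration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#define MODEL_REG_ARGS 5 /* assumption: args beyond R1-R5 use stack slots */

struct model_subprog { int arg_cnt; bool unsupported_arg; };
struct model_caller { const bool *slot_init; int nr_slots; }; /* NULL: nothing stored */

/* Sets arg_cnt first, validates arg types afterwards (order from the commit message). */
static int model_prepare_func_args(struct model_subprog *sub, int nargs)
{
	sub->arg_cnt = nargs;
	return sub->unsupported_arg ? -EINVAL : 0; /* -EINVAL is an assumed error code */
}

/* Every stack slot the callee will read must have been stored by the caller. */
static int model_check_outgoing_stack_args(const struct model_caller *c, int arg_cnt)
{
	int need = arg_cnt - MODEL_REG_ARGS;
	if (need > 0 && (!c->slot_init || c->nr_slots < need))
		return -EFAULT;
	for (int i = 0; i < need; i++)
		if (!c->slot_init[i])
			return -EFAULT;
	return 0;
}

/* Static-subprog call check; returns 0 when the call is accepted. */
int model_check_func_call(struct model_subprog *sub, const struct model_caller *c,
			  int nargs, bool fixed)
{
	int err = model_prepare_func_args(sub, nargs);
	if (!err) /* normal path: slots are always checked */
		err = model_check_outgoing_stack_args(c, sub->arg_cnt);
	else if (fixed && sub->arg_cnt > MODEL_REG_ARGS &&
		 model_check_outgoing_stack_args(c, sub->arg_cnt))
		err = -EFAULT; /* the fix: escalate so the caller cannot ignore it */
	return err == -EFAULT ? err : 0; /* non-EFAULT errors are ignored */
}

int main(void)
{
	struct model_subprog sub = { .unsupported_arg = true };
	struct model_caller caller = { NULL, 0 }; /* constructed: no slots stored */
	printf("before fix: %d\n", model_check_func_call(&sub, &caller, 7, false));
	printf("after fix:  %d\n", model_check_func_call(&sub, &caller, 7, true));
	return 0;
}
```

With `fixed` false the model accepts a seven-argument call whose stack slots were never stored; with `fixed` true the same call is rejected with -EFAULT, while a call whose slots are all initialized is still accepted despite the type-validation error.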
