bpf, arm64: Fix address emission with tag-based KASAN enabled - kernel/linux.git

diff options

author	Peter Collingbourne <pcc@google.com>	2024-10-19 01:16:43 +0300
committer	Daniel Borkmann <daniel@iogearbox.net>	2024-10-21 10:45:19 +0300
commit	a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c (patch)
tree	5668871970319f32316371b04f4901a4de763629 /tools/perf/scripts/python/exported-sql-viewer.py
parent	42f7652d3eb527d03665b09edac47f85fb600924 (diff)
download	linux-a552e2ef5fd1a6c78267cd4ec5a9b49aa11bbb1c.tar.xz

bpf, arm64: Fix address emission with tag-based KASAN enabled

When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image struct on the stack is passed during the size calculation pass and an address on the heap is passed during code generation. This may cause a heap buffer overflow if the heap address is tagged because emit_a64_mov_i64() will emit longer code than it did during the size calculation pass. The same problem could occur without tag-based KASAN if one of the 16-bit words of the stack address happened to be all-ones during the size calculation pass. Fix the problem by assuming the worst case (4 instructions) when calculating the size of the bpf_tramp_image address emission. Fixes: 19d3c179a377 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG") Signed-off-by: Peter Collingbourne <pcc@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Xu Kuohai <xukuohai@huawei.com> Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c Link: https://lore.kernel.org/bpf/20241018221644.3240898-1-pcc@google.com

Diffstat (limited to 'tools/perf/scripts/python/exported-sql-viewer.py')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: