bpf: Fix a kernel verifier crash in stacksafe() - kernel/linux.git

diff options

author	Yonghong Song <yonghong.song@linux.dev>	2024-08-13 00:48:47 +0300
committer	Alexei Starovoitov <ast@kernel.org>	2024-08-13 04:09:48 +0300
commit	bed2eb964c70b780fb55925892a74f26cb590b25 (patch)
tree	6b3b06cd087a165a9985ba6a859f43b7684291f7 /tools
parent	fdad456cbcca739bae1849549c7a999857c56f88 (diff)
download	linux-bed2eb964c70b780fb55925892a74f26cb590b25.tar.xz

bpf: Fix a kernel verifier crash in stacksafe()

Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The 'i' iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") Cc: Eduard Zingerman <eddyz87@gmail.com> Reported-by: Daniel Hodges <hodgesd@meta.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Signed-off-by: Yonghong Song <yonghong.song@linux.dev> Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Diffstat (limited to 'tools')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: