Yonghong Song bed2eb964c bpf: Fix a kernel verifier crash in stacksafe() ...

Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.

To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <eddyz87@gmail.com>
Reported-by: Daniel Hodges <hodgesd@meta.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

2024-08-12 18:09:48 -07:00

..

preload

bpf: make preloaded map iterators to display map elements count

2023-07-06 12:42:25 -07:00

arena.c

bpf: Fix remap of arena.

2024-06-18 17:19:46 +02:00

arraymap.c

bpf: Do not walk twice the map on free

2024-04-30 16:28:33 +02:00

bloom_filter.c

bpf: Check bloom filter map value size

2024-03-27 09:56:17 -07:00

bpf_cgrp_storage.c

bpf: Enable bpf_cgrp_storage for cgroup1 non-attach case

2023-12-08 17:08:18 -08:00

bpf_inode_storage.c

Networking changes for 6.4.

2023-04-26 16:07:23 -07:00

bpf_iter.c

bpf: move sleepable flag from bpf_prog_aux to bpf_prog

2024-03-11 16:41:25 -07:00

bpf_local_storage.c

bpf: fix order of args in call to bpf_map_kvcalloc

2024-07-10 15:31:19 -07:00

bpf_lru_list.c

bpf: Address KCSAN report on bpf_lru_list

2023-05-12 12:01:03 -07:00

bpf_lru_list.h

bpf: lru: Remove unused declaration bpf_lru_promote()

2023-08-08 17:21:42 -07:00

bpf_lsm.c

bpf: Add security_file_post_open() LSM hook to sleepable_lsm_hooks

2024-06-21 19:55:57 +02:00

bpf_struct_ops.c

bpf: Use precise image size for struct_ops trampoline

2024-07-01 17:10:46 +02:00

bpf_task_storage.c

bpf: Teach verifier that certain helpers accept NULL pointer.

2023-04-04 16:57:16 -07:00

btf.c

bpf: Eliminate remaining "make W=1" warnings in kernel/bpf/btf.o

2024-07-12 17:02:26 +02:00

cgroup_iter.c

bpf: Let verifier consider {task,cgroup} is trusted in bpf_iter_reg

2023-11-07 15:24:25 -08:00

cgroup.c

bpf: Allow helper bpf_get_[ns_]current_pid_tgid() for all prog types

2024-03-19 14:24:07 -07:00

core.c

bpf-next-for-netdev

2024-07-09 17:01:46 +02:00

cpumap.c

net: Move flush list retrieval to where it is used.

2024-07-02 15:26:57 +02:00

cpumask.c

bpf: Allow invoking kfuncs from BPF_PROG_TYPE_SYSCALL progs

2024-04-05 10:56:09 -07:00

crypto.c

bpf: crypto: make state and IV dynptr nullable

2024-06-13 16:33:04 -07:00

devmap.c

bpf-next-for-netdev

2024-07-09 17:01:46 +02:00

disasm.c

bpf: add special internal-only MOV instruction to resolve per-CPU addrs

2024-04-03 10:29:55 -07:00

disasm.h

bpf: Relicense disassembler as GPL-2.0-only OR BSD-2-Clause

2021-09-02 14:49:23 +02:00

dispatcher.c

bpf: Use arch_bpf_trampoline_size

2023-12-06 17:17:20 -08:00

hashtab.c

bpf: Do not walk twice the hash map on free

2024-04-30 16:28:46 +02:00

helpers.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2024-07-11 12:58:13 -07:00

inode.c

bpf: Support symbolic BPF FS delegation mount options

2024-01-24 16:21:02 -08:00

Kconfig

bpf: remove CONFIG_BPF_JIT dependency on CONFIG_MODULES of

2024-05-14 00:36:29 -07:00

link_iter.c

bpf: Add bpf_link iterator

2022-05-10 11:20:45 -07:00

local_storage.c

cgroup changes for v6.4-rc1

2023-04-29 10:05:22 -07:00

log.c

bpf: remove redeclaration of new_n in bpf_verifier_vlog

2024-06-20 19:50:26 -07:00

lpm_trie.c

bpf: Avoid kfree_rcu() under lock in bpf_lpm_trie.

2024-03-29 11:10:41 -07:00

Makefile

libbpf,bpf: Share BTF relocate-related code with kernel

2024-06-21 14:45:07 -07:00

map_in_map.c

bpf: save extended inner map info for percpu array maps as well

2024-05-15 09:34:54 -07:00

map_in_map.h

bpf: Add map and need_defer parameters to .map_fd_put_ptr()

2023-12-04 17:50:26 -08:00

map_iter.c

bpf: treewide: Annotate BPF kfuncs in BTF

2024-01-31 20:40:56 -08:00

memalloc.c

mm: remove CONFIG_MEMCG_KMEM

2024-07-10 12:14:54 -07:00

mmap_unlock_work.h

bpf: Introduce helper bpf_find_vma

2021-11-07 11:54:51 -08:00

mprog.c

bpf: Handle bpf_mprog_query with NULL entry

2023-10-06 17:11:20 -07:00

net_namespace.c

net: Add includes masked by netdevice.h including uapi/bpf.h

2021-12-29 20:03:05 -08:00

offload.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net

2023-09-21 21:49:45 +02:00

percpu_freelist.c

bpf: Initialize same number of free nodes for each pcpu_freelist

2022-11-11 12:05:14 -08:00

percpu_freelist.h

bpf: Use raw_spin_trylock() for pcpu_freelist_push/pop in NMI

2020-10-06 00:04:11 +02:00

prog_iter.c

bpf: Refactor bpf_iter_reg to have separate seq_info member

2020-07-25 20:16:32 -07:00

queue_stack_maps.c

bpf: Avoid deadlock when using queue and stack maps from NMI

2023-09-11 19:04:49 -07:00

reuseport_array.c

bpf: Centralize permissions checks for all BPF map types

2023-06-19 14:04:04 +02:00

ringbuf.c

bpf: Fix overrunning reservations in ringbuf

2024-06-21 13:04:21 -07:00

stackmap.c

bpf: Fix stackmap overflow check on 32-bit arches

2024-03-07 20:06:25 -08:00

syscall.c

sysctl: treewide: constify the ctl_table argument of proc_handlers

2024-07-24 20:59:29 +02:00

sysfs_btf.c

btf: Avoid weak external references

2024-04-16 16:35:13 +02:00

task_iter.c

bpf: Remove unnecessary loop in task_file_seq_get_next()

2024-07-08 16:23:19 +02:00

tcx.c

bpf, tcx: Get rid of tcx_link_const

2023-10-23 15:01:53 -07:00

tnum.c

bpf: simplify tnum output if a fully known constant

2023-12-02 11:36:51 -08:00

token.c

bpf,token: Use BIT_ULL() to convert the bit mask

2024-01-29 20:04:55 -08:00

trampoline.c

Networking changes for 6.10.

2024-05-14 19:42:24 -07:00

verifier.c

bpf: Fix a kernel verifier crash in stacksafe()

2024-08-12 18:09:48 -07:00