git.baikalelectronics.ru Git - kernel.git/commit

author	Martin KaFai Lau <kafai@fb.com>
	Tue, 2 Nov 2021 06:45:35 +0000 (23:45 -0700)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Wed, 3 Nov 2021 14:46:46 +0000 (15:46 +0100)
commit	cca8c56edab1cf64ed29a36c31e3f923ee8b6558
tree	169aa41553126c12b1e8e5c36812f951c1b1607e	tree \| snapshot
parent	b96dc33383b900f1c0b14bbda9090de1b79b6eea	commit \| diff

bpf: Do not reject when the stack read size is different from the tracked scalar size

Below is a simplified case from a report in bcc [0]:

  r4 = 20
  *(u32 *)(r10 -4) = r4
  *(u32 *)(r10 -8) = r4  /* r4 state is tracked */
  r4 = *(u64 *)(r10 -8)  /* Read more than the tracked 32bit scalar.
  * verifier rejects as 'corrupted spill memory'.
  */

After commit 645b4075d71b ("bpf: Support <8-byte scalar spill and refill"),
the 8-byte aligned 32bit spill is also tracked by the verifier and the
register state is stored.

However, if 8 bytes are read from the stack instead of the tracked 4 byte
scalar, then verifier currently rejects the program as "corrupted spill
memory". This patch fixes this case by allowing it to read but marks the
register as unknown.

Also note that, if the prog is trying to corrupt/leak an earlier spilled
pointer by spilling another <8 bytes register on top, this has already
been rejected in the check_stack_write_fixed_off().

  [0] https://github.com/iovisor/bcc/pull/3683

Fixes: 645b4075d71b ("bpf: Support <8-byte scalar spill and refill")
Reported-by: Hengqi Chen <hengqi.chen@gmail.com>
Reported-by: Yonghong Song <yhs@gmail.com>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Hengqi Chen <hengqi.chen@gmail.com>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20211102064535.316018-1-kafai@fb.com