git.ipfire.org Git - thirdparty/linux.git/commit

author	Jann Horn <jannh@google.com>
	Fri, 17 Apr 2020 00:00:07 +0000 (02:00 +0200)
committer	Alexei Starovoitov <ast@kernel.org>
	Tue, 21 Apr 2020 01:41:34 +0000 (18:41 -0700)
commit	8ff3571f7e1bf3f293cc5e3dc14f2943f4fa7fcf
tree	d1f5c6273b9160b4a90058afdd0271063f610a4c	tree \| snapshot
parent	6e7e63cbb023976d828cdb22422606bf77baa8a9	commit \| diff

bpf: Fix handling of XADD on BTF memory

check_xadd() can cause check_ptr_to_btf_access() to be executed with
atype==BPF_READ and value_regno==-1 (meaning "just check whether the access
is okay, don't tell me what type it will result in").
Handle that case properly and skip writing type information, instead of
indexing into the registers at index -1 and writing into out-of-bounds
memory.

Note that at least at the moment, you can't actually write through a BTF
pointer, so check_xadd() will reject the program after calling
check_ptr_to_btf_access with atype==BPF_WRITE; but that's after the
verifier has already corrupted memory.

This patch assumes that BTF pointers are not available in unprivileged
programs.

Fixes: 9e15db66136a ("bpf: Implement accurate raw_tp context access via BTF")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200417000007.10734-2-jannh@google.com