git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Yonghong Song <yonghong.song@linux.dev>
	Mon, 12 Aug 2024 21:48:47 +0000 (14:48 -0700)
committer	Alexei Starovoitov <ast@kernel.org>
	Tue, 13 Aug 2024 01:09:48 +0000 (18:09 -0700)
commit	bed2eb964c70b780fb55925892a74f26cb590b25
tree	6b3b06cd087a165a9985ba6a859f43b7684291f7	tree
parent	fdad456cbcca739bae1849549c7a999857c56f88	commit \| diff

bpf: Fix a kernel verifier crash in stacksafe()

Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.

To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <eddyz87@gmail.com>
Reported-by: Daniel Hodges <hodgesd@meta.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov <ast@kernel.org>