git.ipfire.org Git - thirdparty/kernel/stable.git/commit
bpf: Fix variable length stack write over spilled pointers
author Alexei Starovoitov <ast@kernel.org>
Tue, 24 Mar 2026 21:59:36 +0000 (14:59 -0700)
committer Alexei Starovoitov <ast@kernel.org>
Wed, 25 Mar 2026 00:00:11 +0000 (17:00 -0700)
commit 4639eb9e30ab10c7935c7c19e872facf9a94713f
tree a97df9dcc8e8154433a9dad92f5a4351a175def0
parent 8ed82f807bb09d2c8455aaa665f2c6cb17bc6a19
bpf: Fix variable length stack write over spilled pointers

Scrub slots if variable-offset stack write goes over spilled pointers.
Otherwise is_spilled_reg() may == true && spilled_ptr.type == NOT_INIT
and valid program is rejected by check_stack_read_fixed_off()
with obscure "invalid size of register fill" message.

Fixes: 01f810ace9ed ("bpf: Allow variable-offset stack access")
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260324215938.81733-1-alexei.starovoitov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/verifier.c