bpf: Fix kfunc callback register type handling

The kfunc code to handle KF_ARG_PTR_TO_CALLBACK does not check the reg type before using reg->subprogno. This can accidently permit invalid pointers from being passed into callback helpers (e.g. silently from different paths). Likewise, reg->subprogno from the per-register type union may not be meaningful either. We need to reject any other type except PTR_TO_FUNC. Acked-by: Dave Marchevsky <[email protected]> Fixes: 5d92ddc3de1b ("bpf: Add callback validation to kfunc verifier logic") Signed-off-by: Kumar Kartikeya Dwivedi <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Alexei Starovoitov <[email protected]>
author: Kumar Kartikeya Dwivedi <[email protected]> 2023-09-13 01:32:10 +0200
committer: Alexei Starovoitov <[email protected]> 2023-09-16 09:36:43 -0700
commit: 06d686f771ddc27a8554cd8f5b22e071040dc90e (patch)
tree: cf207fd0455d4abeaf94b3322bc782336cfd612f
parent: fd548e1a46185000191a89cae4be560e076ed6c7 (diff)
1 files changed, 4 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 5ccb50fd74e5..a7178ecf676d 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -11407,6 +11407,10 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_
 			break;
 		}
 		case KF_ARG_PTR_TO_CALLBACK:
+			if (reg->type != PTR_TO_FUNC) {
+				verbose(env, "arg%d expected pointer to func\n", i);
+				return -EINVAL;
+			}
 			meta->subprogno = reg->subprogno;
 			break;
 		case KF_ARG_PTR_TO_REFCOUNTED_KPTR:
author	Kumar Kartikeya Dwivedi <[email protected]>	2023-09-13 01:32:10 +0200
committer	Alexei Starovoitov <[email protected]>	2023-09-16 09:36:43 -0700
commit	06d686f771ddc27a8554cd8f5b22e071040dc90e (patch)
tree	cf207fd0455d4abeaf94b3322bc782336cfd612f
parent	fd548e1a46185000191a89cae4be560e076ed6c7 (diff)