diff options
| author | Yonghong Song <[email protected]> | 2024-08-12 14:48:47 -0700 |
|---|---|---|
| committer | Alexei Starovoitov <[email protected]> | 2024-08-12 18:09:48 -0700 |
| commit | bed2eb964c70b780fb55925892a74f26cb590b25 (patch) | |
| tree | 6b3b06cd087a165a9985ba6a859f43b7684291f7 /tools/testing/selftests/bpf/prog_tests/autoload.c | |
| parent | fdad456cbcca739bae1849549c7a999857c56f88 (diff) | |
bpf: Fix a kernel verifier crash in stacksafe()
Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:
if (exact != NOT_EXACT &&
old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
cur->stack[spi].slot_type[i % BPF_REG_SIZE])
return false;
The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.
To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.
Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <[email protected]>
Reported-by: Daniel Hodges <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
Signed-off-by: Yonghong Song <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
Diffstat (limited to 'tools/testing/selftests/bpf/prog_tests/autoload.c')
0 files changed, 0 insertions, 0 deletions