bpf: fix missing error return in check_stack_boundary()

Prevent indirect stack accesses at non-constant addresses, which would permit reading and corrupting spilled pointers. Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
author: Jann Horn <jannh@google.com> 2017-12-18 20:11:57 -0800
committer: Daniel Borkmann <daniel@iogearbox.net> 2017-12-21 02:15:41 +0100
commit: ea25f914dc164c8d56b36147ecc86bc65f83c469 (patch)
tree: ae74d60039bef82d303017c162822f4fa8ddbf02 /kernel/bpf/verifier.c
parent: bpf: fix 32-bit ALU op verification (diff)
download: linux-dev-ea25f914dc164c8d56b36147ecc86bc65f83c469.tar.xz
linux-dev-ea25f914dc164c8d56b36147ecc86bc65f83c469.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ecdc265244ca..77e4b5223867 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
 		tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
 		verbose(env, "invalid variable stack read R%d var_off=%s\n",
 			regno, tn_buf);
+		return -EACCES;
 	}
 	off = regs[regno].off + regs[regno].var_off.value;
 	if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
author	Jann Horn <jannh@google.com>	2017-12-18 20:11:57 -0800
committer	Daniel Borkmann <daniel@iogearbox.net>	2017-12-21 02:15:41 +0100
commit	ea25f914dc164c8d56b36147ecc86bc65f83c469 (patch)
tree	ae74d60039bef82d303017c162822f4fa8ddbf02 /kernel/bpf/verifier.c
parent	bpf: fix 32-bit ALU op verification (diff)
download	linux-dev-ea25f914dc164c8d56b36147ecc86bc65f83c469.tar.xz linux-dev-ea25f914dc164c8d56b36147ecc86bc65f83c469.zip