diff options
| author |   Alexei Starovoitov <ast@kernel.org> | 2024-12-04 09:19:50 -0800 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2024-12-04 09:19:51 -0800 |
| commit | e2cf913314b9543f4479788443c7e9009c6c56d8 (patch) | |
| tree | 946a937b0d54c465efe576bd77e6e1676345d25b /kernel | |
| parent | samples/bpf: Remove unnecessary -I flags from libbpf EXTRA_CFLAGS (diff) | |
| parent | selftests/bpf: Add test for narrow spill into 64-bit spilled scalar (diff) | |
| download | wireguard-linux-e2cf913314b9543f4479788443c7e9009c6c56d8.tar.xz wireguard-linux-e2cf913314b9543f4479788443c7e9009c6c56d8.zip | |
Merge branch 'fixes-for-stack-with-allow_ptr_leaks'
Kumar Kartikeya Dwivedi says:
====================
Fixes for stack with allow_ptr_leaks
Two fixes for usability/correctness gaps when interacting with the stack
without CAP_PERFMON (i.e. with allow_ptr_leaks = false). See the commits
for details. I've verified that the tests fail when run without the fixes.
Changelog:
----------
v3 -> v4
v3: https://lore.kernel.org/bpf/20241202083814.1888784-1-memxor@gmail.com
* Address Andrii's comments
* Fix bug paperered over by missing CAP_NET_ADMIN in verifier_mtu
test
* Add warning when undefined CAP_ constant is specified, and fail
test
* Reorder annotations to be more clear
* Verify that fixes fail without patches again
* Add Acked-by from Andrii
v2 -> v3
v2: https://lore.kernel.org/bpf/20241127212026.3580542-1-memxor@gmail.com
* Address comments from Eduard
* Fix comment for mark_stack_slot_misc
* We can simply always return early when stype == STACK_INVALID
* Drop allow_ptr_leaks conditionals
* Add Eduard's __caps_unpriv patch into the series
* Convert test_verifier_mtu to use it
* Move existing tests to __caps_unpriv annotation and verifier_spill_fill.c
* Add Acked-by from Eduard
v1 -> v2
v1: https://lore.kernel.org/bpf/20241127185135.2753982-1-memxor@gmail.com
* Fix CI errors in selftest by removing dependence on BPF_ST
====================
Link: https://patch.msgid.link/20241204044757.1483141-1-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/bpf/verifier.c | 10 |
1 files changed, 7 insertions, 3 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 2fd35465d650..01fbef9576e0 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1202,14 +1202,17 @@ static bool is_spilled_scalar_reg64(const struct bpf_stack_state *stack) /* Mark stack slot as STACK_MISC, unless it is already STACK_INVALID, in which * case they are equivalent, or it's STACK_ZERO, in which case we preserve * more precise STACK_ZERO. - * Note, in uprivileged mode leaving STACK_INVALID is wrong, so we take - * env->allow_ptr_leaks into account and force STACK_MISC, if necessary. + * Regardless of allow_ptr_leaks setting (i.e., privileged or unprivileged + * mode), we won't promote STACK_INVALID to STACK_MISC. In privileged case it is + * unnecessary as both are considered equivalent when loading data and pruning, + * in case of unprivileged mode it will be incorrect to allow reads of invalid + * slots. */ static void mark_stack_slot_misc(struct bpf_verifier_env *env, u8 *stype) { if (*stype == STACK_ZERO) return; - if (env->allow_ptr_leaks && *stype == STACK_INVALID) + if (*stype == STACK_INVALID) return; *stype = STACK_MISC; } @@ -4700,6 +4703,7 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env, */ if (!env->allow_ptr_leaks && is_spilled_reg(&state->stack[spi]) && + !is_spilled_scalar_reg(&state->stack[spi]) && size != BPF_REG_SIZE) { verbose(env, "attempt to corrupt spilled pointer on stack\n"); return -EACCES; |