Commit 1f240541 authored by Andrii Nakryiko's avatar Andrii Nakryiko Committed by Pu Lehui

bpf: handle fake register spill to stack with BPF_ST_MEM instruction

mainline inclusion
from mainline-v6.8-rc1
commit 482d548d40b0af9af730e4869903d4433e44f014
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IB2AQ3
CVE: CVE-2023-52920

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=482d548d40b0



--------------------------------

When verifier validates BPF_ST_MEM instruction that stores known
constant to stack (e.g., *(u64 *)(r10 - 8) = 123), it effectively spills
a fake register with a constant (but initially imprecise) value to
a stack slot. Because read-side logic treats it as a proper register
fill from stack slot, we need to mark such stack slot initialization as
INSN_F_STACK_ACCESS instruction to stop precision backtracking from
missing it.

Fixes: 41f6f64e6999 ("bpf: support non-r10 register spill/fill to/from stack in precision tracking")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20231209010958.66758-1-andrii@kernel.org


Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Conflicts:
	kernel/bpf/verifier.c
[The conflicts were due to some minor issue]
Signed-off-by: Pu Lehui <pulehui@huawei.com>
parent b3564a74
+0 −1
@@ -2718,7 +2718,6 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
		__mark_reg_known(&fake_reg, insn->imm);
		fake_reg.type = SCALAR_VALUE;
		save_register_state(state, spi, &fake_reg, size);
		insn_flags = 0; /* not a register spill */
	} else if (reg && is_spillable_regtype(reg->type)) {
		/* register containing pointer is being spilled into stack */
		if (size != BPF_REG_SIZE) {
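Review bot: dropping `insn_flags = 0; /* not a register spill */` also drops the only comment in this branch, so a reader of the fake-register path in check_stack_write_fixed_off() now sees `save_register_state(state, spi, &fake_reg, size);` followed directly by the `else if` and has to infer from the commit message that `insn_flags` is intentionally left at the value set above the hunk so the BPF_ST_MEM constant store is recorded as a stack access for precision backtracking. Suggest keeping a one-line comment in place of the removed line, e.g. `/* keep INSN_F_STACK_ACCESS: read side treats this like a register fill */`, so the intent survives without the history.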