Commit 91f6b051 authored by Daniel Borkmann's avatar Daniel Borkmann Committed by Zheng Zengkai

bpf: Generalize check_ctx_reg for reuse with other types

mainline inclusion
from mainline-v5.17-rc1
commit be80a1d3
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I4WT90
CVE: CVE-2021-4204

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=be80a1d3f9dbe5aee79a325964f7037fe2d92f30



--------------------------------

Generalize the check_ctx_reg() helper function into a more generic named one
so that it can be reused for other register types as well to check whether
their offset is non-zero. No functional change.

Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Conflicts:
	include/linux/bpf_verifier.h
	kernel/bpf/btf.c
Signed-off-by: default avatarPu Lehui <pulehui@huawei.com>
Reviewed-by: default avatarKuohai Xu <xukuohai@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent bf00d9ad
+2 −2
@@ -469,7 +469,7 @@ bpf_prog_offload_replace_insn(struct bpf_verifier_env *env, u32 off,
void
bpf_prog_offload_remove_insns(struct bpf_verifier_env *env, u32 off, u32 cnt);

int check_ctx_reg(struct bpf_verifier_env *env,
int check_ptr_off_reg(struct bpf_verifier_env *env,
		      const struct bpf_reg_state *reg, int regno);

/* this lives here instead of in bpf.h because it needs to dereference tgt_prog */
+1 −1
@@ -5207,7 +5207,7 @@ int btf_check_func_arg_match(struct bpf_verifier_env *env, int subprog,
						i, btf_kind_str[BTF_INFO_KIND(t->info)]);
					goto out;
				}
				if (check_ctx_reg(env, &reg[i + 1], i + 1))
				if (check_ptr_off_reg(env, &reg[i + 1], i + 1))
					goto out;
				continue;
			}
+11 −10
@@ -3359,16 +3359,16 @@ static int get_callee_stack_depth(struct bpf_verifier_env *env,
}
#endif

int check_ctx_reg(struct bpf_verifier_env *env,
int check_ptr_off_reg(struct bpf_verifier_env *env,
		      const struct bpf_reg_state *reg, int regno)
{
	/* Access to ctx or passing it to a helper is only allowed in
	 * its original, unmodified form.
	/* Access to this pointer-typed register or passing it to a helper
	 * is only allowed in its original, unmodified form.
	 */

	if (reg->off) {
		verbose(env, "dereference of modified ctx ptr R%d off=%d disallowed\n",
			regno, reg->off);
		verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n",
			reg_type_str(env, reg->type), regno, reg->off);
		return -EACCES;
	}

@@ -3376,7 +3376,8 @@ int check_ctx_reg(struct bpf_verifier_env *env,
		char tn_buf[48];

		tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
		verbose(env, "variable ctx access var_off=%s disallowed\n", tn_buf);
		verbose(env, "variable %s access var_off=%s disallowed\n",
			reg_type_str(env, reg->type), tn_buf);
		return -EACCES;
	}

@@ -3814,7 +3815,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
			return -EACCES;
		}

		err = check_ctx_reg(env, reg, regno);
		err = check_ptr_off_reg(env, reg, regno);
		if (err < 0)
			return err;

@@ -4533,7 +4534,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
		return err;

	if (type == PTR_TO_CTX) {
		err = check_ctx_reg(env, reg, regno);
		err = check_ptr_off_reg(env, reg, regno);
		if (err < 0)
			return err;
	}
@@ -8301,7 +8302,7 @@ static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
			return err;
	}

	err = check_ctx_reg(env, &regs[ctx_reg], ctx_reg);
	err = check_ptr_off_reg(env, &regs[ctx_reg], ctx_reg);
	if (err < 0)
		return err;