!12870 Fix CVE-2024-47703

 */

struct bpf_insn_access_aux {

	enum bpf_reg_type reg_type;

	bool is_retval; /* is accessing function return value ? */

	union {

		int ctx_field_size;

		u32 btf_id;

#define _LINUX_BPF_LSM_H

#include <linux/bpf.h>

#include <linux/bpf_verifier.h>

#include <linux/lsm_hooks.h>

#ifdef CONFIG_BPF_LSM

extern const struct bpf_func_proto bpf_inode_storage_delete_proto;

void bpf_inode_storage_free(struct inode *inode);

int bpf_lsm_get_retval_range(const struct bpf_prog *prog,

			     struct bpf_retval_range *range);

#else /* !CONFIG_BPF_LSM */

static inline int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,

{

}

static inline int bpf_lsm_get_retval_range(const struct bpf_prog *prog,

					   struct bpf_retval_range *range)

{

	return -EOPNOTSUPP;

}

#endif /* CONFIG_BPF_LSM */

#endif /* _LINUX_BPF_LSM_H */

	int insn_idx;

};

struct bpf_retval_range {

	s32 minval;

	s32 maxval;

};

/* state of the program:

 * type of all registers and stack info

 */

#include <linux/lsm_hooks.h>

#include <linux/bpf_lsm.h>

#include <linux/kallsyms.h>

#include <linux/bpf_verifier.h>

#include <net/bpf_sk_storage.h>

#include <linux/bpf_local_storage.h>

#include <linux/btf_ids.h>

#undef LSM_HOOK

BTF_SET_END(bpf_lsm_hooks)

BTF_SET_START(bpf_lsm_disabled_hooks)

BTF_ID(func, bpf_lsm_vm_enough_memory)

BTF_ID(func, bpf_lsm_inode_need_killpriv)

BTF_ID(func, bpf_lsm_inode_getsecurity)

BTF_ID(func, bpf_lsm_inode_listsecurity)

BTF_ID(func, bpf_lsm_inode_copy_up_xattr)

BTF_ID(func, bpf_lsm_getprocattr)

BTF_ID(func, bpf_lsm_setprocattr)

#ifdef CONFIG_KEYS

BTF_ID(func, bpf_lsm_key_getsecurity)

#endif

#ifdef CONFIG_AUDIT

BTF_ID(func, bpf_lsm_audit_rule_match)

#endif

BTF_ID(func, bpf_lsm_ismaclabel)

BTF_SET_END(bpf_lsm_disabled_hooks)

int bpf_lsm_verify_prog(struct bpf_verifier_log *vlog,

			const struct bpf_prog *prog)

{

	u32 btf_id = prog->aux->attach_btf_id;

	const char *func_name = prog->aux->attach_func_name;

	if (!prog->gpl_compatible) {

		bpf_log(vlog,

			"LSM programs must have a GPL compatible license\n");

		return -EINVAL;

	}

	if (!btf_id_set_contains(&bpf_lsm_hooks, prog->aux->attach_btf_id)) {

	if (btf_id_set_contains(&bpf_lsm_disabled_hooks, btf_id)) {

		bpf_log(vlog, "attach_btf_id %u points to disabled hook %s\n",

			btf_id, func_name);

		return -EINVAL;

	}

	if (!btf_id_set_contains(&bpf_lsm_hooks, btf_id)) {

		bpf_log(vlog, "attach_btf_id %u points to wrong type name %s\n",

			prog->aux->attach_btf_id, prog->aux->attach_func_name);

			btf_id, func_name);

		return -EINVAL;

	}

	.get_func_proto = bpf_lsm_func_proto,

	.is_valid_access = btf_ctx_access,

};

/* hooks return 0 or 1 */

BTF_SET_START(bool_lsm_hooks)

#ifdef CONFIG_SECURITY_NETWORK_XFRM

BTF_ID(func, bpf_lsm_xfrm_state_pol_flow_match)

#endif

#ifdef CONFIG_AUDIT

BTF_ID(func, bpf_lsm_audit_rule_known)

#endif

BTF_SET_END(bool_lsm_hooks)

int bpf_lsm_get_retval_range(const struct bpf_prog *prog,

			     struct bpf_retval_range *retval_range)

{

	/* no return value range for void hooks */

	if (!prog->aux->attach_func_proto->type)

		return -EINVAL;

	if (btf_id_set_contains(&bool_lsm_hooks, prog->aux->attach_btf_id)) {

		retval_range->minval = 0;

		retval_range->maxval = 1;

	} else {

		/* All other available LSM hooks, except task_prctl, return 0

		 * on success and negative error code on failure.

		 * To keep things simple, we only allow bpf progs to return 0

		 * or negative errno for task_prctl too.

		 */

		retval_range->minval = -MAX_ERRNO;

		retval_range->maxval = 0;

	}

	return 0;

}

	if (arg == nr_args) {

		switch (prog->expected_attach_type) {

		case BPF_LSM_MAC:

			/* mark we are accessing the return value */

			info->is_retval = true;

			fallthrough;

		case BPF_TRACE_FEXIT:

			/* When LSM programs are attached to void LSM hooks

			 * they use FEXIT trampolines and when attached to