Commit f5e477a8 authored by Kumar Kartikeya Dwivedi's avatar Kumar Kartikeya Dwivedi Committed by Alexei Starovoitov
Browse files

bpf: Fix slot type check in check_stack_write_var_off 



For the case where allow_ptr_leaks is false, code is checking whether
slot type is STACK_INVALID and STACK_SPILL and rejecting other cases.
This is a consequence of incorrectly checking for register type instead
of the slot type (NOT_INIT and SCALAR_VALUE respectively). Fix the
check.

Fixes: 01f810ac ("bpf: Allow variable-offset stack access")
Signed-off-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20221103191013.1236066-5-memxor@gmail.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 261f4664

kernel/bpf/verifier.c

+11 −8
Original line number Diff line number Diff line
@@ -3181,14 +3181,17 @@ static int check_stack_write_var_off(struct bpf_verifier_env *env, 
		stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];

		mark_stack_slot_scratched(env, spi);



		if (!env->allow_ptr_leaks

				&& *stype != NOT_INIT

				&& *stype != SCALAR_VALUE) {

			/* Reject the write if there's are spilled pointers in

			 * range. If we didn't reject here, the ptr status

			 * would be erased below (even though not all slots are

			 * actually overwritten), possibly opening the door to

			 * leaks.

		if (!env->allow_ptr_leaks && *stype != STACK_MISC && *stype != STACK_ZERO) {

			/* Reject the write if range we may write to has not

			 * been initialized beforehand. If we didn't reject

			 * here, the ptr status would be erased below (even

			 * though not all slots are actually overwritten),

			 * possibly opening the door to leaks.

			 *

			 * We do however catch STACK_INVALID case below, and

			 * only allow reading possibly uninitialized memory

			 * later for CAP_PERFMON, as the write may not happen to

			 * that slot.

			 */

			verbose(env, "spilled ptr in range of var-offset stack write; insn %d, ptr off: %d",

				insn_idx, i);