Commit bed2eb9

Yonghong Song authored and Alexei Starovoitov committed
bpf: Fix a kernel verifier crash in stacksafe()
Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code:

    if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;

The 'i' iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack, the out-of-bounds access will happen.

To fix the issue, add an 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, the cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.

Fixes: 2793a8b ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman <[email protected]>
Reported-by: Daniel Hodges <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
Signed-off-by: Yonghong Song <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
1 parent fdad456 commit bed2eb9

1 file changed

+3
-2
lines changed

kernel/bpf/verifier.c

Lines changed: 3 additions & 2 deletions
@@ -16884,8 +16884,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
1688416884
spi = i / BPF_REG_SIZE;
1688516885

1688616886
if (exact != NOT_EXACT &&
16887-
old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
16888-
cur->stack[spi].slot_type[i % BPF_REG_SIZE])
16887+
(i >= cur->allocated_stack ||
16888+
old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
16889+
cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
1688916890
return false;
1689016891

1689116892
if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)
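Review bot: the new `i >= cur->allocated_stack` test only protects the `cur->stack[spi]` dereference because it is the first operand of the `||` and short-circuits, and nothing in the hunk records why the bound is needed; since the loop runs to old->allocated_stack (per the commit message), cur can be the shorter of the two states. Suggest a one-line comment above the condition, such as `/* cur may have fewer allocated slots than old; treat as not equivalent */`, so a later reordering of the operands does not silently reintroduce the out-of-bounds read. Returning false here is the conservative direction for an equivalence helper: the verifier keeps exploring the current state instead of pruning it, at the cost of extra verification work rather than a wrong pruning decision.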
