Commit 18752d7
bpf: Improve check_raw_mode_ok test for MEM_UNINIT-tagged types
When checking malformed helper function signatures, also take other argument
types into account aside from just ARG_PTR_TO_UNINIT_MEM.
This concerns (formerly) ARG_PTR_TO_{INT,LONG} given uninitialized memory can
be passed there, too.
The func proto sanity check goes back to commit 435faee ("bpf, verifier:
add ARG_PTR_TO_RAW_STACK type"), and its purpose was to detect wrong func protos
which had more than just one MEM_UNINIT-tagged type as arguments.
The reason more than one is currently not supported is as we mark stack slots with
STACK_MISC in check_helper_call() in case of raw mode based on meta.access_size to
allow uninitialized stack memory to be passed to helpers when they just write into
the buffer.
Probing for base type as well as MEM_UNINIT tagging ensures that other types do not
get missed (as it used to be the case for ARG_PTR_TO_{INT,LONG}).
Fixes: 57c3bb7 ("bpf: Introduce ARG_PTR_TO_{INT,LONG} arg types")
Reported-by: Shung-Hsi Yu <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Andrii Nakryiko <[email protected]>
Acked-by: Shung-Hsi Yu <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>1 parent 32556ce commit 18752d7
1 file changed
+11
-5
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
8291 | 8291 | | |
8292 | 8292 | | |
8293 | 8293 | | |
| 8294 | + | |
| 8295 | + | |
| 8296 | + | |
| 8297 | + | |
| 8298 | + | |
| 8299 | + | |
8294 | 8300 | | |
8295 | 8301 | | |
8296 | 8302 | | |
| |||
9340 | 9346 | | |
9341 | 9347 | | |
9342 | 9348 | | |
9343 | | - | |
| 9349 | + | |
9344 | 9350 | | |
9345 | | - | |
| 9351 | + | |
9346 | 9352 | | |
9347 | | - | |
| 9353 | + | |
9348 | 9354 | | |
9349 | | - | |
| 9355 | + | |
9350 | 9356 | | |
9351 | | - | |
| 9357 | + | |
9352 | 9358 | | |
9353 | 9359 | | |
9354 | 9360 | | |
| |||
0 commit comments