Skip to content

Commit 1d38a9e

Browse files
andreimateianakryiko
andreimatei
authored and
anakryiko
committed
bpf: Guard stack limits against 32bit overflow
This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with a int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to an u32, it appears that we were open to overflowing the `int`s which were currently used for arithmetic. [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904 Reported-by: Andrii Nakryiko <[email protected]> Signed-off-by: Andrei Matei <[email protected]> Signed-off-by: Andrii Nakryiko <[email protected]> Acked-by: Andrii Nakryiko <[email protected]> Link: https://lore.kernel.org/bpf/[email protected]
1 parent e28bd35 commit 1d38a9e

File tree

1 file changed

+3
-3
lines changed

1 file changed

+3
-3
lines changed

kernel/bpf/verifier.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -6577,7 +6577,7 @@ static int check_ptr_to_map_access(struct bpf_verifier_env *env,
65776577
* The minimum valid offset is -MAX_BPF_STACK for writes, and
65786578
* -state->allocated_stack for reads.
65796579
*/
6580-
static int check_stack_slot_within_bounds(int off,
6580+
static int check_stack_slot_within_bounds(s64 off,
65816581
struct bpf_func_state *state,
65826582
enum bpf_access_type t)
65836583
{
@@ -6606,7 +6606,7 @@ static int check_stack_access_within_bounds(
66066606
struct bpf_reg_state *regs = cur_regs(env);
66076607
struct bpf_reg_state *reg = regs + regno;
66086608
struct bpf_func_state *state = func(env, reg);
6609-
int min_off, max_off;
6609+
s64 min_off, max_off;
66106610
int err;
66116611
char *err_extra;
66126612

@@ -6619,7 +6619,7 @@ static int check_stack_access_within_bounds(
66196619
err_extra = " write to";
66206620

66216621
if (tnum_is_const(reg->var_off)) {
6622-
min_off = reg->var_off.value + off;
6622+
min_off = (s64)reg->var_off.value + off;
66236623
max_off = min_off + access_size;
66246624
} else {
66256625
if (reg->smax_value >= BPF_MAX_VAR_OFF ||

0 commit comments

Comments
 (0)