bpf: Ensure reg is PTR_TO_STACK in process_iter_arg

lvtao-sec · mehmetb0 · commit 8c815e4fb262 · 2025-02-14T14:42:35.000+03:00
BugLink: https://bugs.launchpad.net/bugs/2096827 [ Upstream commit 12659d2 ] Currently, KF_ARG_PTR_TO_ITER handling missed checking the reg->type and ensuring it is PTR_TO_STACK. Instead of enforcing this in the caller of process_iter_arg, move the check into it instead so that all callers will gain the check by default. This is similar to process_dynptr_func. An existing selftest in verifier_bits_iter.c fails due to this change, but it's because it was passing a NULL pointer into iter_next helper and getting an error further down the checks, but probably meant to pass an uninitialized iterator on the stack (as is done in the subsequent test below it). We will gain coverage for non-PTR_TO_STACK arguments in later patches hence just change the declaration to zero-ed stack object. Fixes: 06accc8 ("bpf: add support for open-coded iterator loops") Suggested-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Tao Lyu <tao.lyu@epfl.ch> [ Kartikeya: move check into process_iter_arg, rewrite commit log ] Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com> Link: https://lore.kernel.org/r/20241203000238.3602922-2-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> [koichiroden: adjusted context due to missing commit: baebe9a ("bpf: allow passing struct bpf_iter_<type> as kfunc arguments")] Signed-off-by: Koichiro Den <koichiro.den@canonical.com>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -7928,6 +7928,11 @@ static int process_iter_arg(struct bpf_verifier_env *env, int regno, int insn_id
 	int spi, err, i, nr_slots;
 	u32 btf_id;
 
+	if (reg->type != PTR_TO_STACK) {
+		verbose(env, "arg#%d expected pointer to an iterator on stack\n", regno - 1);
+		return -EINVAL;
+	}
+
 	/* btf_check_iter_kfuncs() ensures we don't need to validate anything here */
 	arg = &btf_params(meta->func_proto)[0];
 	t = btf_type_skip_modifiers(meta->btf, arg->type, NULL);	/* PTR */
diff --git a/tools/testing/selftests/bpf/progs/verifier_bits_iter.c b/tools/testing/selftests/bpf/progs/verifier_bits_iter.c
@@ -33,9 +33,9 @@ __description("uninitialized iter in ->next()")
 __failure __msg("expected an initialized iter_bits as arg #1")
 int BPF_PROG(next_uninit, struct bpf_iter_meta *meta, struct cgroup *cgrp)
 {
-	struct bpf_iter_bits *it = NULL;
+	struct bpf_iter_bits it = {};
 
-	bpf_iter_bits_next(it);
+	bpf_iter_bits_next(&it);
 	return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -33,9 +33,9 @@ __description("uninitialized iter in ->next()")`
`33`	`33`	`__failure __msg("expected an initialized iter_bits as arg #1")`
`34`	`34`	`int BPF_PROG(next_uninit, struct bpf_iter_meta meta, struct cgroup cgrp)`
`35`	`35`	`{`
`36`		`- struct bpf_iter_bits *it = NULL;`
	`36`	`+ struct bpf_iter_bits it = {};`
`37`	`37`
`38`		`- bpf_iter_bits_next(it);`
	`38`	`+ bpf_iter_bits_next(&it);`
`39`	`39`	`return 0;`
`40`	`40`	`}`
`41`	`41`