bpf: Fix handling of XADD on BTF memory

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

check_xadd() can cause check_ptr_to_btf_access() to be executed with
atype==BPF_READ and value_regno==-1 (meaning "just check whether the access
is okay, don't tell me what type it will result in").
Handle that case properly and skip writing type information, instead of
indexing into the registers at index -1 and writing into out-of-bounds
memory.

Note that at least at the moment, you can't actually write through a BTF
pointer, so check_xadd() will reject the program after calling
check_ptr_to_btf_access with atype==BPF_WRITE; but that's after the
verifier has already corrupted memory.

This patch assumes that BTF pointers are not available in unprivileged
programs.

Fixes: 9e15db66136a ("bpf: Implement accurate raw_tp context access via BTF")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200417000007.10734-2-jannh@google.com

authored by

Jann Horn and committed by

Alexei Starovoitov 6 years ago 8ff3571f 6e7e63cb

+1 -1

1 changed file

expand all

kernel

bpf

verifier.c

+1 -1

kernel/bpf/verifier.c

··· 3099 3099 if (ret < 0) 3100 3100 return ret; 3101 3101 3102 - if (atype == BPF_READ) { 3102 + if (atype == BPF_READ && value_regno >= 0) { 3103 3103 if (ret == SCALAR_VALUE) { 3104 3104 mark_reg_unknown(env, regs, value_regno); 3105 3105 return 0;