Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge branch 'fix-missing-process_iter_arg-type-check'

Kumar Kartikeya Dwivedi says:

====================
Fix missing process_iter_arg type check

I am taking over Tao's earlier patch set that can be found at [0], after
an offline discussion. The bug reported in that thread is that
process_iter_arg missed a reg->type == PTR_TO_STACK check. Fix this by
adding it in, and also address comments from Andrii on the earlier
attempt. Include more selftests to ensure the error is caught.

[0]: https://lore.kernel.org/bpf/20241107214736.347630-1-tao.lyu@epfl.ch

Changelog:
----------
v1 -> v2:
v1: https://lore.kernel.org/bpf/20241127230147.4158201-1-memxor@gmail.com
====================

Link: https://patch.msgid.link/20241203000238.3602922-1-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

+33 -2
+5
kernel/bpf/verifier.c
··· 8189 8189 const struct btf_type *t; 8190 8190 int spi, err, i, nr_slots, btf_id; 8191 8191 8192 + if (reg->type != PTR_TO_STACK) { 8193 + verbose(env, "arg#%d expected pointer to an iterator on stack\n", regno - 1); 8194 + return -EINVAL; 8195 + } 8196 + 8192 8197 /* For iter_{new,next,destroy} functions, btf_check_iter_kfuncs() 8193 8198 * ensures struct convention, so we wouldn't need to do any BTF 8194 8199 * validation here. But given iter state can be passed as a parameter
+26
tools/testing/selftests/bpf/progs/iters.c
··· 1486 1486 return 0; 1487 1487 } 1488 1488 1489 + struct bpf_iter_num global_it; 1490 + 1491 + SEC("raw_tp") 1492 + __failure __msg("arg#0 expected pointer to an iterator on stack") 1493 + int iter_new_bad_arg(const void *ctx) 1494 + { 1495 + bpf_iter_num_new(&global_it, 0, 1); 1496 + return 0; 1497 + } 1498 + 1499 + SEC("raw_tp") 1500 + __failure __msg("arg#0 expected pointer to an iterator on stack") 1501 + int iter_next_bad_arg(const void *ctx) 1502 + { 1503 + bpf_iter_num_next(&global_it); 1504 + return 0; 1505 + } 1506 + 1507 + SEC("raw_tp") 1508 + __failure __msg("arg#0 expected pointer to an iterator on stack") 1509 + int iter_destroy_bad_arg(const void *ctx) 1510 + { 1511 + bpf_iter_num_destroy(&global_it); 1512 + return 0; 1513 + } 1514 + 1489 1515 char _license[] SEC("license") = "GPL";
+2 -2
tools/testing/selftests/bpf/progs/verifier_bits_iter.c
··· 35 35 __failure __msg("expected an initialized iter_bits as arg #1") 36 36 int BPF_PROG(next_uninit, struct bpf_iter_meta *meta, struct cgroup *cgrp) 37 37 { 38 - struct bpf_iter_bits *it = NULL; 38 + struct bpf_iter_bits it = {}; 39 39 40 - bpf_iter_bits_next(it); 40 + bpf_iter_bits_next(&it); 41 41 return 0; 42 42 } 43 43
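
Review bot: In kernel/bpf/verifier.c, the new message numbers the argument as `arg#%d` with `regno - 1`, while the iterator message matched in verifier_bits_iter.c reads "expected an initialized iter_bits as arg #1" for what is also the first argument. The verifier therefore reports the same argument position as arg#0 in one iterator diagnostic and arg #1 in another, which makes logs from rejected programs harder to interpret. Settle on one index base and one spacing for the iterator messages, or say in the commit message why they differ.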
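
Review bot: In tools/testing/selftests/bpf/progs/iters.c, all three new tests pass the same file-scope `global_it`, so the new `reg->type != PTR_TO_STACK` check is exercised with only one kind of non-stack pointer. Consider adding a case that takes the iterator pointer from a different non-stack source, such as one derived from `ctx`, and a one-line comment above `struct bpf_iter_num global_it;` stating that it is deliberately kept off the stack so the intent survives later edits to the file.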
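
Review bot: In tools/testing/selftests/bpf/progs/verifier_bits_iter.c, changing `struct bpf_iter_bits *it = NULL;` to a stack object in next_uninit drops the case shown here that passes a NULL iterator pointer to `bpf_iter_bits_next`. The change itself is reasonable, since next_uninit still targets the "expected an initialized iter_bits as arg #1" message, but the NULL case should be kept as a separate test with the `__msg` the verifier now emits for it, so that rejection path stays covered.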