[bpf-next,v1,0/6] Fixes for bad PTR_TO_BTF_ID offset

Message ID 20220301065745.1634848-1-memxor@gmail.com (mailing list archive)

Kumar Kartikeya Dwivedi March 1, 2022, 6:57 a.m. UTC
This set fixes a bug related to a bad var_off being permitted for kfunc calls in
the case of PTR_TO_BTF_ID, consolidates offset checks for all register types allowed
as helper or kfunc arguments into a common shared helper, and introduces a
couple of other checks to harden the kfunc release logic and prevent future
bugs. Some selftests are also included that fail in the absence of these fixes,
serving as a demonstration of the issues being fixed.

Kumar Kartikeya Dwivedi (6):
  bpf: Add check_func_arg_reg_off function
  bpf: Fix PTR_TO_BTF_ID var_off check
  bpf: Disallow negative offset in check_ptr_off_reg
  bpf: Harden register offset checks for release kfunc
  selftests/bpf: Update tests for new errstr
  selftests/bpf: Add tests for kfunc register offset checks

 include/linux/bpf_verifier.h                  |  3 +
 kernel/bpf/btf.c                              | 24 ++++--
 kernel/bpf/verifier.c                         | 75 ++++++++++-------
 net/bpf/test_run.c                            | 11 +++
 .../selftests/bpf/verifier/bounds_deduction.c |  2 +-
 tools/testing/selftests/bpf/verifier/calls.c  | 82 +++++++++++++++++++
 tools/testing/selftests/bpf/verifier/ctx.c    |  8 +-
 7 files changed, 167 insertions(+), 38 deletions(-)