[0/2] Check the types of iter arguments

Message

Tao Lyu Nov. 6, 2024, 8:18 p.m. UTC

The verifier misses the type checking on iter arguments,
so any pointer types (e.g., map value pointers) can be passed as iter arguments.

As the included selftest shows, when passing a ptr_to_map_value with offset 0,
process_iter_arg still regards it as a stack pointer and uses offset 0 to check
the stack slot types.

In this case, as long as the stack slot types at offset 0 are STACK_ITER,
verifier checks can be passed before the fix.

To fix this issue, we add a type check in process_iter_arg to ensure the passed
iter arguments are in the type of PTR_TO_STACK.

Tao Lyu (2):
  bpf: Check if iter args are stack pointers
  selftests/bpf: Add a test for the type checking of iter args

 kernel/bpf/verifier.c                     |  5 +++++
 tools/testing/selftests/bpf/progs/iters.c | 21 +++++++++++++++++++++
 2 files changed, 26 insertions(+)