[0/2] Check the types of iter arguments

Message

Tao Lyu Nov. 7, 2024, 9:47 p.m. UTC

The verifier misses the type checking on iter arguments,
so any pointer types (e.g., map value pointers) can be
passed as iter arguments.

As the included selftest shows, when passing a ptr_to_map_value
with offset 0, process_iter_arg still regards it as a stack pointer
and uses offset 0 to check the stack slot types.

In this case, as long as the stack slot types at offset 0 are STACK_ITER,
verifier checks can be passed before the fix.

To fix this issue, we add a type check in process_iter_arg to ensure
the passed iter arguments are in the type of PTR_TO_STACK.

Tao Lyu (2):
  bpf: Check if iter args are stack pointers
  selftests/bpf: Add a test for the type checking of iter args

 kernel/bpf/verifier.c                     |  5 +++++
 tools/testing/selftests/bpf/progs/iters.c | 20 ++++++++++++++++++++
 2 files changed, 25 insertions(+)