Message ID | 20230809114116.3216687-12-memxor@gmail.com (mailing list archive) |
---|---|
State | Changes Requested |
Delegated to: | BPF |
Series | Exceptions - 1/2 |
On 8/9/23 7:41 AM, Kumar Kartikeya Dwivedi wrote:
> The kfunc code to handle KF_ARG_PTR_TO_CALLBACK does not check the reg
> type before using reg->subprogno. This can accidentally permit invalid
> pointers from being passed into callback helpers (e.g. silently from
> different paths). Likewise, reg->subprogno from the per-register type
> union may not be meaningful either. We need to reject any other type
> except PTR_TO_FUNC.
>
> Cc: Dave Marchevsky <davemarchevsky@fb.com>
> Fixes: 5d92ddc3de1b ("bpf: Add callback validation to kfunc verifier logic")
> Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
> ---

Acked-by: Dave Marchevsky <davemarchevsky@fb.com>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 13db1fa4163c..1c9a7a6ef906 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -11334,6 +11334,10 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_ break; } case KF_ARG_PTR_TO_CALLBACK: + if (reg->type != PTR_TO_FUNC) { + verbose(env, "arg%d expected pointer to func\n", i); + return -EINVAL; + } meta->subprogno = reg->subprogno; break; case KF_ARG_PTR_TO_REFCOUNTED_KPTR:
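Review bot: the new reg->type != PTR_TO_FUNC rejection in the KF_ARG_PTR_TO_CALLBACK case of check_kfunc_args() comes without a test; the diffstat shows only kernel/bpf/verifier.c changed. A negative verifier selftest that passes a non-function register as the callback argument and expects the "expected pointer to func" message would keep the check from regressing. The verbose() line also reports only the argument index i; printing the register type that was actually seen would make the rejection easier to diagnose from the verifier log.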
The kfunc code to handle KF_ARG_PTR_TO_CALLBACK does not check the reg type before using reg->subprogno. This can accidentally permit invalid pointers from being passed into callback helpers (e.g. silently from different paths). Likewise, reg->subprogno from the per-register type union may not be meaningful either. We need to reject any other type except PTR_TO_FUNC.

Cc: Dave Marchevsky <davemarchevsky@fb.com>
Fixes: 5d92ddc3de1b ("bpf: Add callback validation to kfunc verifier logic")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
---
kernel/bpf/verifier.c | 4 ++++
1 file changed, 4 insertions(+)