Star64_linux/kernel/bpf
Kumar Kartikeya Dwivedi f336adb0b0 bpf: Fix crash due to out of bounds access into reg2btf_ids.
commit 45ce4b4f90 upstream

When commit e6ac2450d6 ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID, however
commit c25b2ae136 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
the base register types, and defined other variants using type flag
composition. However, now, the direct usage of reg->type to index into
reg2btf_ids may no longer fall into the __BPF_REG_TYPE_MAX range, and hence lead to
an out of bounds access and a kernel crash on dereference of a bad pointer.

[backport note: commit 3363bd0cfb ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM
 argument support") was introduced after 5.15 and contains an out of bounds
 reg2btf_ids access. Since that commit hasn't been backported, this patch
 doesn't include a fix for that access. If we backport that commit in future,
 we need to fix its faulting access as well.]

Fixes: c25b2ae136 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Hao Luo <haoluo@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220216201943.624869-1-memxor@gmail.com
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2023-04-19 17:48:17 +08:00
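The bug class the commit describes, shown as an added, stand-alone example rather than code from this repository: a lookup table sized by a sentinel that closes the base register types, and a register type that carries a flag bit (PTR_MAYBE_NULL) composed above that sentinel. Indexing with the raw type walks off the table; masking the flag bits first (the base_type() idea) keeps the index in range. The enum values, the BTF ids in the table and the two lookup helpers are constructed for this example and are not the kernel's definitions.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed stand-in for the verifier's register type enum (example only,
 * not the kernel's definition). The sentinel __BPF_REG_TYPE_MAX closes the
 * base types; nullable variants are composed from a flag bit above it.
 */
enum demo_reg_type {
    NOT_INIT = 0,
    SCALAR_VALUE,
    PTR_TO_CTX,
    PTR_TO_SOCKET,
    PTR_TO_TCP_SOCK,
    PTR_TO_BTF_ID,
    __BPF_REG_TYPE_MAX,            /* end of the base types */

    /* Type flag: OR-ed onto a base type, never a valid table index on its own. */
    PTR_MAYBE_NULL = 1 << 8,
    PTR_TO_SOCKET_OR_NULL   = PTR_TO_SOCKET   | PTR_MAYBE_NULL,
    PTR_TO_TCP_SOCK_OR_NULL = PTR_TO_TCP_SOCK | PTR_MAYBE_NULL,
};

#define TYPE_FLAG_MASK  ((unsigned)PTR_MAYBE_NULL)
#define base_type(t)    ((t) & ~TYPE_FLAG_MASK)

/* Constructed BTF ids for the example; 0 means "no kernel type for this reg type". */
static const uint32_t reg2btf_ids[__BPF_REG_TYPE_MAX] = {
    [PTR_TO_SOCKET]   = 101,
    [PTR_TO_TCP_SOCK] = 102,
};

/* 1 if `type` is a valid index into reg2btf_ids, 0 otherwise. */
static int reg_type_in_bounds(unsigned type)
{
    return type < (unsigned)__BPF_REG_TYPE_MAX;
}

/*
 * Pre-fix pattern: index with the raw register type. Instead of performing
 * the out-of-bounds read (undefined behaviour), return -1 exactly where the
 * real table walk would have left the array.
 */
static long lookup_btf_id_unsafe(unsigned type)
{
    if (!reg_type_in_bounds(type))
        return -1;                 /* a flagged type lands here */
    return reg2btf_ids[type];
}

/* Fixed pattern: strip the flag bits first, then index with the base type. */
static long lookup_btf_id(unsigned type)
{
    unsigned base = base_type(type);

    if (!reg_type_in_bounds(base))
        return -1;                 /* unknown bits set: still refuse */
    return reg2btf_ids[base];
}

int main(void)
{
    const unsigned samples[] = { PTR_TO_SOCKET, PTR_TO_SOCKET_OR_NULL,
                                 PTR_TO_TCP_SOCK_OR_NULL, PTR_TO_CTX };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned t = samples[i];
        printf("type=0x%03x raw-index=%s unsafe=%ld fixed=%ld\n", t,
               reg_type_in_bounds(t) ? "in-bounds" : "OUT OF BOUNDS",
               lookup_btf_id_unsafe(t), lookup_btf_id(t));
    }
    return 0;
}
```

The check to carry away: any table indexed by a composite type value must be indexed by the base part only, and the mask must cover every flag bit that can be set; a flag bit the mask does not know about still produces an index past the sentinel, which the fixed helper above rejects rather than dereferences.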
..
preload
arraymap.c
bpf_inode_storage.c
bpf_iter.c
bpf_local_storage.c
bpf_lru_list.c
bpf_lru_list.h
bpf_lsm.c
bpf_struct_ops.c
bpf_struct_ops_types.h
bpf_task_storage.c
btf.c bpf: Fix crash due to out of bounds access into reg2btf_ids. 2023-04-19 17:48:17 +08:00
cgroup.c bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem. 2023-04-19 17:48:17 +08:00
core.c
cpumap.c
devmap.c
disasm.c
disasm.h
dispatcher.c
hashtab.c
helpers.c bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem. 2023-04-19 17:48:17 +08:00
inode.c bpf: Fix mount source show for bpffs 2023-04-19 17:44:39 +08:00
Kconfig
local_storage.c
lpm_trie.c
Makefile
map_in_map.c
map_in_map.h
map_iter.c bpf: Introduce MEM_RDONLY flag 2023-04-19 17:48:17 +08:00
net_namespace.c
offload.c
percpu_freelist.c
percpu_freelist.h
prog_iter.c
queue_stack_maps.c
reuseport_array.c
ringbuf.c bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem. 2023-04-19 17:48:17 +08:00
stackmap.c bpf: Adjust BPF stack helper functions to accommodate skip > 0 2023-04-19 17:47:30 +08:00
syscall.c bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem. 2023-04-19 17:48:17 +08:00
sysfs_btf.c
task_iter.c
tnum.c
trampoline.c bpf: Fix possible race in inc_misses_counter 2023-04-19 17:45:55 +08:00
verifier.c bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem. 2023-04-19 17:48:17 +08:00