projects / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: b34fe28)
bpf: fix missing error return in check_stack_boundary()
authorJann Horn <jannh@google.com>
Tue, 19 Dec 2017 04:11:57 +0000 (20:11 -0800)
committerBen Hutchings <ben@decadent.org.uk>
Fri, 22 Dec 2017 14:12:23 +0000 (14:12 +0000)
Prevent indirect stack accesses at non-constant addresses, which would
permit reading and corrupting spilled pointers.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name bpf-fix-missing-error-return-in-check_stack_boundary.patch

kernel/bpf/verifier.c patch | blob | history

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e6d15c0cf3babfbbb2f1dd29f3bcb378a6558bf4..a9f9a5e57babb17cbe8d3629a3fb5ed93b775dcb 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1320,6 +1320,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
                tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
                verbose(env, "invalid variable stack read R%d var_off=%s\n",
                        regno, tn_buf);
+               return -EACCES;
        }
        off = regs[regno].off + regs[regno].var_off.value;
        if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
Unnamed repository; edit this file 'description' to name the repository.