bpf: force strict alignment checks for stack pointers

Force strict alignment checks for stack pointers because the tracking of
stack spills relies on it; unaligned stack accesses can lead to corruption
of spilled registers, which is exploitable.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Gbp-Pq: Topic bugfix/all
Gbp-Pq: Name bpf-force-strict-alignment-checks-for-stack-pointers.patch

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a9f9a5e57babb17cbe8d3629a3fb5ed93b775dcb..7d7adf3fb8996e01bc9318be894bb2f2238cb6e6 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1071,6 +1071,11 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
                break;
        case PTR_TO_STACK:
                pointer_desc = "stack ";
+               /* The stack spill tracking logic in check_stack_write()
+                * and check_stack_read() relies on stack accesses being
+                * aligned.
+                */
+               strict = true;
                break;
        default:
                break;