On Wed, 2024-06-19 at 08:29 +0000, Matt Bobrowski wrote:
> Currently, it's possible to pass in a modified CONST_PTR_TO_DYNPTR to
> a global function as an argument. The adverse effects of this is that
> BPF helpers can continue to make use of this modified
> CONST_PTR_TO_DYNPTR from within the context of the global function,
> which can unintentionally result in out-of-bounds memory accesses and
> therefore compromise overall system stability i.e.
[...]
> Reported-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
> Signed-off-by: Matt Bobrowski <mattbobrowski@xxxxxxxxxx>
> ---
Hi Matt,
Thank you for fixing this bug. Overall looks good,
I second the requests from Kumar + one nit from me.
Also, note that kfunc_param_nullable/kfunc_dynptr_nullable_test3
needs an update.
Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
[...]
> @@ -9464,7 +9471,13 @@ static int btf_check_func_arg_match(struct bpf_verifier_env *env, int subprog,
> return -EINVAL;
> }
> } else if (arg->arg_type == (ARG_PTR_TO_DYNPTR | MEM_RDONLY)) {
> - ret = process_dynptr_func(env, regno, -1, arg->arg_type, 0);
> + ret = check_func_arg_reg_off(env, reg, regno,
> + ARG_PTR_TO_DYNPTR);
Nit: Please avoid splitting lines too often, this line should be:
ret = check_func_arg_reg_off(env, reg, regno, ARG_PTR_TO_DYNPTR);
the limit for line length is 100 characters.
There are a few more such places.
> + if (ret)
> + return ret;
> +
> + ret = process_dynptr_func(env, regno, -1, arg->arg_type,
> + 0);
> if (ret)
> return ret;
> } else if (base_type(arg->arg_type) == ARG_PTR_TO_BTF_ID) {
[...]
