On Mon, Jan 06, 2020 at 10:51:57PM +0100, Daniel Borkmann wrote:
> Anatoly has been fuzzing with kBdysch harness and reported a KASAN
> slab oob in one of the outcomes:
>
> After further debugging, turns out while in case of other helper functions
> we disallow passing modified ctx, the special case of ld/abs/ind instruction
> which has similar semantics (except r6 being the ctx argument) is missing
> such check. Modified ctx is impossible here as bpf_skb_load_helper_8_no_cache()
> and others are expecting skb fields in original position, hence, add
> check_ctx_reg() to reject any modified ctx. Issue was first introduced back
> in f1174f77b50c ("bpf/verifier: rework value tracking").
>
> Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
> Reported-by: Anatoly Trosinenko <anatoly.trosinenko@xxxxxxxxx>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>

Applied, Thanks
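To make the quoted fix concrete, here is a small C model of what the verifier is doing when it applies check_ctx_reg() to the implicit r6 argument of ld/abs/ind. This is an added illustration written for this page, not the kernel's verifier code: the register state is reduced to the type, fixed offset and tracked variable offset (a tnum of value/mask) that the check consults, the enum and struct names are assumptions modelled on the kernel's naming, and the register numbering (R6 as the skb ctx for ld_abs/ld_ind) is as stated in the commit message.

```c
/* Simplified model of the BPF verifier's "unmodified ctx" check.
 * Added illustration; this is NOT the kernel's code. Field and type names
 * are assumptions modelled on the verifier's naming. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum reg_type { NOT_INIT = 0, SCALAR_VALUE, PTR_TO_CTX, PTR_TO_STACK };

/* Tracked number: bits with mask==0 are known and equal to the bits in value. */
struct tnum { uint64_t value; uint64_t mask; };

struct reg_state {
    enum reg_type type;
    int32_t off;          /* fixed offset already added to the pointer */
    struct tnum var_off;  /* variable offset; unknown bits are set in mask */
};

static int tnum_is_const(struct tnum t) { return t.mask == 0; }

/* A ctx pointer may only be consumed in its original form: helpers such as
 * bpf_skb_load_helper_8_no_cache() read skb fields at fixed positions from
 * the pointer they are given, so any fixed or variable offset is rejected. */
static int check_ctx_reg(const struct reg_state *reg, int regno)
{
    if (reg->off) {
        printf("dereference of modified ctx ptr R%d off=%d disallowed\n",
               regno, reg->off);
        return -EACCES;
    }
    if (!tnum_is_const(reg->var_off) || reg->var_off.value) {
        printf("variable ctx access on R%d disallowed\n", regno);
        return -EACCES;
    }
    return 0;
}

/* ld_abs/ld_ind take the skb ctx implicitly from R6. The patch quoted above
 * amounts to adding the check_ctx_reg() call on that register here. */
static int check_ld_abs_ctx(const struct reg_state regs[11])
{
    const int ctx_reg = 6;

    if (regs[ctx_reg].type != PTR_TO_CTX) {
        printf("at the time of ld_abs/ld_ind R6 must be a ctx pointer\n");
        return -EINVAL;
    }
    return check_ctx_reg(&regs[ctx_reg], ctx_reg);
}

/* Build a PTR_TO_CTX register with the given fixed and variable offsets. */
static struct reg_state make_ctx(int32_t off, uint64_t var_value, uint64_t var_mask)
{
    struct reg_state r;
    memset(&r, 0, sizeof(r));
    r.type = PTR_TO_CTX;
    r.off = off;
    r.var_off.value = var_value;
    r.var_off.mask = var_mask;
    return r;
}

/* Constructed scenario: R6 holds a ctx pointer that a program may have
 * adjusted; returns 0 when the ld_abs would be accepted, -errno otherwise. */
static int demo_case(int32_t off, uint64_t var_value, uint64_t var_mask)
{
    struct reg_state regs[11];
    memset(regs, 0, sizeof(regs));
    regs[6] = make_ctx(off, var_value, var_mask);
    return check_ld_abs_ctx(regs);
}

/* Constructed scenario: R6 is a scalar, not a ctx pointer at all. */
static int demo_non_ctx(void)
{
    struct reg_state regs[11];
    memset(regs, 0, sizeof(regs));
    regs[6].type = SCALAR_VALUE;
    return check_ld_abs_ctx(regs);
}

int main(void)
{
    printf("pristine r6      -> %d\n", demo_case(0, 0, 0));      /* accepted */
    printf("r6 += 8          -> %d\n", demo_case(8, 0, 0));      /* -EACCES */
    printf("r6 += unknown    -> %d\n", demo_case(0, 0, ~0ULL));  /* -EACCES */
    printf("r6 not a ctx ptr -> %d\n", demo_non_ctx());          /* -EINVAL */
    return 0;
}
```

The second and third cases are the shape of program the fuzzer can produce: before the fix, the ld/abs/ind path skipped this check, so the JIT-side helpers would be handed an skb pointer displaced from where they expect the fields to be, which is the out-of-bounds slab access KASAN flagged. Rejecting the program at load time is the correct place to stop it, since the helpers themselves have no way to recover the original pointer.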