The verifier misses the type checking on iter arguments, so any pointer types (e.g., map value pointers) can be passed as iter arguments.

We fix this issue by adding a type check to ensure the passed iter arguments are of type PTR_TO_STACK.

Fixes: 06accc8779c1 ("bpf: add support for open-coded iterator loops")
Signed-off-by: Tao Lyu <tao.lyu@xxxxxxx>
--- kernel/bpf/verifier.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 797cf3ed32e0..98afdcecefbc 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -12234,6 +12234,11 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_ return -EINVAL; } } + /* Ensure the iter arg is a stack pointer */ + if (reg->type != PTR_TO_STACK) { + verbose(env, "arg#%d expected pointer to the iterator\n", i); + return -EINVAL; + } ret = process_iter_arg(env, regno, insn_idx, meta); if (ret < 0) return ret; -- 2.34.1
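
Review bot: the verbose() message in the added check, "arg#%d expected pointer to the iterator", does not tell the program author what was wrong with the argument, since the rejected register may well be a pointer, just not one into the stack. Wording such as "arg#%d expected pointer to an iterator on stack" would match the condition `reg->type != PTR_TO_STACK` and the comment above it. The diffstat also shows only kernel/bpf/verifier.c changing, so nothing exercises the new rejection path; a verifier selftest that passes a map value pointer (the case the commit message names) as the iter argument and expects the load to fail would document the bug and guard against regression.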