On Thu, Nov 7, 2024 at 1:48 PM Tao Lyu <tao.lyu@xxxxxxx> wrote: > > The verifier misses the type checking on iter arguments, > so any pointer types (e.g., map value pointers) can be passed > as iter arguments. > > We fix this issue by adding a type check to ensure the passed > iter arguments are in the type of PTR_TO_STACK. > > Fixes: 06accc8779c1 ("bpf: add support for open-coded iterator loops") > Signed-off-by: Tao Lyu <tao.lyu@xxxxxxx> > --- > kernel/bpf/verifier.c | 5 +++++ > 1 file changed, 5 insertions(+) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 797cf3ed32e0..98afdcecefbc 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -12234,6 +12234,11 @@ static int check_kfunc_args(struct bpf_verifier_env *env, struct bpf_kfunc_call_ > return -EINVAL; > } > } > + /* Ensure the iter arg is a stack pointer */ > + if (reg->type != PTR_TO_STACK) { > + verbose(env, "arg#%d expected pointer to the iterator\n", i); > + return -EINVAL; > + } For process_dynptr_func() we do PTR_TO_STACK check inside the processing function, maybe let's move this check there for consistency and to minimize a chance of forgetting to do this check in some new place from which process_iter_arg() might be called? And while you are at it, maybe fix process_dynptr_func() to report zero-based argument number, which seems to be what we do for other cases? Right now we'll print arg#1 for first argument inside process_dynptr_func(). pw-bot: cr > ret = process_iter_arg(env, regno, insn_idx, meta); > if (ret < 0) > return ret; > -- > 2.34.1 >
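Review bot: the verbose() message in the added `reg->type != PTR_TO_STACK` check says only "expected pointer to the iterator", which does not tell the program author that the pointer has to be on the stack, the one property this check enforces; wording such as "arg#%d expected pointer to an iterator on stack" would make the rejection self-explanatory. The check also sits in check_kfunc_args() immediately before the process_iter_arg() call, so it covers only this call site; placing it inside process_iter_arg() would keep the guarantee with the function that depends on it. The diffstat lists only kernel/bpf/verifier.c, so a selftest that passes a map value pointer as the iter argument and expects the program to be rejected would be worth adding with the fix.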