On Wed, Feb 19, 2025 at 4:51 AM Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> wrote:
>
> For the bpf_dynptr_slice_rdwr kfunc, the verifier may return a pointer
> to the underlying packet (if the requested slice is linear), or copy out
> the data to the buffer passed into the kfunc. The verifier performs
> symbolic execution assuming the returned value is a PTR_TO_MEM of a
> certain size (passed into the kfunc), and ensures reads and writes are
> within bounds.

sounds like

check_kfunc_mem_size_reg() -> check_mem_size_reg() -> check_helper_mem_access()
  case PTR_TO_STACK:
    check_stack_range_initialized()
      clobber = true
      if (clobber) {
        __mark_reg_unknown(env, &state->stack[spi].spilled_ptr);

is somehow broken?

ohh. It might be:

|| !is_kfunc_arg_optional(meta->btf, buff_arg)

This bit is wrong then.
When arg is not-null, check_kfunc_mem_size_reg() should be called.

The PTR_TO_STACK abuse is a small subset of issues
if check_kfunc_mem_size_reg() is indeed not called.
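The verifier bookkeeping the reply walks through (check_stack_range_initialized() with clobber set, so that stack slots a kfunc may write into are marked unknown) can be modelled in a few lines. The block below is an added illustration, not code from the thread or from the kernel: it is a constructed Python toy of stack-slot tracking, with a hypothetical slice_rdwr_model() kfunc stand-in whose size_checked flag switches between the path where the memory-size check runs and clobbers the buffer, and the path where that check is skipped and a stale tracked value survives.

```python
"""Toy model of verifier stack tracking around a kfunc that may write into a
caller-supplied stack buffer. Constructed for illustration; not kernel code."""
from dataclasses import dataclass, field
from typing import Dict, Optional

SLOT = 8  # bytes per stack slot (the kernel's BPF_REG_SIZE)


class VerifierError(Exception):
    """Raised where the real verifier would reject the program."""


@dataclass
class Slot:
    initialized: bool = False
    known: Optional[int] = None  # concrete tracked value; None means unknown


@dataclass
class StackState:
    slots: Dict[int, Slot] = field(default_factory=dict)

    @staticmethod
    def spi(off: int) -> int:
        # Stack offsets are negative from the frame pointer; -8..-1 -> slot 0.
        return (-off - 1) // SLOT

    def slot(self, off: int) -> Slot:
        return self.slots.setdefault(self.spi(off), Slot())

    def store_const(self, off: int, value: int) -> None:
        """The program stores a constant; the verifier tracks it precisely."""
        self.slots[self.spi(off)] = Slot(initialized=True, known=value)

    def tracked(self, off: int) -> Optional[int]:
        return self.slot(off).known


def check_stack_range(state: StackState, off: int, size: int, clobber: bool) -> None:
    """Model of check_stack_range_initialized(): every slot in [off, off+size)
    must have been written before a callee reads it, and when the callee may
    write into it (clobber), the tracked value is forgotten, which is what
    __mark_reg_unknown() does in the kernel's version."""
    if off >= 0 or size <= 0:
        raise VerifierError(f"invalid stack access off={off} size={size}")
    for byte in range(off, off + size):
        s = state.slot(byte)
        if not s.initialized:
            raise VerifierError(f"read of uninitialized stack at {byte}")
        if clobber:
            s.known = None


def slice_rdwr_model(state: StackState, buf_off: int, buf_len: int,
                     size_checked: bool) -> Optional[int]:
    """Hypothetical stand-in for a kfunc that may copy packet bytes into the
    caller's stack buffer. size_checked=True mirrors the path where the
    memory-size check runs and clobbers the buffer; False mirrors a path
    where that check is skipped for a non-null buffer argument."""
    if size_checked:
        check_stack_range(state, buf_off, buf_len, clobber=True)
    return state.tracked(buf_off)


def scenario(size_checked: bool) -> Optional[int]:
    """Returns what the verifier believes buf[0..8) holds after the kfunc."""
    st = StackState()
    st.store_const(-8, 0)  # program writes constant 0 into the buffer
    # The kfunc may overwrite the buffer with packet data before the program
    # reads it back; a correct verifier must no longer trust the constant.
    return slice_rdwr_model(st, buf_off=-8, buf_len=8, size_checked=size_checked)


def rejects_uninitialized() -> bool:
    """The same check also refuses a callee read of never-written stack."""
    try:
        check_stack_range(StackState(), -16, 8, clobber=False)
    except VerifierError:
        return True
    return False


if __name__ == "__main__":
    print("with size check, tracked value:", scenario(True))     # None (unknown)
    print("without size check, tracked value:", scenario(False))  # 0 (stale)
    print("uninitialized read rejected:", rejects_uninitialized())
```

The point the model makes is the one in the reply: when the size check is skipped, the verifier keeps a precise value for memory the kfunc may have overwritten, so any later bounds reasoning built on that value is unsound; the stack case is just the easiest place to see it.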