From: Hou Tao <houtao1@xxxxxxxxxx>
For map with dynptr key, only allow a bpf_dynptr on stack to be used as
a map key.
Signed-off-by: Hou Tao <houtao1@xxxxxxxxxx>
---
kernel/bpf/verifier.c | 17 ++++++++++++++---
1 file changed, 14 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 6f6d2d511c06..5d2868a798d6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -6020,9 +6020,20 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
verbose(env, "invalid map_ptr to access map->key\n");
return -EACCES;
}
- err = check_helper_mem_access(env, regno,
- meta->map_ptr->key_size, false,
- NULL);
+ /* Allow bpf_dynptr to be used as map key */
+ if (map_key_has_dynptr(meta->map_ptr)) {
+ if (base_type(reg->type) != PTR_TO_STACK ||
+ !is_dynptr_reg_valid_init(env, reg) ||
+ !is_dynptr_type_expected(env, reg, ARG_PTR_TO_DYNPTR)) {
+ verbose(env, "expect R%d to be dynptr instead of %s\n",
+ regno, reg_type_str(env, reg->type));
+ return -EACCES;
+ }
+ } else {
+ err = check_helper_mem_access(env, regno,
+ meta->map_ptr->key_size, false,
+ NULL);
+ }
break;
case ARG_PTR_TO_MAP_VALUE:
if (type_may_be_null(arg_type) && register_is_null(reg))
--
2.29.2
