Patch "bpf: Fix check_func_arg_reg_off bug for graph root/node" has been added to the 6.4-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    bpf: Fix check_func_arg_reg_off bug for graph root/node

to the 6.4-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-check_func_arg_reg_off-bug-for-graph-root-no.patch
and it can be found in the queue-6.4 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit d854c8309ffcf579dc94708b603ca0f9ec6fc954
Author: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
Date:   Tue Aug 22 23:21:39 2023 +0530

    bpf: Fix check_func_arg_reg_off bug for graph root/node
    
    [ Upstream commit 6785b2edf48c6b1c3ea61fe3b0d2e02b8fbf90c0 ]
    
    The commit being fixed introduced a hunk into check_func_arg_reg_off
    that bypasses reg->off == 0 enforcement when offset points to a graph
    node or root. This might possibly be done for treating bpf_rbtree_remove
    and others as KF_RELEASE and then later check correct reg->off in helper
    argument checks.
    
    But this is not the case, those helpers are already not KF_RELEASE and
    permit non-zero reg->off and verify it later to match the subobject in
    BTF type.
    
    However, this logic leads to bpf_obj_drop permitting free of register
    arguments with non-zero offset when they point to a graph root or node
    within them, which is not ok.
    
    For instance:
    
    struct foo {
            int i;
            int j;
            struct bpf_rb_node node;
    };
    
    struct foo *f = bpf_obj_new(typeof(*f));
    if (!f) ...
    bpf_obj_drop(f); // OK
    bpf_obj_drop(&f->i); // still ok from verifier PoV
    bpf_obj_drop(&f->node); // Not OK, but permitted right now
    
    Fix this by dropping the whole part of code altogether.
    
    Fixes: 6a3cd3318ff6 ("bpf: Migrate release_on_unlock logic to non-owning ref semantics")
    Signed-off-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20230822175140.1317749-2-memxor@xxxxxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b9e4dbdfa296a..d4a6120edbb86 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7611,17 +7611,6 @@ int check_func_arg_reg_off(struct bpf_verifier_env *env,
 		if (arg_type_is_dynptr(arg_type) && type == PTR_TO_STACK)
 			return 0;
 
-		if ((type_is_ptr_alloc_obj(type) || type_is_non_owning_ref(type)) && reg->off) {
-			if (reg_find_field_offset(reg, reg->off, BPF_GRAPH_NODE_OR_ROOT))
-				return __check_ptr_off_reg(env, reg, regno, true);
-
-			verbose(env, "R%d must have zero offset when passed to release func\n",
-				regno);
-			verbose(env, "No graph node or root found at R%d type:%s off:%d\n", regno,
-				btf_type_name(reg->btf, reg->btf_id), reg->off);
-			return -EINVAL;
-		}
-
 		/* Doing check_ptr_off_reg check for the offset will catch this
 		 * because fixed_off_ok is false, but checking here allows us
 		 * to give the user a better error message.



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux