This is a note to let you know that I've just added the patch titled bpf: Fix a kernel verifier crash in stacksafe() to the 6.10-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bpf-fix-a-kernel-verifier-crash-in-stacksafe.patch and it can be found in the queue-6.10 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. commit 99ba64bd8f67a115a02c06973299a90bfdb91ca3 Author: Yonghong Song <yonghong.song@xxxxxxxxx> Date: Mon Aug 12 14:48:47 2024 -0700 bpf: Fix a kernel verifier crash in stacksafe() [ Upstream commit bed2eb964c70b780fb55925892a74f26cb590b25 ] Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code: if (exact != NOT_EXACT && old->stack[spi].slot_type[i % BPF_REG_SIZE] != cur->stack[spi].slot_type[i % BPF_REG_SIZE]) return false; The 'i' iterates old->allocated_stack. If cur->allocated_stack < old->allocated_stack the out-of-bound access will happen. To fix the issue add 'i >= cur->allocated_stack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal. Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks") Cc: Eduard Zingerman <eddyz87@xxxxxxxxx> Reported-by: Daniel Hodges <hodgesd@xxxxxxxx> Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx> Signed-off-by: Yonghong Song <yonghong.song@xxxxxxxxx> Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@xxxxxxxxx Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index a8845cc299fec..521bd7efae038 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -16881,8 +16881,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old, spi = i / BPF_REG_SIZE; if (exact != NOT_EXACT && - old->stack[spi].slot_type[i % BPF_REG_SIZE] != - cur->stack[spi].slot_type[i % BPF_REG_SIZE]) + (i >= cur->allocated_stack || + old->stack[spi].slot_type[i % BPF_REG_SIZE] != + cur->stack[spi].slot_type[i % BPF_REG_SIZE])) return false; if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)