Patch "bpf: Fix a kernel verifier crash in stacksafe()" has been added to the 6.10-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    bpf: Fix a kernel verifier crash in stacksafe()

to the 6.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-a-kernel-verifier-crash-in-stacksafe.patch
and it can be found in the queue-6.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 99ba64bd8f67a115a02c06973299a90bfdb91ca3
Author: Yonghong Song <yonghong.song@xxxxxxxxx>
Date:   Mon Aug 12 14:48:47 2024 -0700

    bpf: Fix a kernel verifier crash in stacksafe()
    
    [ Upstream commit bed2eb964c70b780fb55925892a74f26cb590b25 ]
    
    Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
    Further investigation shows that the crash is due to invalid memory access
    in stacksafe(). More specifically, it is the following code:
    
        if (exact != NOT_EXACT &&
            old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
            cur->stack[spi].slot_type[i % BPF_REG_SIZE])
                return false;
    
    The 'i' iterates old->allocated_stack.
    If cur->allocated_stack < old->allocated_stack the out-of-bound
    access will happen.
    
    To fix the issue add 'i >= cur->allocated_stack' check such that if
    the condition is true, stacksafe() should fail. Otherwise,
    cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.
    
    Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
    Cc: Eduard Zingerman <eddyz87@xxxxxxxxx>
    Reported-by: Daniel Hodges <hodgesd@xxxxxxxx>
    Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
    Signed-off-by: Yonghong Song <yonghong.song@xxxxxxxxx>
    Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@xxxxxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a8845cc299fec..521bd7efae038 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16881,8 +16881,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
 		spi = i / BPF_REG_SIZE;
 
 		if (exact != NOT_EXACT &&
-		    old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
-		    cur->stack[spi].slot_type[i % BPF_REG_SIZE])
+		    (i >= cur->allocated_stack ||
+		     old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
+		     cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
 			return false;
 
 		if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ)