    bpf: Reject indirect var_off stack access in unpriv mode · 088ec26d
    Andrey Ignatov authored
    Proper support of indirect stack access with variable offset in
    unprivileged mode (!root) requires corresponding support in Spectre
    masking for stack ALU in retrieve_ptr_limit().
    
    There is no use case for variable offset in unprivileged mode though, so
    make the verifier reject such accesses for simplicity.
    
    Pointer arithmetic is one (and only?) way to cause variable offset and
    it's already rejected in unpriv mode so that the verifier won't even get to
    a helper function whose argument contains variable offset, e.g.:
    
      0: (7a) *(u64 *)(r10 -16) = 0
      1: (7a) *(u64 *)(r10 -8) = 0
      2: (61) r2 = *(u32 *)(r1 +0)
      3: (57) r2 &= 4
      4: (17) r2 -= 16
      5: (0f) r2 += r10
      variable stack access var_off=(0xfffffffffffffff0; 0x4) off=-16 size=1R2
      stack pointer arithmetic goes out of range, prohibited for !root
    
    Still it looks like a good idea to reject variable offset indirect stack
    access for unprivileged mode in check_stack_boundary() explicitly.
    
    Fixes: 2011fccf ("bpf: Support variable offset stack access from helpers")
    Reported-by: Daniel Borkmann <daniel@iogearbox.net>
    Signed-off-by: Andrey Ignatov <rdna@fb.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
verifier.c 233 KB
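
Added example, not part of the commit or the kernel source: a small C model of the verifier's tristate-number tracking that reproduces the `var_off=(0xfffffffffffffff0; 0x4)` shown in the log for instructions 2-4, then applies a constant-offset requirement for unprivileged programs. The tnum helpers are modeled on the kernel's tnum arithmetic; `check_indirect_stack_access` and its `privileged` flag are hypothetical names, not the verifier's.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Tristate number: 'value' holds the known bits, 'mask' marks the unknown ones. */
struct tnum { uint64_t value, mask; };

static struct tnum tnum_const(uint64_t v) { return (struct tnum){ v, 0 }; }

/* AND: a result bit is unknown only if it may be 1 in both operands and is not known to be 1. */
static struct tnum tnum_and(struct tnum a, struct tnum b)
{
    uint64_t v = a.value & b.value;
    return (struct tnum){ v, (a.value | a.mask) & (b.value | b.mask) & ~v };
}

/* SUB: unknown bits are the operands' unknown bits plus any bit where the
 * largest and smallest possible results differ. */
static struct tnum tnum_sub(struct tnum a, struct tnum b)
{
    uint64_t dv = a.value - b.value;
    uint64_t mu = ((dv + a.mask) ^ (dv - b.mask)) | a.mask | b.mask;
    return (struct tnum){ dv & ~mu, mu };
}

/* var_off of r2 after insns 2-4 of the program quoted in the commit message. */
static struct tnum r2_var_off(void)
{
    struct tnum r2 = { 0, 0xffffffffULL };   /* 2: r2 = *(u32 *)(r1 +0), low 32 bits unknown */
    r2 = tnum_and(r2, tnum_const(4));        /* 3: r2 &= 4 */
    return tnum_sub(r2, tnum_const(16));     /* 4: r2 -= 16 */
}

/* Hypothetical policy check (names assumed): a stack pointer handed to a helper
 * must have a constant offset unless the program was loaded by a privileged user. */
static int check_indirect_stack_access(struct tnum var_off, bool privileged)
{
    if (var_off.mask != 0 && !privileged)
        return -1;   /* reject: offset is not known at verification time */
    return 0;
}

int main(void)
{
    struct tnum t = r2_var_off();
    printf("var_off=(0x%llx; 0x%llx)\n", (unsigned long long)t.value, (unsigned long long)t.mask);
    printf("unpriv: %d, root: %d\n", check_indirect_stack_access(t, false),
           check_indirect_stack_access(t, true));
    return 0;
}
```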