• Jann Horn's avatar
    bpf: Fix handling of XADD on BTF memory · 8ff3571f
    Jann Horn authored
    check_xadd() can cause check_ptr_to_btf_access() to be executed with
    atype==BPF_READ and value_regno==-1 (meaning "just check whether the access
    is okay, don't tell me what type it will result in").
    Handle that case properly and skip writing type information, instead of
    indexing into the registers at index -1 and writing into out-of-bounds
    memory.
    
    Note that at least at the moment, you can't actually write through a BTF
    pointer, so check_xadd() will reject the program after calling
    check_ptr_to_btf_access with atype==BPF_WRITE; but that's after the
    verifier has already corrupted memory.
    
    This patch assumes that BTF pointers are not available in unprivileged
    programs.
    
    Fixes: 9e15db66 ("bpf: Implement accurate raw_tp context access via BTF")
    Signed-off-by: default avatarJann Horn <jannh@google.com>
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Link: https://lore.kernel.org/bpf/20200417000007.10734-2-jannh@google.com
    8ff3571f
verifier.c 311 KB