    bpf: fix integer overflows · bb7f0f98
    Alexei Starovoitov authored
    There were various issues related to the limited size of integers used in
    the verifier:
     - `off + size` overflow in __check_map_access()
     - `off + reg->off` overflow in check_mem_access()
     - `off + reg->var_off.value` overflow or 32-bit truncation of
       `reg->var_off.value` in check_mem_access()
     - 32-bit truncation in check_stack_boundary()
    
    Make sure that any integer math cannot overflow by not allowing
    pointer math with large values.
    
    Also reduce the scope of "scalar op scalar" tracking.
    
    Fixes: f1174f77 ("bpf/verifier: rework value tracking")
    Reported-by: Jann Horn <jannh@google.com>
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
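The two failure classes the commit message lists, an `off + size` sum that wraps and a 64-bit variable offset that is truncated to 32 bits before the bounds check, are easy to reproduce in isolation. The following is an added illustration written for this page, not code from the kernel verifier or from this commit: `OBJ_SIZE`, `MAX_OFF` and every function name here are hypothetical stand-ins for the verifier's own constants and helpers. It places a naive check beside one that refuses large values before doing any arithmetic, which is the approach the message describes ("not allowing pointer math with large values").

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical object size and offset cap (assumed values for illustration;
 * the real verifier uses its own limits). */
#define OBJ_SIZE 64u
#define MAX_OFF  0x7fffffffu

/* Naive range check: `off + size` is computed in 32 bits and can wrap,
 * so a huge offset plus a small size lands back inside the object. */
static bool naive_check(uint32_t off, uint32_t size)
{
    return off + size <= OBJ_SIZE;
}

/* Overflow-safe range check: compare against the remaining room instead of
 * forming the sum, so no intermediate value can wrap. */
static bool safe_check(uint32_t off, uint32_t size)
{
    if (size == 0 || off > OBJ_SIZE)
        return false;
    return size <= OBJ_SIZE - off;
}

/* Truncation bug: the 64-bit variable part is narrowed to 32 bits before
 * the (otherwise correct) range check sees it, so a value with only high
 * bits set looks like zero. */
static bool truncating_check_var(uint64_t base_off, uint64_t var, uint32_t size)
{
    uint32_t off = (uint32_t)(base_off + var);
    return safe_check(off, size);
}

/* Hardened variant: reject any component above MAX_OFF first, then add in
 * 64 bits. With both parts capped at MAX_OFF the sum fits in 32 bits, so
 * the narrowing conversion below is exact. */
static bool safe_check_var(uint64_t base_off, uint64_t var, uint32_t size)
{
    if (base_off > MAX_OFF || var > MAX_OFF)
        return false;
    uint64_t off = base_off + var;
    if (off > UINT32_MAX)
        return false;
    return safe_check((uint32_t)off, size);
}

int main(void)
{
    /* Constructed inputs: a wrapped sum and a truncated variable part. */
    printf("naive_check(0xffffffff, 8)        = %d\n", naive_check(0xffffffffu, 8));
    printf("safe_check(0xffffffff, 8)         = %d\n", safe_check(0xffffffffu, 8));
    printf("truncating_check_var(0, 1<<32, 8) = %d\n",
           truncating_check_var(0, 1ULL << 32, 8));
    printf("safe_check_var(0, 1<<32, 8)       = %d\n",
           safe_check_var(0, 1ULL << 32, 8));
    return 0;
}
```

Built and run as-is, the naive and truncating variants report the two out-of-bounds accesses as in range while the safe variants reject them; in-range accesses such as offset 60 with size 4 still pass the safe check.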
verifier.c 137 KB