| author | Andrii Nakryiko <andrii@kernel.org> | 2023-12-08 14:19:00 -0800 |
|---|---|---|
| committer | Andrii Nakryiko <andrii@kernel.org> | 2023-12-08 14:19:01 -0800 |
| commit | 4af20ab9edee62aa2bb5b6f31b7f029de14e0756 (patch) | |
| tree | fc1c424f93e93746a902718f4a0284e6fd002822 /include/linux | |
| parent | 8b7b0e5fe47de90ba6c350f9abece589fb637f79 (diff) | |
| parent | 2929bfac006d8f8e22b307d04e0d71bcb84db698 (diff) | |
Merge branch 'bpf-fix-accesses-to-uninit-stack-slots'
Andrei Matei says:
====================
bpf: fix accesses to uninit stack slots
Fix two related issues around verifying stack accesses:
1. accesses to uninitialized stack memory were allowed inconsistently
2. the maximum stack depth needed for a program was not always
maintained correctly
The two issues are fixed together in one commit because the code for one
affects the other.
V4 to V5:
- target bpf-next (Alexei)
V3 to V4:
- minor fixup to comment in patch 1 (Eduard)
- C89-style in patch 3 (Andrii)
V2 to V3:
- address review comments from Andrii and Eduard
- drop new verifier tests in favor of editing existing tests to check
for stack depth
- append a patch with a bit of cleanup coming out of the previous review
====================
Link: https://lore.kernel.org/r/20231208032519.260451-1-andreimatei1@gmail.com
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/bpf_verifier.h | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index bada59812e00..314b679fb494 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -321,7 +321,17 @@ struct bpf_func_state { /* The following fields should be last. See copy_func_state() */ int acquired_refs; struct bpf_reference_state *refs; + /* The state of the stack. Each element of the array describes BPF_REG_SIZE + * (i.e. 8) bytes worth of stack memory. + * stack[0] represents bytes [*(r10-8)..*(r10-1)] + * stack[1] represents bytes [*(r10-16)..*(r10-9)] + * ... + * stack[allocated_stack/8 - 1] represents [*(r10-allocated_stack)..*(r10-allocated_stack+7)] + */ struct bpf_stack_state *stack; + /* Size of the current stack, in bytes. The stack state is tracked below, in + * `stack`. allocated_stack is always a multiple of BPF_REG_SIZE. + */ int allocated_stack; }; @@ -658,6 +668,10 @@ struct bpf_verifier_env { int exception_callback_subprog; bool explore_alu_limits; bool allow_ptr_leaks; + /* Allow access to uninitialized stack memory. Writes with fixed offset are + * always allowed, so this refers to reads (with fixed or variable offset), + * to writes with variable offset and to indirect (helper) accesses. + */ bool allow_uninit_stack; bool bpf_capable; bool bypass_spec_v1; |
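Review bot: in the first hunk (struct bpf_func_state), the new comment on allocated_stack says the stack state "is tracked below, in `stack`", but `struct bpf_stack_state *stack;` is declared immediately above `int allocated_stack;` in the same hunk, so the cross-reference points the wrong way; either say "above" or drop the pointer and keep only the "always a multiple of BPF_REG_SIZE" invariant. A secondary point in the same hunk: the comment introduces BPF_REG_SIZE on its first line and then hard-codes the width in `stack[allocated_stack/8 - 1]`; writing `stack[allocated_stack/BPF_REG_SIZE - 1]` avoids naming the same quantity two ways. The byte-range notation `[*(r10-8)..*(r10-1)]` also reads as dereferences rather than addresses; `[r10-8, r10-1]` (or "bytes at offsets -8..-1 from r10") is less ambiguous.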
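Review bot: in the second hunk (struct bpf_verifier_env), the comment on allow_uninit_stack says what the flag permits but not what sets it; since the field sits between allow_ptr_leaks and bpf_capable, one clause naming the privilege it is derived from, or the point in the verifier where it is initialised, would save readers a grep. The list "reads (with fixed or variable offset), writes with variable offset and indirect (helper) accesses" also leaves it unclear whether indirect writes through a helper are gated like direct variable-offset writes or allowed like fixed-offset writes; stating that explicitly (and, for the rationale, that uninitialised slots may still hold stale kernel data, which is why fixed-offset writes are the only access that is always safe) would make the security intent of the flag self-documenting.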
