diff options
author | Daniel Borkmann <daniel@iogearbox.net> | 2017-12-22 16:23:08 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2017-12-25 14:26:32 +0100 |
commit | 2120fca0ecfb4552d27608d409ebd3403ce02ce4 (patch) | |
tree | 60f786ba1a49e94fa1b88870a86f831a89030af9 /kernel | |
parent | 6c8e098d0324412d4ae9e06c7e611a96b87faf80 (diff) |
bpf: fix missing error return in check_stack_boundary()
From: Jann Horn <jannh@google.com>
Prevent indirect stack accesses at non-constant addresses, which would
permit reading and corrupting spilled pointers.
Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'kernel')
-rw-r--r-- | kernel/bpf/verifier.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 0c7e4c8a2b8a..8aa98a0591d6 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off); verbose("invalid variable stack read R%d var_off=%s\n", regno, tn_buf); + return -EACCES; } off = regs[regno].off + regs[regno].var_off.value; if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || |