bpf: Fix crash due to out of bounds access into reg2btf_ids.
jira VULN-72
jira VULN-7854
cve 2021-4204
cve 2022-48929
commit-author Kumar Kartikeya Dwivedi <[email protected]>
commit 45ce4b4
upstream-diff Part of this upstream change was already backported, but
because commit 3363bd0 ("bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM
argument support") had not been backported at that time, the out-of-bounds
access it introduced was not fixed in that backport. Since we have now
backported 3363bd0, we need to backport the remaining change from the
upstream fix.
When commit e6ac245 ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID, however
commit c25b2ae ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
the base register types, and defined other variants using type flag
composition. However, now, the direct usage of reg->type to index into
reg2btf_ids may no longer fall into the __BPF_REG_TYPE_MAX range, and hence
lead to an out-of-bounds access and a kernel crash on dereference of a bad pointer.
Fixes: c25b2ae ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
Signed-off-by: Kumar Kartikeya Dwivedi <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
Link: https://lore.kernel.org/bpf/[email protected]
(cherry picked from commit 45ce4b4)
Signed-off-by: Brett Mastbergen <[email protected]>
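The following is an added example, not the kernel's code and not part of this commit or its backport. It is a simplified C model of the defect the message describes: once register types are built by composing a base type with flag bits (such as PTR_MAYBE_NULL), using the composed value directly as an index into a table sized by the base-type sentinel reads past the table. The hardened lookup strips the flags first, in the spirit of the kernel's `base_type()` helper, and bounds-checks the result. The enum members, the 8-bit base-type mask, the numeric BTF IDs in the table and the helper names `lookup_unsafe_model` and `lookup_safe` are all constructed for the example.

```c
/* Added example: a simplified model of indexing a table with a
 * flag-composed register type. Not the kernel's code; all values
 * and names are constructed for illustration. */
#include <stdint.h>
#include <stdio.h>

/* Hypothetical base register types. The sentinel sits directly after
 * the base types, as the message describes for __BPF_REG_TYPE_MAX. */
enum reg_type {
    NOT_INIT = 0,
    SCALAR_VALUE,
    PTR_TO_CTX,
    PTR_TO_MEM,
    PTR_TO_BTF_ID,
    __REG_TYPE_MAX,
};

/* Assumed layout: low 8 bits hold the base type, flags live above them. */
#define BASE_TYPE_MASK  0xffu
#define PTR_MAYBE_NULL  (1u << 8)   /* flag composed as base | PTR_MAYBE_NULL */

/* Modelled on the kernel's base_type() helper (mask value assumed). */
static unsigned int base_type(unsigned int t)
{
    return t & BASE_TYPE_MASK;
}

/* Table indexed by base register type only. The IDs are constructed
 * placeholders; the real reg2btf_ids holds btf_vmlinux BTF IDs. */
static const uint32_t reg2btf_ids[__REG_TYPE_MAX] = {
    [PTR_TO_CTX]    = 101u,
    [PTR_TO_MEM]    = 102u,
    [PTR_TO_BTF_ID] = 103u,
};

/* Model of the defective lookup: the composed type is used as the index.
 * Instead of performing the out-of-bounds read, report it as -1 so the
 * example can show exactly which inputs would have crashed. */
static long lookup_unsafe_model(unsigned int reg_type)
{
    if (reg_type >= __REG_TYPE_MAX)
        return -1;                      /* this is the out-of-bounds access */
    return reg2btf_ids[reg_type];
}

/* Hardened lookup: extract the base type, bounds-check, then index.
 * Returns the table entry (0 meaning "no BTF ID") or -1 if the base
 * type itself is out of range. */
static long lookup_safe(unsigned int reg_type)
{
    unsigned int base = base_type(reg_type);

    if (base >= __REG_TYPE_MAX)
        return -1;
    return reg2btf_ids[base];
}

int main(void)
{
    unsigned int composed = PTR_TO_MEM | PTR_MAYBE_NULL;

    printf("composed type 0x%x: unsafe=%ld safe=%ld\n",
           composed, lookup_unsafe_model(composed), lookup_safe(composed));
    printf("plain PTR_TO_CTX: unsafe=%ld safe=%ld\n",
           lookup_unsafe_model(PTR_TO_CTX), lookup_safe(PTR_TO_CTX));
    return 0;
}
```

Run stand-alone, the program shows that a plain base type works with either lookup, while the flag-composed type is rejected by the unsafe model (where the real code would have read out of bounds) and resolved correctly by the hardened one.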