| Message ID | cover.1554358433.git.rdna@fb.com |
|---|---|
| Headers | show |
| Series | bpf: Fix indirect var_off stack access support | expand |
On 04/04/2019 08:22 AM, Andrey Ignatov wrote: > v2->v3: > - sanity check max value for variable offset. > > v1->v2: > - rely on meta = NULL to reject var_off stack access to uninit buffer. > > This patch set is a follow-up for discussion [1]. > > It fixes variable offset stack access handling for raw and unprivileged > mode, rejecting both of them, and sanity checks max variable offset value. > > Patch 1 handles raw (uninitialized) mode. > Patch 2 adds test for raw mode. > Patch 3 handles unprivileged mode. > Patch 4 adds test for unprivileged mode. > Patch 5 adds sanity check for max value of variable offset. > Patch 6 adds test for variable offset max value checking. > Patch 7 is a minor fix in verbose log. > > Unprivileged mode is an interesting case since one (and only?) way to come > up with variable offset is to use pointer arithmetics. Though pointer > arithmetics is already prohibited for unprivileged mode. I'm not sure if > it's enough though and it seems like a good idea to still reject variable > offset for unpriv in check_stack_boundary(). Please see patches 3 and 4 for > more details on this. > > [1] https://marc.info/?l=linux-netdev&m=155419526427742&w=2 > > > Andrey Ignatov (7): > bpf: Reject indirect var_off stack access in raw mode > selftests/bpf: Test indirect var_off stack access in raw mode > bpf: Reject indirect var_off stack access in unpriv mode > selftests/bpf: Test indirect var_off stack access in unpriv mode > bpf: Sanity check max value for var_off stack access > selftests/bpf: Test unbounded var_off stack access > bpf: Add missed newline in verifier verbose log > > kernel/bpf/verifier.c | 45 ++++++- > .../testing/selftests/bpf/verifier/var_off.c | 111 +++++++++++++++++- > 2 files changed, 150 insertions(+), 6 deletions(-) > Applied, thanks!