    bpf: Clobber stack slot when writing over spilled PTR_TO_BTF_ID · 261f4664
    Kumar Kartikeya Dwivedi authored
    When support was added for spilled PTR_TO_BTF_ID to be accessed by
    helper memory access, the stack slot was not overwritten to STACK_MISC
    (and that too is only safe when env->allow_ptr_leaks is true).
    
    This means that helpers that take ARG_PTR_TO_MEM and write to it may
    essentially overwrite the value while the verifier continues to track
    the slot for the spilled register.
    
    This can cause issues when PTR_TO_BTF_ID is spilled to stack, and then
    overwritten by helper write access, which can then be passed to BPF
    helpers or kfuncs.
    
    Handle this by falling back to the case introduced in a later commit,
    which will also handle PTR_TO_BTF_ID along with other pointer types,
    i.e. cd17d38f ("bpf: Permits pointers on stack for helper calls").
    
    Finally, include a comment on why REG_LIVE_WRITTEN is not being set when
    clobber is set to true. In short, the reason is that while we know that
    we won't be writing when clobber is unset, when it is true we *may*
    write to any of the stack slots in that range. It may be a partial or
    complete write, to just one or many stack slots.
    
    We cannot be sure, hence to be conservative, we leave things as is and
    never set REG_LIVE_WRITTEN for any stack slot. However, clobber still
    needs to reset them to STACK_MISC assuming writes happened. Read marks,
    however, still need to be propagated upwards from a liveness point of
    view, as the parent stack slot's contents may still continue to matter
    to child states.
    
    Cc: Yonghong Song <yhs@meta.com>
    Fixes: 1d68f22b ("bpf: Handle spilled PTR_TO_BTF_ID properly when checking stack_boundary")
    Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
    Link: https://lore.kernel.org/r/20221103191013.1236066-4-memxor@gmail.com
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
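The slot-tracking problem the commit message describes, as an added illustration that is not the kernel's code: a deliberately simplified model of the verifier's stack-slot state in which the names `check_stack_range`, `load_from_slot`, `reload_after_helper_write` and the `fixed` flag are assumptions of the model, while `STACK_SPILL`, `STACK_MISC` and `PTR_TO_BTF_ID` are the real verifier enum names.

```c
/* Simplified model of the verifier's stack-slot tracking (added example,
 * not kernel code): why a helper that may write through ARG_PTR_TO_MEM must
 * clobber a spilled PTR_TO_BTF_ID slot to STACK_MISC instead of keeping it. */
#include <stdbool.h>

enum slot_type { STACK_INVALID, STACK_SPILL, STACK_MISC };
enum reg_type  { NOT_INIT, SCALAR_VALUE, PTR_TO_BTF_ID };

struct stack_slot {
	enum slot_type type;    /* classification of this 8-byte slot */
	enum reg_type  spilled; /* register type tracked while type == STACK_SPILL */
};

/* Range check for a helper's ARG_PTR_TO_MEM argument. clobber: the helper may
 * write the range. fixed: this commit, where the spilled PTR_TO_BTF_ID falls
 * through to the generic pointer-on-stack handling that resets the slot. */
static bool check_stack_range(struct stack_slot *st, int first, int n,
			      bool clobber, bool allow_ptr_leaks, bool fixed)
{
	for (int i = first; i < first + n; i++) {
		if (st[i].type == STACK_SPILL && st[i].spilled == PTR_TO_BTF_ID) {
			if (!allow_ptr_leaks)
				return false; /* pointer must not reach the helper */
			if (!fixed)
				continue;     /* pre-fix: slot keeps its pointer type */
		}
		if (clobber) {            /* helper may write: forget the contents */
			st[i].type = STACK_MISC;
			st[i].spilled = NOT_INIT;
		}
	}
	return true;
}

/* Type the verifier gives a register loaded back from a slot. */
static enum reg_type load_from_slot(const struct stack_slot *s)
{
	return s->type == STACK_SPILL ? s->spilled : SCALAR_VALUE;
}

/* Spill a PTR_TO_BTF_ID, hand the slot to a writing helper, reload it. Pre-fix
 * the reload is still typed PTR_TO_BTF_ID although the helper may have
 * overwritten the slot; with the fix it is an untrusted scalar. */
enum reg_type reload_after_helper_write(bool fixed)
{
	struct stack_slot st[1] = { { STACK_SPILL, PTR_TO_BTF_ID } };
	if (!check_stack_range(st, 0, 1, true, true, fixed))
		return NOT_INIT;
	return load_from_slot(&st[0]);
}
```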
verifier.c 438 KB