Commit e1fad0ff authored by Kumar Kartikeya Dwivedi's avatar Kumar Kartikeya Dwivedi Committed by Alexei Starovoitov

bpf: Disallow negative offset in check_ptr_off_reg

check_ptr_off_reg only allows fixed offset to be set for PTR_TO_BTF_ID,
where reg->off < 0 doesn't make sense. This would shift the pointer
backwards, and fails later in btf_struct_ids_match or btf_struct_walk
due to out of bounds access (since offset is interpreted as unsigned).

Improve the verifier by rejecting this case by using a better error
message for BPF helpers and kfunc, by putting a check inside the
check_func_arg_reg_off function.

Also, update existing verifier selftests to work with new error string.
Signed-off-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220304224645.3677453-4-memxor@gmail.com
parent 655efe50
...@@ -3990,6 +3990,12 @@ static int __check_ptr_off_reg(struct bpf_verifier_env *env, ...@@ -3990,6 +3990,12 @@ static int __check_ptr_off_reg(struct bpf_verifier_env *env,
* is only allowed in its original, unmodified form. * is only allowed in its original, unmodified form.
*/ */
if (reg->off < 0) {
verbose(env, "negative offset %s ptr R%d off=%d disallowed\n",
reg_type_str(env, reg->type), regno, reg->off);
return -EACCES;
}
if (!fixed_off_ok && reg->off) { if (!fixed_off_ok && reg->off) {
verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n", verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n",
reg_type_str(env, reg->type), regno, reg->off); reg_type_str(env, reg->type), regno, reg->off);
......
...@@ -105,7 +105,7 @@ ...@@ -105,7 +105,7 @@
BPF_EXIT_INSN(), BPF_EXIT_INSN(),
}, },
.errstr_unpriv = "R1 has pointer with unsupported alu operation", .errstr_unpriv = "R1 has pointer with unsupported alu operation",
.errstr = "dereference of modified ctx ptr", .errstr = "negative offset ctx ptr R1 off=-1 disallowed",
.result = REJECT, .result = REJECT,
.flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
}, },
......
...@@ -58,7 +58,7 @@ ...@@ -58,7 +58,7 @@
}, },
.prog_type = BPF_PROG_TYPE_SCHED_CLS, .prog_type = BPF_PROG_TYPE_SCHED_CLS,
.result = REJECT, .result = REJECT,
.errstr = "dereference of modified ctx ptr", .errstr = "negative offset ctx ptr R1 off=-612 disallowed",
}, },
{ {
"pass modified ctx pointer to helper, 2", "pass modified ctx pointer to helper, 2",
...@@ -71,8 +71,8 @@ ...@@ -71,8 +71,8 @@
}, },
.result_unpriv = REJECT, .result_unpriv = REJECT,
.result = REJECT, .result = REJECT,
.errstr_unpriv = "dereference of modified ctx ptr", .errstr_unpriv = "negative offset ctx ptr R1 off=-612 disallowed",
.errstr = "dereference of modified ctx ptr", .errstr = "negative offset ctx ptr R1 off=-612 disallowed",
}, },
{ {
"pass modified ctx pointer to helper, 3", "pass modified ctx pointer to helper, 3",
...@@ -141,7 +141,7 @@ ...@@ -141,7 +141,7 @@
.prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR, .prog_type = BPF_PROG_TYPE_CGROUP_SOCK_ADDR,
.expected_attach_type = BPF_CGROUP_UDP6_SENDMSG, .expected_attach_type = BPF_CGROUP_UDP6_SENDMSG,
.result = REJECT, .result = REJECT,
.errstr = "dereference of modified ctx ptr", .errstr = "negative offset ctx ptr R1 off=-612 disallowed",
}, },
{ {
"pass ctx or null check, 5: null (connect)", "pass ctx or null check, 5: null (connect)",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment