authorDaniel Borkmann <daniel@iogearbox.net>2017-12-22 16:23:08 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2017-12-25 14:26:32 +0100
commit2120fca0ecfb4552d27608d409ebd3403ce02ce4 (patch)
tree60f786ba1a49e94fa1b88870a86f831a89030af9
parent6c8e098d0324412d4ae9e06c7e611a96b87faf80 (diff)
bpf: fix missing error return in check_stack_boundary()
From: Jann Horn <jannh@google.com> Prevent indirect stack accesses at non-constant addresses, which would permit reading and corrupting spilled pointers. Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-rw-r--r--kernel/bpf/verifier.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0c7e4c8a2b8a..8aa98a0591d6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
verbose("invalid variable stack read R%d var_off=%s\n",
regno, tn_buf);
+ return -EACCES;
}
off = regs[regno].off + regs[regno].var_off.value;
if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
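Review bot: The `return -EACCES;` added after the `verbose()` call is what makes `off = regs[regno].off + regs[regno].var_off.value` on the next line sound, but nothing in the code states that invariant. `var_off.value` is the exact offset only when the tnum is constant, so a comment before the computation would help, for example `/* var_off is constant here (non-constant rejected above), so .value is the exact offset */`. The enclosing `if` condition and the start of check_stack_boundary() are outside the hunk, so this assumes the block is the non-constant `var_off` branch, as the log message suggests. The commit touches one file and adds no verifier selftest, so a rejected-program case passing a variable-offset stack pointer to a helper would guard against this return being lost again.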