path: root/kernel/bpf/bpf_iter.c
author: Kris Van Hees <kris.van.hees@oracle.com> 2022-01-05 16:01:50 -0500
committer: Alexei Starovoitov <ast@kernel.org> 2022-01-05 13:38:22 -0800
commit: a5bebc4f00dee47113eed48098c68e88b5ba70e8 (patch)
tree: f181ef8d0f48c0d045e245e445ba404113ee6cb3 /kernel/bpf/bpf_iter.c
parent: 58d8a3fc4a40dcfebf333ab2dc2c7c338249be51 (diff)
bpf: Fix verifier support for validation of async callbacks
Commit bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.") added support for BPF_FUNC_timer_set_callback to the __check_func_call() function. The test in __check_func_call() is flawed because it can mis-interpret a regular BPF-to-BPF pseudo-call as a BPF_FUNC_timer_set_callback callback call.

Consider the conditional in the code:

    if (insn->code == (BPF_JMP | BPF_CALL) &&
        insn->imm == BPF_FUNC_timer_set_callback) {

The BPF_FUNC_timer_set_callback has value 170. This means that if you have a BPF program that contains a pseudo-call with an instruction delta of 170, this conditional will be found to be true by the verifier, and it will interpret the pseudo-call as a callback. This leads to a mess with the verification of the program because it makes the wrong assumptions about the nature of this call.

Solution: include an explicit check to ensure that insn->src_reg == 0. This ensures that calls cannot be mis-interpreted as an async callback call.

Fixes: bfc6bb74e4f1 ("bpf: Implement verifier support for validation of async callbacks.")
Signed-off-by: Kris Van Hees <kris.van.hees@oracle.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220105210150.GH1559@oracle.com
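As an added illustration (not kernel code and not part of this commit), the predicate before and after the fix side by side, applied to a constructed helper call and a constructed pseudo-call whose instruction delta happens to be 170. The struct layout and the BPF_JMP, BPF_CALL and BPF_PSEUDO_CALL values mirror the uapi headers; the value 170 for BPF_FUNC_timer_set_callback is the one stated in the commit message.

```c
/* Added illustration: why the pre-fix test in __check_func_call() could
 * confuse a BPF-to-BPF pseudo-call with a bpf_timer_set_callback() call.
 * Constants mirror linux/bpf.h and linux/bpf_common.h (assumption). */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define BPF_JMP                      0x05
#define BPF_CALL                     0x80
#define BPF_PSEUDO_CALL              1    /* src_reg marking a BPF-to-BPF call */
#define BPF_FUNC_timer_set_callback  170  /* helper id quoted in the commit */

struct bpf_insn {                 /* same field layout as the uapi struct */
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;
};

/* Predicate as it was before the fix: looks only at opcode and imm. */
static bool is_timer_cb_old(const struct bpf_insn *insn)
{
    return insn->code == (BPF_JMP | BPF_CALL) &&
           insn->imm == BPF_FUNC_timer_set_callback;
}

/* Predicate after the fix: a helper call has src_reg == 0, whereas a
 * pseudo-call carries BPF_PSEUDO_CALL and its imm is an instruction delta. */
static bool is_timer_cb_new(const struct bpf_insn *insn)
{
    return insn->code == (BPF_JMP | BPF_CALL) &&
           insn->src_reg == 0 &&
           insn->imm == BPF_FUNC_timer_set_callback;
}

/* Constructed samples: a genuine helper call, and a pseudo-call whose
 * target happens to sit 170 instructions ahead. */
static const struct bpf_insn helper_call = {
    .code = BPF_JMP | BPF_CALL, .src_reg = 0, .imm = BPF_FUNC_timer_set_callback };
static const struct bpf_insn pseudo_call_170 = {
    .code = BPF_JMP | BPF_CALL, .src_reg = BPF_PSEUDO_CALL, .imm = 170 };

int main(void)
{
    printf("old check: helper=%d pseudo=%d\n",
           is_timer_cb_old(&helper_call), is_timer_cb_old(&pseudo_call_170));
    printf("new check: helper=%d pseudo=%d\n",
           is_timer_cb_new(&helper_call), is_timer_cb_new(&pseudo_call_170));
    return 0;
}
```

The old predicate reports both instructions as a timer callback registration; the new one rejects the pseudo-call, which is exactly the misclassification the src_reg check closes.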
Diffstat (limited to 'kernel/bpf/bpf_iter.c')
0 files changed, 0 insertions, 0 deletions