authorJann Horn <jannh@google.com>2017-12-18 20:11:57 -0800
committerDaniel Borkmann <daniel@iogearbox.net>2017-12-21 02:15:41 +0100
commitea25f914dc164c8d56b36147ecc86bc65f83c469 (patch)
treeae74d60039bef82d303017c162822f4fa8ddbf02 /kernel/bpf
parent468f6eafa6c44cb2c5d8aad35e12f06c240a812a (diff)
bpf: fix missing error return in check_stack_boundary()
Prevent indirect stack accesses at non-constant addresses, which would permit reading and corrupting spilled pointers.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'kernel/bpf')
-rw-r--r--kernel/bpf/verifier.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ecdc265244ca..77e4b5223867 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
verbose(env, "invalid variable stack read R%d var_off=%s\n",
regno, tn_buf);
+ return -EACCES;
}
off = regs[regno].off + regs[regno].var_off.value;
if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
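Review bot: The rejection branch that now ends in `return -EACCES;` has no comment explaining why a non-constant offset must be fatal, so the return reads like any other error exit even though the verifier's stack-safety guarantee depends on it. I would put `/* A variable offset could land on a spilled pointer slot; reject, do not just log. */` directly above the return, so that a later refactor of this logging block does not drop it again. The diffstat is limited to kernel/bpf, so I cannot tell whether a verifier selftest accompanies the fix; if none does, a case that passes a variable-offset stack pointer to a helper and expects rejection with "invalid variable stack read" would pin the behaviour. The condition that opens this block and the rest of check_stack_boundary() lie outside the hunk.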