From: Andrii Nakryiko <andrii@kernel.org>

stable inclusion
from stable-v6.1.107
commit 40c88c429a598006f91ad7a2b89856cd50b3a008
category: bugfix
bugzilla: https://atomgit.com/src-openeuler/kernel/issues/13001
CVE: CVE-2023-54145

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...

--------------------------------

[ Upstream commit cff36398bd4c7d322d424433db437f3c3391c491 ]

It's trivial for user to trigger "verifier log line truncated" warning,
as verifier has a fixed-sized buffer of 1024 bytes (as of now), and there
are at least two pieces of user-provided information that can be output
through this buffer, and both can be arbitrarily sized by user:
  - BTF names;
  - BTF.ext source code lines strings.

Verifier log buffer should be properly sized for typical verifier state
output. But it's sort-of expected that this buffer won't be long enough
in some circumstances. So let's drop the check. In any case code will
work correctly, at worst truncating a part of a single line output.

Reported-by: syzbot+8b2a08dfbd25fd933d75@syzkaller.appspotmail.com
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20230516180409.3549088-1-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Conflicts:
	kernel/bpf/verifier.c
	kernel/bpf/log.c
[Conflicts due to not merge 4294a0a7ab62 ("bpf: Split off basic BPF verifier log into separate file")]
Signed-off-by: Zhang Qilong <zhangqilong3@huawei.com>
---
 kernel/bpf/verifier.c | 3 ---
 1 file changed, 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 13849004ae38..fe05d95569d8 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c 
@@ -273,13 +273,10 @@ void bpf_verifier_vlog(struct bpf_verifier_log *log, const char *fmt, { unsigned int n; n = vscnprintf(log->kbuf, BPF_VERIFIER_TMP_LOG_SIZE, fmt, args); - WARN_ONCE(n >= BPF_VERIFIER_TMP_LOG_SIZE - 1, - "verifier log line truncated - local buffer too short\n"); - n = min(log->len_total - log->len_used - 1, n); log->kbuf[n] = '\0'; if (log->level == BPF_LOG_KERNEL) { pr_err("BPF:%s\n", log->kbuf); -- 2.43.0
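Review bot: in bpf_verifier_vlog(), once the WARN_ONCE() after the vscnprintf() call is gone, a line cut at BPF_VERIFIER_TMP_LOG_SIZE is truncated silently and nothing in the code says that this is intended. Consider a one-line comment above the vscnprintf() call stating that truncation is expected because BTF names and BTF.ext source lines are user-sized, so the warning is not reintroduced later. The removal itself looks safe: vscnprintf() returns at most BPF_VERIFIER_TMP_LOG_SIZE - 1, so log->kbuf[n] = '\0' stays in bounds without the check, assuming kbuf is at least that size. Separately, the retained n = min(log->len_total - log->len_used - 1, n) relies on len_used being smaller than len_total; that guard is not visible in this hunk and is worth confirming in the backport, given the noted conflict with kernel/bpf/log.c.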