
From: Daniel Borkmann <daniel@iogearbox.net>

mainline inclusion
from mainline-v6.12-rc1
commit b8e188f023e07a733b47d5865311ade51878fe40
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAYQOP
CVE: CVE-2024-49861

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...

--------------------------------

The assumption of 'in privileged mode reads from uninitialized stack locations are permitted' is not quite correct since the verifier was probing for read access rather than write access. Both tests need to be annotated as __success for privileged and unprivileged.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20240913191754.13290-6-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Conflicts:
	tools/testing/selftests/bpf/verifier/int_ptr.c
	tools/testing/selftests/bpf/progs/verifier_int_ptr.c
[The conflicts were due to test files changed]

Signed-off-by: Xiaomeng Zhang <zhangxiaomeng13@huawei.com>
---
 tools/testing/selftests/bpf/verifier/int_ptr.c | 7 +------
 1 file changed, 1 insertion(+), 6 deletions(-)

diff --git a/tools/testing/selftests/bpf/verifier/int_ptr.c b/tools/testing/selftests/bpf/verifier/int_ptr.c index c28cd2b8f1da..b4a661d24338 100644 --- a/tools/testing/selftests/bpf/verifier/int_ptr.c +++ b/tools/testing/selftests/bpf/verifier/int_ptr.c @@ -1,5 +1,5 @@ { - "ARG_PTR_TO_LONG uninitialized", + "ARG_PTR_TO_LONG uninitialized" .insns = { /* bpf_strtoul arg1 (buf) */ BPF_MOV64_REG(BPF_REG_7, BPF_REG_10), @@ -27,8 +27,6 @@ }, .result = ACCEPT, .retval = POINTER_VALUE, - .errstr_unpriv = "invalid indirect read from stack R4 off -16+0 size 8", - .result_unpriv = REJECT, }, { "ARG_PTR_TO_LONG half-uninitialized", 
@@ -58,9 +56,6 @@ BPF_MOV64_IMM(BPF_REG_0, 0), BPF_EXIT_INSN(), }, - .result_unpriv = REJECT, - .errstr_unpriv = "invalid indirect read from stack R4 off -16+4 size 8", - /* in privileged mode reads from uninitialized stack locations are permitted */ .result = ACCEPT, }, { -- 2.34.1
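Review bot: The first hunk (@@ -1,5 +1,5 @@) drops the trailing comma after "ARG_PTR_TO_LONG uninitialized", so the test-name string now runs straight into `.insns = {` and the initializer will not compile. Nothing in the commit message calls for touching this line, and it accounts for the single insertion in the diffstat, so it looks like a conflict-resolution slip. Restore the comma, which removes this -/+ pair and leaves the patch as pure deletions of the `_unpriv` fields.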
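Review bot: In the last hunk (@@ -58,9 +56,6 @@, the "ARG_PTR_TO_LONG half-uninitialized" test), removing the stale comment together with `.result_unpriv` and `.errstr_unpriv` leaves `.result = ACCEPT` as the only expectation, with nothing in the file saying it is now meant to hold for unprivileged loads as well. The commit message explains the reasoning, but a one-line comment above `.result = ACCEPT` stating that both privileged and unprivileged are expected to accept would keep that intent visible in the test itself. The same applies to the first test, where the `.result_unpriv = REJECT` override is removed without a replacement comment.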