[PATCH OLK-6.6] bpf: Fix a kernel verifier crash in stacksafe() - Kernel

14 Sep 2024

From: Yonghong Song yonghong.song@linux.dev
stable inclusion
from stable-v6.6.48
commit 7cad3174cc79519bf5f6c4441780264416822c08
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAQOJD
CVE: CVE-2024-45020
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
commit bed2eb964c70b780fb55925892a74f26cb590b25 upstream.
Daniel Hodges reported a kernel verifier crash when playing with sched-ext.
Further investigation shows that the crash is due to invalid memory access
in stacksafe(). More specifically, it is the following code:
if (exact != NOT_EXACT &&
        old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
        cur->stack[spi].slot_type[i % BPF_REG_SIZE])
            return false;
The 'i' iterates old->allocated_stack.
If cur->allocated_stack < old->allocated_stack the out-of-bound
access will happen.
To fix the issue add 'i >= cur->allocated_stack' check such that if
the condition is true, stacksafe() should fail. Otherwise,
cur->stack[spi].slot_type[i % BPF_REG_SIZE] memory access is legal.
Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Cc: Eduard Zingerman eddyz87@gmail.com
Reported-by: Daniel Hodges hodgesd@meta.com
Acked-by: Eduard Zingerman eddyz87@gmail.com
Signed-off-by: Yonghong Song yonghong.song@linux.dev
Link: https://lore.kernel.org/r/20240812214847.213612-1-yonghong.song@linux.dev
Signed-off-by: Alexei Starovoitov ast@kernel.org
[ shung-hsi.yu: "exact" variable is bool instead enum because commit
  4f81c16f50ba ("bpf: Recognize that two registers are safe when their
  ranges match") is not present. ]
Signed-off-by: Shung-Hsi Yu shung-hsi.yu@suse.com
Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
Signed-off-by: Pu Lehui pulehui@huawei.com
---
 kernel/bpf/verifier.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e02ed203e90b..6a94f341587a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -16128,8 +16128,9 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
    	spi = i / BPF_REG_SIZE;
if (exact &&
-		    old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
-		    cur->stack[spi].slot_type[i % BPF_REG_SIZE])
+		    (i >= cur->allocated_stack ||
+		     old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
+		     cur->stack[spi].slot_type[i % BPF_REG_SIZE]))
    		return false;
if (!(old->stack[spi].spilled_ptr.live & REG_LIVE_READ) && !exact) {
-- 
2.34.1


    