[PATCH openEuler-22.03-LTS-SP1] bpf: Guard stack limits against 32bit overflow - Kernel

21 May 2024

From: Andrei Matei andreimatei1@gmail.com
mainline inclusion
from mainline-v6.8-rc1
commit 1d38a9ee81570c4bd61f557832dead4d6f816760
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9Q9EW
CVE: CVE-2023-52676
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
This patch promotes the arithmetic around checking stack bounds to be
done in the 64-bit domain, instead of the current 32bit. The arithmetic
implies adding together a 64-bit register with a int offset. The
register was checked to be below 1<<29 when it was variable, but not
when it was fixed. The offset either comes from an instruction (in which
case it is 16 bit), from another register (in which case the caller
checked it to be below 1<<29 [1]), or from the size of an argument to a
kfunc (in which case it can be a u32 [2]). Between the register being
inconsistently checked to be below 1<<29, and the offset being up to an
u32, it appears that we were open to overflowing the `int`s which were
currently used for arithmetic.
[1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe...
[2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe...
Reported-by: Andrii Nakryiko andrii.nakryiko@gmail.com
Signed-off-by: Andrei Matei andreimatei1@gmail.com
Signed-off-by: Andrii Nakryiko andrii@kernel.org
Acked-by: Andrii Nakryiko andrii@kernel.org
Link: https://lore.kernel.org/bpf/20231207041150.229139-4-andreimatei1@gmail.com
Conflicts:
    kernel/bpf/verifier.c
[The conflict is because some modifications were merged by the commit
db2a27bb5398e ("bpf: Fix accesses to uninit stack slots")]
Signed-off-by: Pu Lehui pulehui@huawei.com
---
 kernel/bpf/verifier.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index d5706782be14..946e485a102c 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3697,7 +3697,7 @@ static int check_stack_access_within_bounds(
    struct bpf_reg_state *regs = cur_regs(env);
    struct bpf_reg_state *reg = regs + regno;
    struct bpf_func_state *state = func(env, reg);
-	int min_off, max_off;
+	s64 min_off, max_off;
    int err;
    char *err_extra;
@@ -3710,7 +3710,7 @@ static int check_stack_access_within_bounds(
    	err_extra = " write to";
if (tnum_is_const(reg->var_off)) {
-		min_off = reg->var_off.value + off;
+		min_off = (s64)reg->var_off.value + off;
    	max_off = min_off + access_size;
    } else {
    	if (reg->smax_value >= BPF_MAX_VAR_OFF ||
-- 
2.34.1


    