diff options
| author | Eduard Zingerman <[email protected]> | 2025-11-14 02:57:29 +0000 |
|---|---|---|
| committer | Alexei Starovoitov <[email protected]> | 2025-11-14 17:26:05 +0000 |
| commit | b0c8e6d3d866b6a7f73877f71968dbffd27b7785 (patch) | |
| tree | 7dd8795b867154e7b8bf0723f1a2a0de8883fd1a /net/unix/af_unix.c | |
| parent | bpf: Add bpf_prog_run_data_pointers() (diff) | |
| download | kernel-b0c8e6d3d866b6a7f73877f71968dbffd27b7785.tar.gz kernel-b0c8e6d3d866b6a7f73877f71968dbffd27b7785.zip | |
bpf: account for current allocated stack depth in widen_imprecise_scalars()
The usage pattern for widen_imprecise_scalars() looks as follows:
prev_st = find_prev_entry(env, ...);
queued_st = push_stack(...);
widen_imprecise_scalars(env, prev_st, queued_st);
Where prev_st is an ancestor of the queued_st in the explored states
tree. This ancestor is not guaranteed to have same allocated stack
depth as queued_st. E.g. in the following case:
def main():
for i in 1..2:
foo(i) // same callsite, differnt param
def foo(i):
if i == 1:
use 128 bytes of stack
iterator based loop
Here, for a second 'foo' call prev_st->allocated_stack is 128,
while queued_st->allocated_stack is much smaller.
widen_imprecise_scalars() needs to take this into account and avoid
accessing bpf_verifier_state->frame[*]->stack out of bounds.
Fixes: 2793a8b015f7 ("bpf: exact states comparison for iterator convergence checks")
Reported-by: Emil Tsalapatis <[email protected]>
Signed-off-by: Eduard Zingerman <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
Signed-off-by: Alexei Starovoitov <[email protected]>
Diffstat (limited to 'net/unix/af_unix.c')
0 files changed, 0 insertions, 0 deletions