libbpf: Fix unbounded memory access in bpf_usdt_arg() - kernel

diff options

author	Ilya Leoshkevich <[email protected]>	2023-01-28 00:06:41 +0000
committer	Alexei Starovoitov <[email protected]>	2023-01-28 20:45:14 +0000
commit	25c76ed428219127aba385d40756f6d5814e96e9 (patch)
tree	33578894d2cc06a87f3cedbd20c7b3f8f6702f37 /tools/lib/bpf/bpf_core_read.h
parent	libbpf: Simplify barrier_var() (diff)
download	kernel-25c76ed428219127aba385d40756f6d5814e96e9.tar.gz kernel-25c76ed428219127aba385d40756f6d5814e96e9.zip

libbpf: Fix unbounded memory access in bpf_usdt_arg()

Loading programs that use bpf_usdt_arg() on s390x fails with: ; if (arg_num >= BPF_USDT_MAX_ARG_CNT || arg_num >= spec->arg_cnt) 128: (79) r1 = *(u64 *)(r10 -24) ; frame1: R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0 129: (25) if r1 > 0xb goto pc+83 ; frame1: R1_w=scalar(umax=11,var_off=(0x0; 0xf)) ... ; arg_spec = &spec->args[arg_num]; 135: (79) r1 = *(u64 *)(r10 -24) ; frame1: R1_w=scalar(umax=4294967295,var_off=(0x0; 0xffffffff)) R10=fp0 ... ; switch (arg_spec->arg_type) { 139: (61) r1 = *(u32 *)(r2 +8) R2 unbounded memory access, make sure to bounds check any such access The reason is that, even though the C code enforces that arg_num < BPF_USDT_MAX_ARG_CNT, the verifier cannot propagate this constraint to the arg_spec assignment yet. Help it by forcing r1 back to stack after comparison. Signed-off-by: Ilya Leoshkevich <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Alexei Starovoitov <[email protected]>

Diffstat (limited to 'tools/lib/bpf/bpf_core_read.h')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: