
Commit 6f1f78ef authored by Alexei Starovoitov's avatar Alexei Starovoitov

Merge branch 'line_info-check-for-ld_imm64'



Martin KaFai Lau says:

====================
This series ensures the line_info (passed by the userspace during
bpf_prog_load) cannot have its line_info.insn_off pointing to a
zero bpf insn code.  F.e. a broken userspace tool might
generate a line_info.insn_off that points to the second
8 bytes of a BPF_LD_IMM64.

The first patch is the kernel change.
The second patch is a new test case.
====================

Acked-by: default avatarYonghong Song <yhs@fb.com>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parents 9e88b931 e30f5640
+8 −0
@@ -4980,6 +4980,14 @@ static int check_btf_line(struct bpf_verifier_env *env,
			goto err_free;
		}

		if (!prog->insnsi[linfo[i].insn_off].code) {
			verbose(env,
				"Invalid insn code at line_info[%u].insn_off\n",
				i);
			err = -EINVAL;
			goto err_free;
		}

		if (!btf_name_by_offset(btf, linfo[i].line_off) ||
		    !btf_name_by_offset(btf, linfo[i].file_name_off)) {
			verbose(env, "Invalid line_info[%u].line_off or .file_name_off\n", i);
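Review bot: The new test `!prog->insnsi[linfo[i].insn_off].code` indexes the instruction array with a value supplied by userspace, so it is only safe if `insn_off` has already been range-checked against `prog->len` earlier in this loop iteration. That check is not visible in the hunk (the `goto err_free` just above may be its tail), so the ordering should be confirmed and then recorded next to the new code. A comment such as `/* insn_off was bounds-checked above; code == 0 means the second 8 bytes of a BPF_LD_IMM64 */` would also explain why a zero opcode is treated as invalid, which the code alone does not say. check_btf_line starts and ends outside the hunk.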
+27 −0
@@ -4253,6 +4253,33 @@ static struct prog_info_raw_test {
	.expected_prog_load_failure = true,
},

{
	.descr = "line_info (Zero bpf insn code)",
	.raw_types = {
		BTF_TYPE_INT_ENC(NAME_TBD, BTF_INT_SIGNED, 0, 32, 4),	/* [1] */
		BTF_TYPE_INT_ENC(NAME_TBD, 0, 0, 64, 8),	/* [2] */
		BTF_TYPEDEF_ENC(NAME_TBD, 2),			/* [3] */
		BTF_END_RAW,
	},
	BTF_STR_SEC("\0int\0unsigned long\0u64\0u64 a=1;\0return a;"),
	.insns = {
		BPF_LD_IMM64(BPF_REG_0, 1),
		BPF_EXIT_INSN(),
	},
	.prog_type = BPF_PROG_TYPE_TRACEPOINT,
	.func_info_cnt = 0,
	.line_info = {
		BPF_LINE_INFO_ENC(0, 0, NAME_TBD, 1, 10),
		BPF_LINE_INFO_ENC(1, 0, 0, 2, 9),
		BPF_LINE_INFO_ENC(2, 0, NAME_TBD, 3, 8),
		BTF_END_RAW,
	},
	.line_info_rec_size = sizeof(struct bpf_line_info),
	.nr_jited_ksyms = 1,
	.err_str = "Invalid insn code at line_info[1]",
	.expected_prog_load_failure = true,
},

{
	.descr = "line_info (No subprog. zero tailing line_info",
	.raw_types = {
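Review bot: The new "line_info (Zero bpf insn code)" entry does not say why instruction index 1 has a zero opcode, so a reader has to know that `BPF_LD_IMM64` occupies two instruction slots. Assuming the first argument of `BPF_LINE_INFO_ENC` is the insn_off, a comment on the second record, e.g. `BPF_LINE_INFO_ENC(1, 0, 0, 2, 9), /* second half of BPF_LD_IMM64, code == 0 */`, would make the intent clear. It is also worth noting that `.err_str` matches only the start of the kernel message, which is presumably how the harness compares it. The array continues with further entries outside the hunk.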