bpf: fix integer overflows (bb7f0f98) · Commits · e / devices / android_kernel_teracube_mt6765

include/linux/bpf_verifier.h

+2 −2

Original line number	Diff line number	Diff line
		@@ -15,11 +15,11 @@
		* In practice this is far bigger than any realistic pointer offset; this limit
		* ensures that umax_value + (int)off + (int)size cannot overflow a u64.
		*/
		#define BPF_MAX_VAR_OFF (1ULL << 31)
		#define BPF_MAX_VAR_OFF (1 << 29)
		/* Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO]. This ensures
		* that converting umax_value to int cannot overflow.
		*/
		#define BPF_MAX_VAR_SIZ INT_MAX
		#define BPF_MAX_VAR_SIZ (1 << 29)

		/* Liveness marks, used for registers and spilled-regs (in stack slots).
		* Read marks propagate upwards until they find a write mark; they record that

kernel/bpf/verifier.c

+48 −0

Original line number	Diff line number	Diff line
		@@ -1819,6 +1819,41 @@ static bool signed_sub_overflows(s64 a, s64 b)
		return res > a;
		}

		static bool check_reg_sane_offset(struct bpf_verifier_env *env,
		const struct bpf_reg_state *reg,
		enum bpf_reg_type type)
		{
		bool known = tnum_is_const(reg->var_off);
		s64 val = reg->var_off.value;
		s64 smin = reg->smin_value;

		if (known && (val >= BPF_MAX_VAR_OFF \|\| val <= -BPF_MAX_VAR_OFF)) {
		verbose(env, "math between %s pointer and %lld is not allowed\n",
		reg_type_str[type], val);
		return false;
		}

		if (reg->off >= BPF_MAX_VAR_OFF \|\| reg->off <= -BPF_MAX_VAR_OFF) {
		verbose(env, "%s pointer offset %d is not allowed\n",
		reg_type_str[type], reg->off);
		return false;
		}

		if (smin == S64_MIN) {
		verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n",
		reg_type_str[type]);
		return false;
		}

		if (smin >= BPF_MAX_VAR_OFF \|\| smin <= -BPF_MAX_VAR_OFF) {
		verbose(env, "value %lld makes %s pointer be out of bounds\n",
		smin, reg_type_str[type]);
		return false;
		}

		return true;
		}

		/* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
		* Caller should also handle BPF_MOV case separately.
		* If we return -EACCES, caller may want to try again treating pointer as a
		@@ -1887,6 +1922,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
		dst_reg->type = ptr_reg->type;
		dst_reg->id = ptr_reg->id;

		if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) \|\|
		!check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
		return -EINVAL;

		switch (opcode) {
		case BPF_ADD:
		/* We can take a fixed offset as long as it doesn't overflow
		@@ -2017,6 +2056,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
		return -EACCES;
		}

		if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
		return -EINVAL;

		__update_reg_bounds(dst_reg);
		__reg_deduce_bounds(dst_reg);
		__reg_bound_offset(dst_reg);
		@@ -2046,6 +2088,12 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
		src_known = tnum_is_const(src_reg.var_off);
		dst_known = tnum_is_const(dst_reg->var_off);

		if (!src_known &&
		opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
		__mark_reg_unknown(dst_reg);
		return 0;
		}

		switch (opcode) {
		case BPF_ADD:
		if (signed_add_overflows(dst_reg->smin_value, smin_val) \|\|