
Commit ea25f914 authored by Jann Horn, committed by Daniel Borkmann

bpf: fix missing error return in check_stack_boundary()



Prevent indirect stack accesses at non-constant addresses, which would
permit reading and corrupting spilled pointers.

Fixes: f1174f77 ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
parent 468f6eaf
+1 −0
@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
		tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
		verbose(env, "invalid variable stack read R%d var_off=%s\n",
			regno, tn_buf);
		return -EACCES;
	}
	off = regs[regno].off + regs[regno].var_off.value;
	if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
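
Review bot: no regression test accompanies the `return -EACCES;` that follows the verbose() call in check_stack_boundary() (the change is +1 −0). A verifier selftest that hands a helper a stack pointer with a non-constant var_off and expects the program to be rejected would keep this fall-through from coming back. Two smaller points on the same lines: the log text says "invalid variable stack read" while the commit message describes both reading and corrupting spilled pointers, so "invalid variable stack access" would describe what is rejected more accurately; and the `off = regs[regno].off + regs[regno].var_off.value;` computation just below is only meaningful once var_off is known to be constant, which deserves a one-line comment so the dependency on the early return is visible to the next person editing this function.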