[PATCH 4.19 142/142] bpf: fix off-by-one error in adjust_subprog_starts

From: Greg Kroah-Hartman
Date: Fri Dec 14 2018 - 07:07:32 EST

Next message: Greg Kroah-Hartman: "[PATCH 4.14 10/89] rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices"
Previous message: Greg Kroah-Hartman: "[PATCH 4.19 124/142] ocfs2: fix deadlock caused by ocfs2_defrag_extent()"
In reply to: Greg Kroah-Hartman: "[PATCH 4.19 124/142] ocfs2: fix deadlock caused by ocfs2_defrag_extent()"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.19 117/142] fscache: fix race between enablement and dropping of object"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Edward Cree <ecree@xxxxxxxxxxxxxx>

commit afd594240806acc138cf696c09f2f4829d55d02f upstream.

When patching in a new sequence for the first insn of a subprog, the start
of that subprog does not change (it's the first insn of the sequence), so
adjust_subprog_starts should check start <= off (rather than < off).
Also added a test to test_verifier.c (it's essentially the syz reproducer).

Fixes: cc8b0b92a169 ("bpf: introduce function calls (function boundaries)")
Reported-by: syzbot+4fc427c7af994b0948be@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Edward Cree <ecree@xxxxxxxxxxxxxx>
Acked-by: Yonghong Song <yhs@xxxxxx>
Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
kernel/bpf/verifier.c | 2 +-
tools/testing/selftests/bpf/test_verifier.c | 19 +++++++++++++++++++
2 files changed, 20 insertions(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5283,7 +5283,7 @@ static void adjust_subprog_starts(struct
return;
/* NOTE: fake 'exit' subprog should be updated as well. */
for (i = 0; i <= env->subprog_cnt; i++) {
- if (env->subprog_info[i].start < off)
+ if (env->subprog_info[i].start <= off)
continue;
env->subprog_info[i].start += len - 1;
}
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -12511,6 +12511,25 @@ static struct bpf_test tests[] = {
.prog_type = BPF_PROG_TYPE_SCHED_CLS,
.result = ACCEPT,
},
+ {
+ "calls: ctx read at start of subprog",
+ .insns = {
+ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
+ BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
+ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
+ BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
+ BPF_EXIT_INSN(),
+ BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
+ .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
+ .result_unpriv = REJECT,
+ .result = ACCEPT,
+ },
};

static int probe_filter_length(const struct bpf_insn *fp)

Next message: Greg Kroah-Hartman: "[PATCH 4.14 10/89] rtnetlink: ndo_dflt_fdb_dump() only work for ARPHRD_ETHER devices"
Previous message: Greg Kroah-Hartman: "[PATCH 4.19 124/142] ocfs2: fix deadlock caused by ocfs2_defrag_extent()"
In reply to: Greg Kroah-Hartman: "[PATCH 4.19 124/142] ocfs2: fix deadlock caused by ocfs2_defrag_extent()"
Next in thread: Greg Kroah-Hartman: "[PATCH 4.19 117/142] fscache: fix race between enablement and dropping of object"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]