review.tizen.org Git - platform/kernel/linux-rpi.git/commit

author	Yonghong Song <yonghong.song@linux.dev>
	Mon, 7 Aug 2023 17:57:21 +0000 (10:57 -0700)
committer	Martin KaFai Lau <martin.lau@kernel.org>
	Mon, 7 Aug 2023 23:23:35 +0000 (16:23 -0700)
commit	db2baf82b098aa10ac16f34e44732ec450fb11c7
tree	60f02ffa5460d354357c53dc53b82ec02eafea56	tree \| snapshot
parent	2369e52657d371c58da0b826f8b87f01611cfc59	commit \| diff

bpf: Fix an incorrect verification success with movsx insn

syzbot reports a verifier bug which triggers a runtime panic.
The test bpf program is:
   0: (62) *(u32 *)(r10 -8) = 553656332
   1: (bf) r1 = (s16)r10
   2: (07) r1 += -8
   3: (b7) r2 = 3
   4: (bd) if r2 <= r1 goto pc+0
   5: (85) call bpf_trace_printk#-138320
   6: (b7) r0 = 0
   7: (95) exit

At insn 1, the current implementation keeps 'r1' as a frame pointer,
which caused later bpf_trace_printk helper call crash since frame
pointer address is not valid any more. Note that at insn 4,
the 'pointer vs. scalar' comparison is allowed for privileged
prog run.

To fix the problem with above insn 1, the fix in the patch adopts
similar pattern to existing 'R1 = (u32) R2' handling. For unprivileged
prog run, verification will fail with 'R<num> sign-extension part of pointer'.
For privileged prog run, the dst_reg 'r1' will be marked as
an unknown scalar, so later 'bpf_trace_pointk' helper will complain
since it expected certain pointers.

Reported-by: syzbot+d61b595e9205573133b3@syzkaller.appspotmail.com
Fixes: 8100928c8814 ("bpf: Support new sign-extension mov insns")
Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20230807175721.671696-1-yonghong.song@linux.dev
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>