bpf: Fix slot type check in check_stack_write_var_off

[ Upstream commit f5e477a861e4a20d8a1c5f7a245f3a3c3c376b03 ]

For the case where allow_ptr_leaks is false, code is checking whether
slot type is STACK_INVALID and STACK_SPILL and rejecting other cases.
This is a consequence of incorrectly checking for register type instead
of the slot type (NOT_INIT and SCALAR_VALUE respectively). Fix the
check.

Fixes: 01f810ace9ed ("bpf: Allow variable-offset stack access")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20221103191013.1236066-5-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 146056c..d533488 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3186,14 +3186,17 @@ static int check_stack_write_var_off(struct bpf_verifier_env *env,
                stype = &state->stack[spi].slot_type[slot % BPF_REG_SIZE];
                mark_stack_slot_scratched(env, spi);
 
-               if (!env->allow_ptr_leaks
-                               && *stype != NOT_INIT
-                               && *stype != SCALAR_VALUE) {
-                       /* Reject the write if there's are spilled pointers in
-                        * range. If we didn't reject here, the ptr status
-                        * would be erased below (even though not all slots are
-                        * actually overwritten), possibly opening the door to
-                        * leaks.
+               if (!env->allow_ptr_leaks && *stype != STACK_MISC && *stype != STACK_ZERO) {
+                       /* Reject the write if range we may write to has not
+                        * been initialized beforehand. If we didn't reject
+                        * here, the ptr status would be erased below (even
+                        * though not all slots are actually overwritten),
+                        * possibly opening the door to leaks.
+                        *
+                        * We do however catch STACK_INVALID case below, and
+                        * only allow reading possibly uninitialized memory
+                        * later for CAP_PERFMON, as the write may not happen to
+                        * that slot.
                         */
                        verbose(env, "spilled ptr in range of var-offset stack write; insn %d, ptr off: %d",
                                insn_idx, i);