author: Jann Horn <jannh@google.com> 2017-12-19 05:11:58 +0100
committer: Daniel Borkmann <daniel@iogearbox.net> 2017-12-21 02:15:41 +0100
commit: a5ec6ae161d72f01411169a938fa5f8baea16e8f
tree: ac35208d260c569dff7eb526c5db93536e07b0f5
parent: bpf: fix missing error return in check_stack_boundary()
bpf: force strict alignment checks for stack pointers

Force strict alignment checks for stack pointers because the tracking of
stack spills relies on it; unaligned stack accesses can lead to corruption
of spilled registers, which is exploitable.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

-rw-r--r-- kernel/bpf/verifier.c 5
1 files changed, 5 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 77e4b5223867..102c519836f6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1059,6 +1059,11 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
break;
case PTR_TO_STACK:
pointer_desc = "stack ";
+ /* The stack spill tracking logic in check_stack_write()
+ * and check_stack_read() relies on stack accesses being
+ * aligned.
+ */
+ strict = true;
break;
default:
break;
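
Review bot: The comment above `strict = true;` in the PTR_TO_STACK case says the spill tracking in check_stack_write() and check_stack_read() relies on aligned accesses, but not what breaks when they are not aligned. The commit message has the reason (unaligned stack accesses can corrupt spilled registers), and carrying that into the comment would make it clear that this assignment is a safety requirement, since it overrides whatever `strict` held on entry to the switch. The diffstat shows only kernel/bpf/verifier.c changing, so consider adding a verifier test that submits a program with a misaligned stack access and expects it to be rejected, to pin the behaviour against later refactoring of the alignment check.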