diff options
author | Martin KaFai Lau <kafai@fb.com> | 2022-03-30 03:14:56 +0200 |
---|---|---|
committer | Alexei Starovoitov <ast@kernel.org> | 2022-03-31 04:31:30 +0200 |
commit | 4a9c7bbe2ed4d2b240674b1fb606c41d3940c412 (patch) | |
tree | 8a6efef13fb0c6edf3d09f281aafee031bbc5f61 /include | |
parent | rethook: Fix to use WRITE_ONCE() for rethook:: Handler (diff) | |
download | linux-4a9c7bbe2ed4d2b240674b1fb606c41d3940c412.tar.xz linux-4a9c7bbe2ed4d2b240674b1fb606c41d3940c412.zip |
bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT
The commit 7e40781cc8b7 ("bpf: verifier: Use target program's type for access verifications")
fixes the verifier checking for BPF_PROG_TYPE_EXT (extension)
prog such that the verifier looks for things based
on the target prog type that it is extending instead of
the BPF_PROG_TYPE_EXT itself.
The current resolve_prog_type() returns the target prog type.
It checks for nullness on prog->aux->dst_prog. However,
when loading a BPF_PROG_TYPE_TRACING prog and it is tracing another
bpf prog instead of a kernel function, prog->aux->dst_prog is not
NULL also. In this case, the verifier should still verify as the
BPF_PROG_TYPE_TRACING type instead of the traced prog type in
prog->aux->dst_prog->type.
An oops has been reported when tracing a struct_ops prog. A NULL
dereference happened in check_return_code() when accessing the
prog->aux->attach_func_proto->type and prog->aux->attach_func_proto
is NULL here because the traced struct_ops prog has the "unreliable" set.
This patch is to change the resolve_prog_type() to only
return the target prog type if the prog being verified is
BPF_PROG_TYPE_EXT.
Fixes: 7e40781cc8b7 ("bpf: verifier: Use target program's type for access verifications")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20220330011456.2984509-1-kafai@fb.com
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/bpf_verifier.h | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index c1fc4af47f69..3a9d2d7cc6b7 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -570,9 +570,11 @@ static inline u32 type_flag(u32 type) return type & ~BPF_BASE_TYPE_MASK; } +/* only use after check_attach_btf_id() */ static inline enum bpf_prog_type resolve_prog_type(struct bpf_prog *prog) { - return prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type; + return prog->type == BPF_PROG_TYPE_EXT ? + prog->aux->dst_prog->type : prog->type; } #endif /* _LINUX_BPF_VERIFIER_H */ |