authorJann Horn <jannh@google.com>2017-12-19 05:11:57 +0100
committerDaniel Borkmann <daniel@iogearbox.net>2017-12-21 02:15:41 +0100
commitea25f914dc164c8d56b36147ecc86bc65f83c469 (patch)
treeae74d60039bef82d303017c162822f4fa8ddbf02 /kernel
parentbpf: fix 32-bit ALU op verification (diff)
bpf: fix missing error return in check_stack_boundary()
Prevent indirect stack accesses at non-constant addresses, which would permit reading and corrupting spilled pointers. Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'kernel')
-rw-r--r--kernel/bpf/verifier.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index ecdc265244ca..77e4b5223867 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
verbose(env, "invalid variable stack read R%d var_off=%s\n",
regno, tn_buf);
+ return -EACCES;
}
off = regs[regno].off + regs[regno].var_off.value;
if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
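Review bot: The added `return -EACCES;` is the only thing keeping the bounds check below from running on a non-constant offset, and nothing in the branch records why the exit is mandatory. The `off` computation on the next line uses only `regs[regno].var_off.value`, which presumably does not describe every address a variable offset can take, so a log-only branch lets the access through; that is the bug being fixed here. I would add a comment above the return such as `/* variable offset: the range check below only sees var_off.value, so reject here */` so a later refactor does not drop the early exit again. A verifier selftest that expects rejection for an indirect stack access at a non-constant offset would pin this path; the diffstat shown is limited to `kernel/`, so I cannot tell whether one accompanies the change. The condition guarding this branch and the rest of `check_stack_boundary()` lie outside the hunk.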