bpf: fix check for attempt to corrupt spilled pointer (!4255) · Merge requests · Red Hat / centos-stream / src / kernel / centos-stream-9

Viktor Malik requested to merge vmalikrh/centos-stream-9:cve-2023-52462 into main May 16, 2024

JIRA: https://issues.redhat.com/browse/RHEL-26569
CVE: CVE-2023-52462

commit ab125ed3ec1c10ccc36bc98c7a4256ad114a3dae
Author: Andrii Nakryiko <andrii@kernel.org>
Date:   Tue Dec 5 10:42:41 2023 -0800

    bpf: fix check for attempt to corrupt spilled pointer

    When register is spilled onto a stack as a 1/2/4-byte register, we set
    slot_type[BPF_REG_SIZE - 1] (plus potentially few more below it,
    depending on actual spill size). So to check if some stack slot has
    spilled register we need to consult slot_type[7], not slot_type[0].

    To avoid the need to remember and double-check this in the future, just
    use is_spilled_reg() helper.

    Fixes: 27113c59b6d0 ("bpf: Check the other end of slot_type for STACK_SPILL")
    Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    Link: https://lore.kernel.org/r/20231205184248.1502704-4-andrii@kernel.org
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Signed-off-by: Viktor Malik vmalik@redhat.com

bpf: fix check for attempt to corrupt spilled pointer

Merge request reports