git.proxmox.com Git - mirror_ubuntu-kernels.git/commit

author	Kumar Kartikeya Dwivedi <memxor@gmail.com>
	Wed, 16 Feb 2022 20:19:43 +0000 (01:49 +0530)
committer	Alexei Starovoitov <ast@kernel.org>
	Wed, 16 Feb 2022 20:46:51 +0000 (12:46 -0800)
commit	45ce4b4f9009102cd9f581196d480a59208690c1
tree	806a5cc566416b243fb0fabc7a7adbf7ab97efea	tree
parent	61d06f01f9710b327a53492e5add9f972eb909b3	commit \| diff

bpf: Fix crash due to out of bounds access into reg2btf_ids.

When commit e6ac2450d6de ("bpf: Support bpf program calling kernel function") added
kfunc support, it defined reg2btf_ids as a cheap way to translate the verifier
reg type to the appropriate btf_vmlinux BTF ID, however
commit c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
moved the __BPF_REG_TYPE_MAX from the last member of bpf_reg_type enum to after
the base register types, and defined other variants using type flag
composition. However, now, the direct usage of reg->type to index into
reg2btf_ids may no longer fall into __BPF_REG_TYPE_MAX range, and hence lead to
out of bounds access and kernel crash on dereference of bad pointer.

Fixes: c25b2ae13603 ("bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL")
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20220216201943.624869-1-memxor@gmail.com