Commit 1955351d authored by Mickaël Salaün's avatar Mickaël Salaün Committed by David S. Miller
Browse files

bpf: Set register type according to is_valid_access() 



This prevent future potential pointer leaks when an unprivileged eBPF
program will read a pointer value from its context. Even if
is_valid_access() returns a pointer type, the eBPF verifier replace it
with UNKNOWN_VALUE. The register value that contains a kernel address is
then allowed to leak. Moreover, this fix allows unprivileged eBPF
programs to use functions with (legitimate) pointer arguments.

Not an issue currently since reg_type is only set for PTR_TO_PACKET or
PTR_TO_PACKET_END in XDP and TC programs that can only be loaded as
privileged. For now, the only unprivileged eBPF program allowed is for
socket filtering and all the types from its context are UNKNOWN_VALUE.
However, this fix is important for future unprivileged eBPF programs
which could use pointers in their context.

Signed-off-by: default avatarMickaël Salaün <mic@digikod.net>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 973d94d8

kernel/bpf/verifier.c

+2 −3
Original line number Diff line number Diff line
@@ -749,7 +749,6 @@ static int check_mem_access(struct bpf_verifier_env *env, u32 regno, int off, 
		err = check_ctx_access(env, off, size, t, &reg_type);

		if (!err && t == BPF_READ && value_regno >= 0) {

			mark_reg_unknown_value(state->regs, value_regno);

			if (env->allow_ptr_leaks)

			/* note that reg.[id|off|range] == 0 */

			state->regs[value_regno].type = reg_type;

		}

CRA Git | Maintained and supported by SUSTech CRA and CCSE