bpf, btf: fix a missing check bug in btf_parse (4a6998af) · Commits · 戴 / test

kernel/bpf/btf.c

+25 −33

Original line number	Diff line number	Diff line
		@@ -2067,56 +2067,47 @@ static int btf_check_sec_info(struct btf_verifier_env *env,
		return 0;
		}

		static int btf_parse_hdr(struct btf_verifier_env env, void __user btf_data,
		u32 btf_data_size)
		static int btf_parse_hdr(struct btf_verifier_env *env)
		{
		u32 hdr_len, hdr_copy, btf_data_size;
		const struct btf_header *hdr;
		u32 hdr_len, hdr_copy;
		/*
		* Minimal part of the "struct btf_header" that
		* contains the hdr_len.
		*/
		struct btf_min_header {
		u16 magic;
		u8 version;
		u8 flags;
		u32 hdr_len;
		} __user *min_hdr;
		struct btf *btf;
		int err;

		btf = env->btf;
		min_hdr = btf_data;
		btf_data_size = btf->data_size;

		if (btf_data_size < sizeof(*min_hdr)) {
		if (btf_data_size <
		offsetof(struct btf_header, hdr_len) + sizeof(hdr->hdr_len)) {
		btf_verifier_log(env, "hdr_len not found");
		return -EINVAL;
		}

		if (get_user(hdr_len, &min_hdr->hdr_len))
		return -EFAULT;

		hdr = btf->data;
		hdr_len = hdr->hdr_len;
		if (btf_data_size < hdr_len) {
		btf_verifier_log(env, "btf_header not found");
		return -EINVAL;
		}

		err = bpf_check_uarg_tail_zero(btf_data, sizeof(btf->hdr), hdr_len);
		if (err) {
		if (err == -E2BIG)
		/* Ensure the unsupported header fields are zero */
		if (hdr_len > sizeof(btf->hdr)) {
		u8 *expected_zero = btf->data + sizeof(btf->hdr);
		u8 *end = btf->data + hdr_len;

		for (; expected_zero < end; expected_zero++) {
		if (*expected_zero) {
		btf_verifier_log(env, "Unsupported btf_header");
		return err;
		return -E2BIG;
		}
		}
		}

		hdr_copy = min_t(u32, hdr_len, sizeof(btf->hdr));
		if (copy_from_user(&btf->hdr, btf_data, hdr_copy))
		return -EFAULT;
		memcpy(&btf->hdr, btf->data, hdr_copy);

		hdr = &btf->hdr;

		if (hdr->hdr_len != hdr_len)
		return -EINVAL;

		btf_verifier_log_hdr(env, btf_data_size);

		if (hdr->magic != BTF_MAGIC) {
		@@ -2186,10 +2177,6 @@ static struct btf btf_parse(void __user btf_data, u32 btf_data_size,
		}
		env->btf = btf;

		err = btf_parse_hdr(env, btf_data, btf_data_size);
		if (err)
		goto errout;

		data = kvmalloc(btf_data_size, GFP_KERNEL \| __GFP_NOWARN);
		if (!data) {
		err = -ENOMEM;
		@@ -2198,13 +2185,18 @@ static struct btf btf_parse(void __user btf_data, u32 btf_data_size,

		btf->data = data;
		btf->data_size = btf_data_size;
		btf->nohdr_data = btf->data + btf->hdr.hdr_len;

		if (copy_from_user(data, btf_data, btf_data_size)) {
		err = -EFAULT;
		goto errout;
		}

		err = btf_parse_hdr(env);
		if (err)
		goto errout;

		btf->nohdr_data = btf->data + btf->hdr.hdr_len;

		err = btf_parse_str_sec(env);
		if (err)
		goto errout;

Admin message