Skip to content

Commit c96c679

Browse files
laoargregkh
laoar
authored and
gregkh
committed
bpf: Fix issue in verifying allow_ptr_leaks
commit d75e30d upstream. After we converted the capabilities of our networking-bpf program from cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program failed to start. Because it failed the bpf verifier, and the error log is "R3 pointer comparison prohibited". A simple reproducer as follows, SEC("cls-ingress") int ingress(struct __sk_buff *skb) { struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); if ((long)(iph + 1) > (long)skb->data_end) return TC_ACT_STOLEN; return TC_ACT_OK; } Per discussion with Yonghong and Alexei [1], comparison of two packet pointers is not a pointer leak. This patch fixes it. Our local kernel is 6.1.y and we expect this fix to be backported to 6.1.y, so stable is CCed. [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/ Suggested-by: Yonghong Song <yonghong.song@linux.dev> Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> Signed-off-by: Yafang Shao <laoar.shao@gmail.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent b23c965 commit c96c679

1 file changed

Lines changed: 9 additions & 8 deletions

File tree

kernel/bpf/verifier.c

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -10401,6 +10401,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
1040110401
return -EINVAL;
1040210402
}
1040310403

10404+
/* check src2 operand */
10405+
err = check_reg_arg(env, insn->dst_reg, SRC_OP);
10406+
if (err)
10407+
return err;
10408+
10409+
dst_reg = &regs[insn->dst_reg];
1040410410
if (BPF_SRC(insn->code) == BPF_X) {
1040510411
if (insn->imm != 0) {
1040610412
verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
@@ -10412,25 +10418,20 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
1041210418
if (err)
1041310419
return err;
1041410420

10415-
if (is_pointer_value(env, insn->src_reg)) {
10421+
src_reg = &regs[insn->src_reg];
10422+
if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
10423+
is_pointer_value(env, insn->src_reg)) {
1041610424
verbose(env, "R%d pointer comparison prohibited\n",
1041710425
insn->src_reg);
1041810426
return -EACCES;
1041910427
}
10420-
src_reg = &regs[insn->src_reg];
1042110428
} else {
1042210429
if (insn->src_reg != BPF_REG_0) {
1042310430
verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
1042410431
return -EINVAL;
1042510432
}
1042610433
}
1042710434

10428-
/* check src2 operand */
10429-
err = check_reg_arg(env, insn->dst_reg, SRC_OP);
10430-
if (err)
10431-
return err;
10432-
10433-
dst_reg = &regs[insn->dst_reg];
1043410435
is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
1043510436

1043610437
if (BPF_SRC(insn->code) == BPF_K) {

0 commit comments

Comments
 (0)