Skip to content

Commit 5927f01

Browse files
laoargregkh
laoar
authored and
gregkh
committed
bpf: Fix issue in verifying allow_ptr_leaks
commit d75e30d upstream. After we converted the capabilities of our networking-bpf program from cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program failed to start. Because it failed the bpf verifier, and the error log is "R3 pointer comparison prohibited". A simple reproducer as follows, SEC("cls-ingress") int ingress(struct __sk_buff *skb) { struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr); if ((long)(iph + 1) > (long)skb->data_end) return TC_ACT_STOLEN; return TC_ACT_OK; } Per discussion with Yonghong and Alexei [1], comparison of two packet pointers is not a pointer leak. This patch fixes it. Our local kernel is 6.1.y and we expect this fix to be backported to 6.1.y, so stable is CCed. [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/ Suggested-by: Yonghong Song <yonghong.song@linux.dev> Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> Signed-off-by: Yafang Shao <laoar.shao@gmail.com> Acked-by: Eduard Zingerman <eddyz87@gmail.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 parent 247ee56 commit 5927f01

1 file changed

Lines changed: 9 additions & 8 deletions

File tree

kernel/bpf/verifier.c

Lines changed: 9 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -13597,6 +13597,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
1359713597
return -EINVAL;
1359813598
}
1359913599

13600+
/* check src2 operand */
13601+
err = check_reg_arg(env, insn->dst_reg, SRC_OP);
13602+
if (err)
13603+
return err;
13604+
13605+
dst_reg = &regs[insn->dst_reg];
1360013606
if (BPF_SRC(insn->code) == BPF_X) {
1360113607
if (insn->imm != 0) {
1360213608
verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
@@ -13608,25 +13614,20 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
1360813614
if (err)
1360913615
return err;
1361013616

13611-
if (is_pointer_value(env, insn->src_reg)) {
13617+
src_reg = &regs[insn->src_reg];
13618+
if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
13619+
is_pointer_value(env, insn->src_reg)) {
1361213620
verbose(env, "R%d pointer comparison prohibited\n",
1361313621
insn->src_reg);
1361413622
return -EACCES;
1361513623
}
13616-
src_reg = &regs[insn->src_reg];
1361713624
} else {
1361813625
if (insn->src_reg != BPF_REG_0) {
1361913626
verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
1362013627
return -EINVAL;
1362113628
}
1362213629
}
1362313630

13624-
/* check src2 operand */
13625-
err = check_reg_arg(env, insn->dst_reg, SRC_OP);
13626-
if (err)
13627-
return err;
13628-
13629-
dst_reg = &regs[insn->dst_reg];
1363013631
is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
1363113632

1363213633
if (BPF_SRC(insn->code) == BPF_K) {

0 commit comments

Comments
 (0)