linux

mirror of https://github.com/torvalds/linux.git synced 2026-06-06 05:27:07 +02:00

Linux kernel source tree

Go to file

Andrei Matei 0954982db8 bpf: Fix accesses to uninit stack slots [ Upstream commit `6b4a64bafd` ] Privileged programs are supposed to be able to read uninitialized stack memory (ever since `6715df8d5`) but, before this patch, these accesses were permitted inconsistently. In particular, accesses were permitted above state->allocated_stack, but not below it. In other words, if the stack was already "large enough", the access was permitted, but otherwise the access was rejected instead of being allowed to "grow the stack". This undesired rejection was happening in two places: - in check_stack_slot_within_bounds() - in check_stack_range_initialized() This patch arranges for these accesses to be permitted. A bunch of tests that were relying on the old rejection had to change; all of them were changed to add also run unprivileged, in which case the old behavior persists. One tests couldn't be updated - global_func16 - because it can't run unprivileged for other reasons. This patch also fixes the tracking of the stack size for variable-offset reads. This second fix is bundled in the same commit as the first one because they're inter-related. Before this patch, writes to the stack using registers containing a variable offset (as opposed to registers with fixed, known values) were not properly contributing to the function's needed stack size. As a result, it was possible for a program to verify, but then to attempt to read out-of-bounds data at runtime because a too small stack had been allocated for it. Each function tracks the size of the stack it needs in bpf_subprog_info.stack_depth, which is maintained by update_stack_depth(). For regular memory accesses, check_mem_access() was calling update_state_depth() but it was passing in only the fixed part of the offset register, ignoring the variable offset. This was incorrect; the minimum possible value of that register should be used instead. This tracking is now fixed by centralizing the tracking of stack size in grow_stack_state(), and by lifting the calls to grow_stack_state() to check_stack_access_within_bounds() as suggested by Andrii. The code is now simpler and more convincingly tracks the correct maximum stack size. check_stack_range_initialized() can now rely on enough stack having been allocated for the access; this helps with the fix for the first issue. A few tests were changed to also check the stack depth computation. The one that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv. Fixes: `01f810ace9` ("bpf: Allow variable-offset stack access") Reported-by: Hao Sun <sunhao.th@gmail.com> Signed-off-by: Andrei Matei <andreimatei1@gmail.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20231208032519.260451-3-andreimatei1@gmail.com Closes: https://lore.kernel.org/bpf/CABWLsev9g8UP_c3a=1qbuZUi20tGoUXoU07FPf-5FLvhOKOY+Q@mail.gmail.com/ Signed-off-by: Sasha Levin <sashal@kernel.org>		2024-01-25 15:35:24 -08:00
arch	arm64: dts: hisilicon: hikey970-pmic: fix regulator cells properties	2024-01-25 15:35:24 -08:00
block	blk-mq: don't count completed flush data request as inflight in case of quiesce	2024-01-20 11:51:39 +01:00
certs
crypto	crypto: scomp - fix req->dst buffer overflow	2024-01-25 15:35:18 -08:00
Documentation	dt-bindings: arm: qcom: Fix html link	2024-01-25 15:35:21 -08:00
drivers	wifi: mt76: mt7921s: fix workqueue problem causes STA association fail	2024-01-25 15:35:24 -08:00
fs	pNFS: Fix the pnfs block driver's calculation of layoutget size	2024-01-25 15:35:18 -08:00
include	bpf: Defer the free of inner map when necessary	2024-01-25 15:35:22 -08:00
init	proc: sysctl: prevent aliased sysctls from getting passed to init	2023-11-28 17:19:57 +00:00
io_uring	io_uring: use fget/fput consistently	2024-01-20 11:51:38 +01:00
ipc	Add x86 shadow stack support	2023-08-31 12:20:12 -07:00
kernel	bpf: Fix accesses to uninit stack slots	2024-01-25 15:35:24 -08:00
lib	kunit: debugfs: Fix unchecked dereference in debugfs_print_results()	2024-01-25 15:35:15 -08:00
LICENSES
mm	mm/memory_hotplug: fix memmap_on_memory sysfs value retrieval	2024-01-20 11:51:49 +01:00
net	net/ncsi: Fix netlink major/minor version numbers	2024-01-25 15:35:20 -08:00
rust	rust: docs: fix logo replacement	2023-10-19 16:40:00 +02:00
samples	vfio/mtty: Overhaul mtty interrupt handling	2024-01-10 17:16:55 +01:00
scripts	scripts/decode_stacktrace.sh: optionally use LLVM utilities	2024-01-20 11:51:49 +01:00
security	selinux: Fix error priority for bind with AF_UNSPEC on PF_INET6 socket	2024-01-25 15:35:15 -08:00
sound	ASoC: SOF: Intel: hda-codec: Delay the codec device registration	2024-01-20 11:51:47 +01:00
tools	bpf: Fix accesses to uninit stack slots	2024-01-25 15:35:24 -08:00
usr
virt	ARM:	2023-09-07 13:52:20 -07:00
.clang-format
.cocciconfig
.get_maintainer.ignore
.gitattributes
.gitignore
.mailmap	20 hotfixes. 12 are cc:stable and the remainder address post-6.5 issues	2023-10-24 09:52:16 -10:00
.rustfmt.toml
COPYING
CREDITS
Kbuild
Kconfig
MAINTAINERS	Char/Misc driver fixes for 6.6-final	2023-10-28 07:51:27 -10:00
Makefile	Linux 6.6.13	2024-01-20 11:51:49 +01:00
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.