Gh0st
/
linux
mirror of https://github.com/torvalds/linux.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux/kernel/bpf
History
Eduard Zingerman b0c8e6d3d8 bpf: account for current allocated stack depth in widen_imprecise_scalars() 
The usage pattern for widen_imprecise_scalars() looks as follows:

    prev_st = find_prev_entry(env, ...);
    queued_st = push_stack(...);
    widen_imprecise_scalars(env, prev_st, queued_st);

Where prev_st is an ancestor of the queued_st in the explored states
tree. This ancestor is not guaranteed to have same allocated stack
depth as queued_st. E.g. in the following case:

    def main():
      for i in 1..2:
        foo(i)        // same callsite, differnt param

    def foo(i):
      if i == 1:
        use 128 bytes of stack
      iterator based loop

Here, for a second 'foo' call prev_st->allocated_stack is 128,
while queued_st->allocated_stack is much smaller.
widen_imprecise_scalars() needs to take this into account and avoid
accessing bpf_verifier_state->frame[*]->stack out of bounds.

Fixes: 2793a8b015 ("bpf: exact states comparison for iterator convergence checks")
Reported-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20251114025730.772723-1-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
 		2025-11-14 09:26:05 -08:00
..
preload
Kconfig bpf: Update the bpf_prog_calc_tag to use SHA256 2025-09-18 19:10:20 -07:00
Makefile bpf: callchain sensitive stack liveness tracking using CFG 2025-09-19 09:27:23 -07:00
arena.c bpf: Report arena faults to BPF stderr 2025-09-11 13:00:43 -07:00
arraymap.c bpf: bpf task work plumbing 2025-09-23 07:34:38 -07:00
bloom_filter.c
bpf_cgrp_storage.c bpf: use rcu_read_lock_dont_migrate() for bpf_cgrp_storage_free() 2025-08-25 18:52:16 -07:00
bpf_inode_storage.c bpf: use rcu_read_lock_dont_migrate() for bpf_inode_storage_free() 2025-08-25 18:52:16 -07:00
bpf_iter.c bpf: use rcu_read_lock_dont_migrate() for bpf_iter_run_prog() 2025-08-25 18:52:16 -07:00
bpf_local_storage.c
bpf_lru_list.c bpf: Replace get_next_cpu() with cpumask_next_wrap() 2025-08-18 15:11:02 +02:00
bpf_lru_list.h
bpf_lsm.c
bpf_struct_ops.c bpf: Allow struct_ops to get map id by kdata 2025-08-06 13:39:58 -07:00
bpf_task_storage.c bpf: use rcu_read_lock_dont_migrate() for bpf_task_storage_free() 2025-08-25 18:52:16 -07:00
btf.c bpf: Allow union argument in trampoline based programs 2025-09-23 12:07:46 -07:00
btf_iter.c
btf_relocate.c
cgroup.c bpf: WQ_PERCPU added to alloc_workqueue users 2025-09-08 10:04:37 -07:00
cgroup_iter.c
core.c bpf: Enforce expected_attach_type for tailcall compatibility 2025-09-27 06:24:27 -07:00
cpumap.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf after rc5 2025-09-11 09:34:37 -07:00
cpumask.c
crypto.c bpf: Fix out-of-bounds dynptr write in bpf_crypto_crypt 2025-09-09 15:07:57 -07:00
devmap.c bpf: Remove redundant __GFP_NOWARN 2025-08-12 14:56:04 -07:00
disasm.c
disasm.h
dispatcher.c
dmabuf_iter.c
hashtab.c bpf: bpf task work plumbing 2025-09-23 07:34:38 -07:00
helpers.c bpf: add _impl suffix for bpf_stream_vprintk() kfunc 2025-11-04 17:50:25 -08:00
inode.c bpf: Avoid RCU context warning when unpinning htab with internal structs 2025-10-10 10:10:08 -07:00
kmem_cache_iter.c
link_iter.c
liveness.c bpf: Fix memory leak in __lookup_instance error path 2025-10-16 10:45:17 -07:00
local_storage.c bpf: Remove redundant __GFP_NOWARN 2025-08-12 14:56:04 -07:00
log.c bpf: disable and remove registers chain based liveness 2025-09-19 09:27:23 -07:00
lpm_trie.c
map_in_map.c
map_in_map.h
map_iter.c
memalloc.c bpf: replace use of system_unbound_wq with system_dfl_wq 2025-09-08 10:04:37 -07:00
mmap_unlock_work.h
mprog.c
net_namespace.c
offload.c
percpu_freelist.c
percpu_freelist.h
prog_iter.c
queue_stack_maps.c
range_tree.c
range_tree.h
relo_core.c
reuseport_array.c
ringbuf.c bpf: Sync pending IRQ work before freeing ring buffer 2025-10-21 09:57:48 -07:00
rqspinlock.c rqspinlock: Choose trylock fallback for NMI waiters 2025-09-09 15:10:28 -07:00
rqspinlock.h
stackmap.c bpf-next-6.18 2025-09-30 17:58:11 -07:00
stream.c bpf: add _impl suffix for bpf_stream_vprintk() kfunc 2025-11-04 17:50:25 -08:00
syscall.c bpf: Replace bpf_map_kmalloc_node() with kmalloc_nolock() to allocate bpf_async_cb structures. 2025-10-15 12:22:22 +02:00
sysfs_btf.c
task_iter.c
tcx.c
tnum.c bpf: Improve the general precision of tnum_mul 2025-08-27 15:00:26 -07:00
token.c
trampoline.c ftrace: Fix BPF fexit with livepatch 2025-11-03 17:22:06 -08:00
verifier.c bpf: account for current allocated stack depth in widen_imprecise_scalars() 2025-11-14 09:26:05 -08:00