From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Date: Mon, 09 Oct 2023 14:58:00 +0800
Subject: [PATCH] kABI: fix bpf Invalidate slices on destruction of dynptrs on stack
Patch-mainline: Never, kABI fix
References: bsc#1215863 CVE-2023-39191
Upstream commit f8064ab90d664 ("bpf: Invalidate slices on destruction of
dynptrs on stack") adds the `dynptr_id` field to both `struct
bpf_call_arg_meta` and `struct bpf_reg_state`, thus breaking kABI. Luckily
both are quite easy to fix.
`struct bpf_call_arg_meta` still has a 4 byte hole that fits `int dynptr_id`,
and in `struct bpf_reg_state`, the `u32 dynptr_id` is inside a union that's
large enough to accommodate this new addition, so for both cases it's a matter
of wrapping the new field within `#ifndef __GENKSYMS__`.
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
---
include/linux/bpf_verifier.h | 4 ++++
kernel/bpf/verifier.c | 4 +++-
2 files changed, 7 insertions(+), 1 deletion(-)
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -70,10 +70,14 @@ struct bpf_reg_state {
u32 btf_id;
};
+#ifndef __GENKSYMS__
struct { /* for PTR_TO_MEM | PTR_TO_MEM_OR_NULL */
u32 mem_size;
u32 dynptr_id; /* for dynptr slices */
};
+#else
+ u32 mem_size;
+#endif
/* For dynptr stack slots */
struct {
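Review bot: the `#else` branch keeps only `u32 mem_size;` so that genksyms sees the pre-patch layout, but nothing in the code records why the real build may carry the extra `u32 dynptr_id` inside this union. The commit message argues the union is already large enough, yet that is a property of the other union members and can silently change with a later backport. Suggest either a short comment next to `#ifndef __GENKSYMS__` naming the larger member that bounds the union, or a `BUILD_BUG_ON(sizeof(struct bpf_reg_state) != <pre-patch size>)` (with the size taken from the unpatched build) so a future change that grows the union is caught at compile time rather than by a kABI checker.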
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -254,9 +254,11 @@ struct bpf_call_arg_meta {
int mem_size;
u64 msize_max_value;
int ref_obj_id;
- int dynptr_id;
int map_uid;
int func_id;
+#ifndef __GENKSYMS__
+ int dynptr_id;
+#endif
struct btf *btf;
u32 btf_id;
struct btf *ret_btf;
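Review bot: `int dynptr_id;` is removed from after `ref_obj_id` and re-added after `func_id`, so the non-genksyms build now has a different member order from upstream f8064ab90d664. The commit message explains the move as filling the existing 4-byte hole before `struct btf *btf;`, but the code does not say so; suggest a one-line comment on the `#ifndef __GENKSYMS__` block (e.g. `/* fills the hole before btf, keeps sizeof() unchanged for kABI */`) and, as in the header change, a `BUILD_BUG_ON` on `sizeof(struct bpf_call_arg_meta)` so that a future field added around `func_id` cannot reintroduce the layout change unnoticed. Also worth confirming in the description that no backported verifier helper still indexes `dynptr_id` by position (e.g. via a designated initializer), since the reorder would otherwise be a silent behaviour change rather than a pure kABI fix.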