From: Daniel Borkmann <daniel@iogearbox.net>
Date: Mon, 10 Jan 2022 14:05:49 +0000
Subject: bpf: Generalize check_ctx_reg for reuse with other types
Patch-mainline: v5.17-rc1
Git-commit: be80a1d3f9dbe5aee79a325964f7037fe2d92f30
References: bsc#1194111 bsc#1194765 CVE-2021-4204 CVE-2022-23222
X-Info: minor adjustment in context of kernel/bpf/btf.c:btf_check_func_arg_match(), no "bpf: Extend kfunc with PTR_TO_CTX, PTR_TO_MEM argument support" 3363bd0cfbb80dfcd25003cd3815b0ad8b68d0ff
Generalize the check_ctx_reg() helper function into a more generic named one
so that it can be reused for other register types as well to check whether
their offset is non-zero. No functional change.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
---
include/linux/bpf_verifier.h | 4 ++--
kernel/bpf/btf.c | 2 +-
kernel/bpf/verifier.c | 21 +++++++++++----------
3 files changed, 14 insertions(+), 13 deletions(-)
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -483,8 +483,8 @@ bpf_prog_offload_replace_insn(struct bpf
void
bpf_prog_offload_remove_insns(struct bpf_verifier_env *env, u32 off, u32 cnt);
-int check_ctx_reg(struct bpf_verifier_env *env,
- const struct bpf_reg_state *reg, int regno);
+int check_ptr_off_reg(struct bpf_verifier_env *env,
+ const struct bpf_reg_state *reg, int regno);
int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
u32 regno, u32 mem_size);
--- a/kernel/bpf/btf.c
+++ b/kernel/bpf/btf.c
@@ -5489,7 +5489,7 @@ static int btf_check_func_arg_match(stru
i, btf_type_str(t));
return -EINVAL;
}
- if (check_ctx_reg(env, reg, regno))
+ if (check_ptr_off_reg(env, reg, regno))
return -EINVAL;
} else if (ptr_to_mem_ok) {
const struct btf_type *resolve_ret;
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3672,16 +3672,16 @@ static int get_callee_stack_depth(struct
}
#endif
-int check_ctx_reg(struct bpf_verifier_env *env,
- const struct bpf_reg_state *reg, int regno)
+int check_ptr_off_reg(struct bpf_verifier_env *env,
+ const struct bpf_reg_state *reg, int regno)
{
- /* Access to ctx or passing it to a helper is only allowed in
- * its original, unmodified form.
+ /* Access to this pointer-typed register or passing it to a helper
+ * is only allowed in its original, unmodified form.
*/
if (reg->off) {
- verbose(env, "dereference of modified ctx ptr R%d off=%d disallowed\n",
- regno, reg->off);
+ verbose(env, "dereference of modified %s ptr R%d off=%d disallowed\n",
+ reg_type_str(env, reg->type), regno, reg->off);
return -EACCES;
}
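Review bot: The two rewritten `verbose()` strings in check_ptr_off_reg() (this hunk and the var_off message in the next one) now take the type name from `reg_type_str(env, reg->type)`, so the "No functional change" claim holds only if that helper prints exactly `ctx` for the context pointer type. That is not visible in this patch and should be confirmed, because verifier log text is often matched by tests and tooling. The first message still says "dereference" although the comment above it also covers passing the register to a helper, which will read oddly once non-ctx callers are added. The generalized function does no type check of its own in the lines shown, so the comment should say so, e.g. `/* Callers decide which pointer types must be unmodified; this helper only rejects a register whose offset has been changed. */`. The function body continues past the end of this hunk.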
@@ -3689,7 +3689,8 @@ int check_ctx_reg(struct bpf_verifier_en
char tn_buf[48];
tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
- verbose(env, "variable ctx access var_off=%s disallowed\n", tn_buf);
+ verbose(env, "variable %s access var_off=%s disallowed\n",
+ reg_type_str(env, reg->type), tn_buf);
return -EACCES;
}
@@ -4125,7 +4126,7 @@ static int check_mem_access(struct bpf_v
return -EACCES;
}
- err = check_ctx_reg(env, reg, regno);
+ err = check_ptr_off_reg(env, reg, regno);
if (err < 0)
return err;
@@ -4917,7 +4918,7 @@ static int check_func_arg(struct bpf_ver
return err;
if (type == PTR_TO_CTX) {
- err = check_ctx_reg(env, reg, regno);
+ err = check_ptr_off_reg(env, reg, regno);
if (err < 0)
return err;
}
@@ -9069,7 +9070,7 @@ static int check_ld_abs(struct bpf_verif
return err;
}
- err = check_ctx_reg(env, ®s[ctx_reg], ctx_reg);
+ err = check_ptr_off_reg(env, ®s[ctx_reg], ctx_reg);
if (err < 0)
return err;