Commit 4314a445 authored by Yazhou Tang's avatar Yazhou Tang Committed by Alexei Starovoitov
Browse files

bpf: Fix out-of-bounds read in bpf_patch_call_args() 



The interpreters_args array only accommodates stack depths up to
MAX_BPF_STACK (512 bytes). However, do_misc_fixups() may allow a larger
stack depth if JIT is requested.

If JIT compilation later fails and falls back to the interpreter, the
verifier invokes bpf_patch_call_args() with this oversized stack depth.
This causes a load-time out-of-bounds (OOB) read when calculating the
interpreter function pointer index.

Fix this by changing bpf_patch_call_args() to return an int and explicitly
rejecting the JIT fallback (returning -EINVAL) if the stack depth exceeds
MAX_BPF_STACK.

Fixes: 1ea47e01 ("bpf: add support for bpf_call to interpreter")
Co-developed-by: default avatarTianci Cao <ziye@zju.edu.cn>
Signed-off-by: default avatarTianci Cao <ziye@zju.edu.cn>
Co-developed-by: default avatarShenghao Yuan <shenghaoyuan0928@163.com>
Signed-off-by: default avatarShenghao Yuan <shenghaoyuan0928@163.com>
Signed-off-by: default avatarYazhou Tang <tangyazhou518@outlook.com>
Acked-by: default avatarXu Kuohai <xukuohai@huawei.com>
Link: https://lore.kernel.org/r/20260506094714.419842-2-tangyazhou@zju.edu.cn


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 5d691905

include/linux/bpf.h

+1 −1
Original line number Diff line number Diff line
@@ -2917,7 +2917,7 @@ int bpf_check_uarg_tail_zero(bpfptr_t uaddr, size_t expected_size, 
int bpf_check(struct bpf_prog **fp, union bpf_attr *attr, bpfptr_t uattr, u32 uattr_size);



#ifndef CONFIG_BPF_JIT_ALWAYS_ON

void bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth);

int bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth);

#endif



struct btf *bpf_get_btf_vmlinux(void);

kernel/bpf/core.c

+5 −1
Original line number Diff line number Diff line
@@ -2394,13 +2394,17 @@ EVAL4(PROG_NAME_LIST, 416, 448, 480, 512) 
#undef PROG_NAME_LIST



#ifdef CONFIG_BPF_SYSCALL

void bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth)

int bpf_patch_call_args(struct bpf_insn *insn, u32 stack_depth)

{

	stack_depth = max_t(u32, stack_depth, 1);

	/* Prevent out-of-bounds read to interpreters_args */

	if (stack_depth > MAX_BPF_STACK)

		return -EINVAL;

	insn->off = (s16) insn->imm;

	insn->imm = interpreters_args[(round_up(stack_depth, 32) / 32) - 1] -

		__bpf_call_base_args;

	insn->code = BPF_JMP | BPF_CALL_ARGS;

	return 0;

}

#endif

#endif

kernel/bpf/fixups.c

+6 −1
Original line number Diff line number Diff line
@@ -1416,7 +1416,12 @@ int bpf_fixup_call_args(struct bpf_verifier_env *env) 
		depth = get_callee_stack_depth(env, insn, i);

		if (depth < 0)

			return depth;

		bpf_patch_call_args(insn, depth);

		err = bpf_patch_call_args(insn, depth);

		if (err) {

			verbose(env, "stack depth %d exceeds interpreter stack depth limit\n",

				depth);

			return err;

		}

	}

	err = 0;

#endif