UBUNTU: SAUCE: bpf: prevent helper argument PTR_TO_ALLOC_MEM to have …

…offset other than 0 BugLink: https://bugs.launchpad.net/bugs/1956585 (OOB write on BPF_RINGBUF (LP: #1956585)) bpf_ringbuf_reserve is currently the only helper that returns a PTR_TO_ALLOC_MEM, and bpf_ringbuf_submit and bpf_ringbuf_discard expect only such pointers. If some arithmetic is done on those pointers, those functions may corrupt arbritary memory. Prevent such argument types from having an offset other than 0. Also, other valid PTR_TO_MEM should not be accepted as parameters to bpf_ringbuf_submit and bpf_ringbuf_discard. A different type mechanism should be used instead, in order to guarantee that only values returned by bpf_ringbuf_reserve can be used. Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Acked-by: Kamal Mostafa <kamal@canonical.com> Acked-by: Marcelo Henrique Cerri <marcelo.cerri@canonical.com> Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
mariux64 · Jan 7, 2022 · 197f3c2 · 197f3c2
1 parent 05e4862
commit 197f3c2
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -4903,6 +4903,14 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg,
 		 */
 		goto skip_type_check;
 
+	/* We already checked for NULL above */
+	if (arg_type == ARG_PTR_TO_ALLOC_MEM) {
+		if (reg->off != 0 || !tnum_is_const(reg->var_off)) {
+			verbose(env, "helper wants pointer to allocated memory\n");
+			return -EACCES;
+		}
+	}
+
 	err = check_reg_type(env, regno, arg_type, fn->arg_btf_id[arg]);
 	if (err)
 		return err;