|
|
|
|
In the Linux kernel, the following vulnerability has been resolved:bpf: Fix accesses to uninit stack slotsPrivileged programs are supposed to be able to read uninitialized stackmemory (ever since 6715df8d5) but, before this patch, these accesseswere permitted inconsistently. In particular, accesses were permittedabove state->allocated_stack, but not below it. In other words, if thestack was already "large enough", the access was permitted, butotherwise the access was rejected instead of being allowed to "grow thestack". This undesired rejection was happening in two places:- in check_stack_slot_within_bounds()- in check_stack_range_initialized()This patch arranges for these accesses to be permitted. A bunch of teststhat were relying on the old rejection had to change; all of them werechanged to add also run unprivileged, in which case the old behaviorpersists. One tests couldn't be updated - global_func16 - because itcan't run unprivileged for other reasons.This patch also fixes the tracking of the stack size for variable-offsetreads. This second fix is bundled in the same commit as the first onebecause they're inter-related. Before this patch, writes to the stackusing registers containing a variable offset (as opposed to registerswith fixed, known values) were not properly contributing to thefunction's needed stack size. As a result, it was possible for a programto verify, but then to attempt to read out-of-bounds data at runtimebecause a too small stack had been allocated for it.Each function tracks the size of the stack it needs inbpf_subprog_info.stack_depth, which is maintained byupdate_stack_depth(). For regular memory accesses, check_mem_access()was calling update_state_depth() but it was passing in only the fixedpart of the offset register, ignoring the variable offset. This wasincorrect; the minimum possible value of that register should be usedinstead.This tracking is now fixed by centralizing the tracking of stack size ingrow_stack_state(), and by lifting the calls to grow_stack_state() tocheck_stack_access_within_bounds() as suggested by Andrii. The code isnow simpler and more convincingly tracks the correct maximum stack size.check_stack_range_initialized() can now rely on enough stack having beenallocated for the access; this helps with the fix for the first issue.A few tests were changed to also check the stack depth computation. Theone that fails without this patch is verifier_var_off:stack_write_priv_vs_unpriv.
|
