From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-19.4 required=3.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,INCLUDES_CR_TRAILER,INCLUDES_PATCH, MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45F4BC4709F for ; Thu, 3 Jun 2021 17:08:54 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 2E625613FF for ; Thu, 3 Jun 2021 17:08:54 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231579AbhFCRKh (ORCPT ); Thu, 3 Jun 2021 13:10:37 -0400 Received: from mail.kernel.org ([198.145.29.99]:41888 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231783AbhFCRKV (ORCPT ); Thu, 3 Jun 2021 13:10:21 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E61D4613F6; Thu, 3 Jun 2021 17:08:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1622740116; bh=P2NiAcDDakW4b0/dW1SMWHEB1xRgaqQX6RaVY4jIeQ8=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=KbfDNx3efZpNMXFSgpCYdKavCkmj7zxQqun4s6ffOToqbicYFpPWfJoLsXN4JCb15 aCwn3nKbwOe3ICCN3FKeIqQlyhcq/wNhyFCELzWJXGFsTK0v9cecW6E56WF1F1xHyn frqDinJyQicWNCgIb9utB7Vf+Dc1h63mH0VclVXVkIk7VW38z5md4lIACAqpAj6gCz GjFTIFS8IBhpLRp0rWkRBtWZgnxrQ0EgVe/wisjpDBTN2iFzXYLe7ZiCjJoWiYH+uV r/EjbbPMMSbngwkXcChZrQHMgYB+PM/Y5hYvFBom5qSZ71VsoIaoARzNnfbc66i7a/ Gw0YVU9Zpc/4A== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jiri Olsa , Daniel Borkmann , Andrii Nakryiko , Sasha Levin , netdev@vger.kernel.org, bpf@vger.kernel.org Subject: [PATCH AUTOSEL 5.10 05/39] bpf: Forbid trampoline attach for functions with variable arguments Date: Thu, 3 Jun 2021 13:07:55 -0400 Message-Id: <20210603170829.3168708-5-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210603170829.3168708-1-sashal@kernel.org> References: <20210603170829.3168708-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org From: Jiri Olsa [ Upstream commit 31379397dcc364a59ce764fabb131b645c43e340 ] We can't currently allow to attach functions with variable arguments. The problem is that we should save all the registers for arguments, which is probably doable, but if caller uses more than 6 arguments, we need stack data, which will be wrong, because of the extra stack frame we do in bpf trampoline, so we could crash. Also currently there's malformed trampoline code generated for such functions at the moment as described in: https://lore.kernel.org/bpf/20210429212834.82621-1-jolsa@kernel.org/ Signed-off-by: Jiri Olsa Signed-off-by: Daniel Borkmann Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20210505132529.401047-1-jolsa@kernel.org Signed-off-by: Sasha Levin --- kernel/bpf/btf.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index ed7d02e8bc93..aaf2fbaa0cc7 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c @@ -4960,6 +4960,12 @@ int btf_distill_func_proto(struct bpf_verifier_log *log, m->ret_size = ret; for (i = 0; i < nargs; i++) { + if (i == nargs - 1 && args[i].type == 0) { + bpf_log(log, + "The function %s with variable args is unsupported.\n", + tname); + return -EINVAL; + } ret = __get_type_size(btf, args[i].type, &t); if (ret < 0) { bpf_log(log, @@ -4967,6 +4973,12 @@ int btf_distill_func_proto(struct bpf_verifier_log *log, tname, i, btf_kind_str[BTF_INFO_KIND(t->info)]); return -EINVAL; } + if (ret == 0) { + bpf_log(log, + "The function %s has malformed void argument.\n", + tname); + return -EINVAL; + } m->arg_size[i] = ret; } m->nr_args = nargs; -- 2.30.2