diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index bfc342b2349bf0..d692e09d273ff1 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1756,29 +1756,6 @@ static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_ins BPF_SIZE(insn->code), BPF_WRITE, -1, true); } -static int __check_stack_boundary(struct bpf_verifier_env *env, u32 regno, - int off, int access_size, - bool zero_size_allowed) -{ - struct bpf_reg_state *reg = cur_regs(env) + regno; - - if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || - access_size < 0 || (access_size == 0 && !zero_size_allowed)) { - if (tnum_is_const(reg->var_off)) { - verbose(env, "invalid stack type R%d off=%d access_size=%d\n", - regno, off, access_size); - } else { - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); - verbose(env, "invalid stack type R%d var_off=%s access_size=%d\n", - regno, tn_buf, access_size); - } - return -EACCES; - } - return 0; -} - /* when register 'regno' is passed into function that will read 'access_size' * bytes from that pointer, make sure that it's within stack boundary * and all elements of stack are initialized. @@ -1791,7 +1768,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, { struct bpf_reg_state *reg = cur_regs(env) + regno; struct bpf_func_state *state = func(env, reg); - int err, min_off, max_off, i, slot, spi; + int off, i, slot, spi; if (reg->type != PTR_TO_STACK) { /* Allow zero-byte read from NULL, regardless of pointer type */ @@ -1805,23 +1782,21 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, return -EACCES; } - if (tnum_is_const(reg->var_off)) { - min_off = max_off = reg->var_off.value + reg->off; - err = __check_stack_boundary(env, regno, min_off, access_size, - zero_size_allowed); - if (err) - return err; - } else { - min_off = reg->smin_value + reg->off; - max_off = reg->umax_value + reg->off; - err = __check_stack_boundary(env, regno, min_off, access_size, - zero_size_allowed); - if (err) - return err; - err = __check_stack_boundary(env, regno, max_off, access_size, - zero_size_allowed); - if (err) - return err; + /* Only allow fixed-offset stack reads */ + if (!tnum_is_const(reg->var_off)) { + char tn_buf[48]; + + tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); + verbose(env, "invalid variable stack read R%d var_off=%s\n", + regno, tn_buf); + return -EACCES; + } + off = reg->off + reg->var_off.value; + if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 || + access_size < 0 || (access_size == 0 && !zero_size_allowed)) { + verbose(env, "invalid stack type R%d off=%d access_size=%d\n", + regno, off, access_size); + return -EACCES; } if (meta && meta->raw_mode) { @@ -1830,10 +1805,10 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, return 0; } - for (i = min_off; i < max_off + access_size; i++) { + for (i = 0; i < access_size; i++) { u8 *stype; - slot = -i - 1; + slot = -(off + i) - 1; spi = slot / BPF_REG_SIZE; if (state->allocated_stack <= slot) goto err; @@ -1846,16 +1821,8 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, goto mark; } err: - if (tnum_is_const(reg->var_off)) { - verbose(env, "invalid indirect read from stack off %d+%d size %d\n", - min_off, i - min_off, access_size); - } else { - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); - verbose(env, "invalid indirect read from stack var_off %s+%d size %d\n", - tn_buf, i - min_off, access_size); - } + verbose(env, "invalid indirect read from stack off %d+%d size %d\n", + off, i, access_size); return -EACCES; mark: /* reading any byte out of 8-byte 'spill_slot' will cause @@ -1864,7 +1831,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno, mark_reg_read(env, &state->stack[spi].spilled_ptr, state->stack[spi].spilled_ptr.parent); } - return update_stack_depth(env, state, min_off); + return update_stack_depth(env, state, off); } static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,