From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jiri Olsa, Daniel Borkmann, Andrii Nakryiko, Sasha Levin
Subject: [PATCH 5.10 006/131] bpf: Forbid trampoline attach for functions with variable arguments
Date: Mon, 14 Jun 2021 12:26:07 +0200
Message-Id: <20210614102653.187278759@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210614102652.964395392@linuxfoundation.org>
References: <20210614102652.964395392@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Jiri Olsa

[ Upstream commit 31379397dcc364a59ce764fabb131b645c43e340 ]

We can't currently allow to attach functions with variable arguments.
The problem is that we should save all the registers for arguments,
which is probably doable, but if caller uses more than 6 arguments,
we need stack data, which will be wrong, because of the extra stack
frame we do in bpf trampoline, so we could crash.

Also currently there's malformed trampoline code generated for such
functions at the moment as described in:

  https://lore.kernel.org/bpf/20210429212834.82621-1-jolsa@kernel.org/

Signed-off-by: Jiri Olsa
Signed-off-by: Daniel Borkmann
Acked-by: Andrii Nakryiko
Link: https://lore.kernel.org/bpf/20210505132529.401047-1-jolsa@kernel.org
Signed-off-by: Sasha Levin
---
 kernel/bpf/btf.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index ed7d02e8bc93..aaf2fbaa0cc7 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c
@@ -4960,6 +4960,12 @@ int btf_distill_func_proto(struct bpf_verifier_log *log, m->ret_size = ret; for (i = 0; i < nargs; i++) { + if (i == nargs - 1 && args[i].type == 0) { + bpf_log(log, + "The function %s with variable args is unsupported.\n", + tname); + return -EINVAL; + } ret = __get_type_size(btf, args[i].type, &t); if (ret < 0) { bpf_log(log, @@ -4967,6 +4973,12 @@ int btf_distill_func_proto(struct bpf_verifier_log *log, tname, i, btf_kind_str[BTF_INFO_KIND(t->info)]); return -EINVAL; } + if (ret == 0) { + bpf_log(log, + "The function %s has malformed void argument.\n", + tname); + return -EINVAL; + } m->arg_size[i] = ret; } m->nr_args = nargs; -- 2.30.2
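Review bot: In the first hunk (@@ -4960), the new `i == nargs - 1 && args[i].type == 0` test sits inside the `for` loop although it can only fire for the last index, so it is re-evaluated on every iteration. Hoisting it above the loop as a single check on `args[nargs - 1].type`, guarded by `nargs` being non-zero, would make it obvious that only the final parameter is inspected. The condition also has no comment saying why a type of 0 in the last slot means variable arguments; the log string is the only hint, so a one-line comment above it would help the next reader.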
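Review bot: In the second hunk (@@ -4967), the "malformed void argument" message passes only `tname`, while the `bpf_log()` call just above it in the same loop also passes `i`. Adding the argument index here (for example "The function %s has malformed void argument %d.") would tell the user which parameter was rejected. A short comment that this branch handles a zero size returned by `__get_type_size()`, which the `ret < 0` test before it lets through, would also make the intent clearer.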