projects / linux-block.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 1a24af6) | patch
bpf: BPF_ST with variable offset should preserve STACK_ZERO marks
authorEduard Zingerman <eddyz87@gmail.com>
Tue, 14 Feb 2023 23:20:29 +0000 (01:20 +0200)
committerAlexei Starovoitov <ast@kernel.org>
Wed, 15 Feb 2023 19:48:47 +0000 (11:48 -0800)
commit31ff2135121ca9c0fd6c60de6b851509a24446ab
tree1579b17129ae849ffe1b98e7e1ca711f247ca284tree | snapshot
parent1a24af65bb5fed673a9377e794ee3cf416fec64dcommit | diff
bpf: BPF_ST with variable offset should preserve STACK_ZERO marks

BPF_STX instruction preserves STACK_ZERO marks for variable offset
writes in situations like below:

  *(u64*)(r10 - 8) = 0   ; STACK_ZERO marks for fp[-8]
  r0 = random(-7, -1)    ; some random number in range of [-7, -1]
  r0 += r10              ; r0 is now a variable offset pointer to stack
  r1 = 0
  *(u8*)(r0) = r1        ; BPF_STX writing zero, STACK_ZERO mark for
                         ; fp[-8] is preserved

This commit updates verifier.c:check_stack_write_var_off() to process
BPF_ST in a similar manner, e.g. the following example:

  *(u64*)(r10 - 8) = 0   ; STACK_ZERO marks for fp[-8]
  r0 = random(-7, -1)    ; some random number in range of [-7, -1]
  r0 += r10              ; r0 is now variable offset pointer to stack
  *(u8*)(r0) = 0         ; BPF_ST writing zero, STACK_ZERO mark for
                         ; fp[-8] is preserved

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20230214232030.1502829-4-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/verifier.c diff | blob | blame | history
Linux 6.x block layer and io_uring tree(s)