mirrors
/
linux-stable
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
1
0
Fork 0
Code Issues Releases Wiki Activity
linux-stable/arch/x86
History
Jakub Sitnicki ff672c67ee bpf, x86: Fix tail call count offset calculation on bpf2bpf call 
On x86-64 the tail call count is passed from one BPF function to another
through %rax. Additionally, on function entry, the tail call count value
is stored on stack right after the BPF program stack, due to register
shortage.

The stored count is later loaded from stack either when performing a tail
call - to check if we have not reached the tail call limit - or before
calling another BPF function call in order to pass it via %rax.

In the latter case, we miscalculate the offset at which the tail call count
was stored on function entry. The JIT does not take into account that the
allocated BPF program stack is always a multiple of 8 on x86, while the
actual stack depth does not have to be.

This leads to a load from an offset that belongs to the BPF stack, as shown
in the example below:

SEC("tc")
int entry(struct __sk_buff *skb)
{
	/* Have data on stack which size is not a multiple of 8 */
	volatile char arr[1] = {};
	return subprog_tail(skb);
}

int entry(struct __sk_buff * skb):
   0: (b4) w2 = 0
   1: (73) *(u8 *)(r10 -1) = r2
   2: (85) call pc+1#bpf_prog_ce2f79bb5f3e06dd_F
   3: (95) exit

int entry(struct __sk_buff * skb):
   0xffffffffa0201788:  nop    DWORD PTR [rax+rax*1+0x0]
   0xffffffffa020178d:  xor    eax,eax
   0xffffffffa020178f:  push   rbp
   0xffffffffa0201790:  mov    rbp,rsp
   0xffffffffa0201793:  sub    rsp,0x8
   0xffffffffa020179a:  push   rax
   0xffffffffa020179b:  xor    esi,esi
   0xffffffffa020179d:  mov    BYTE PTR [rbp-0x1],sil
   0xffffffffa02017a1:  mov    rax,QWORD PTR [rbp-0x9]	!!! tail call count
   0xffffffffa02017a8:  call   0xffffffffa02017d8       !!! is at rbp-0x10
   0xffffffffa02017ad:  leave
   0xffffffffa02017ae:  ret

Fix it by rounding up the BPF stack depth to a multiple of 8, when
calculating the tail call count offset on stack.

Fixes: ebf7d1f508 ("bpf, x64: rework pro/epilogue and tailcall handling in JIT")
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20220616162037.535469-2-jakub@cloudflare.com
 		2022-06-16 21:48:24 +02:00
..
boot Follow-up tweaks for the EFI changes in v5.19 2022-06-03 13:39:30 -07:00
coco Intel Trust Domain Extensions 2022-05-23 17:51:12 -07:00
configs x86/config: Make the x86 defconfigs a bit more usable 2022-03-27 20:58:35 +02:00
crypto crypto: x86 - eliminate anonymous module_init & module_exit 2022-04-08 16:13:31 +08:00
entry kernel-hardening updates for v5.19-rc1 2022-05-24 12:27:09 -07:00
events Two small perf updates: 2022-06-05 10:40:31 -07:00
hyperv hyperv-next for 5.17 2022-01-16 15:53:00 +02:00
ia32 x86: Remove a.out support 2022-04-11 18:04:27 +02:00
include * Fix syzkaller NULL pointer dereference 2022-06-08 09:16:31 -07:00
kernel Hot fixes for 5.19-rc1. 2022-06-05 17:05:38 -07:00
kvm * Fix syzkaller NULL pointer dereference 2022-06-08 09:16:31 -07:00
lib Not a lot of material this cycle. Many singleton patches against various 2022-05-27 11:22:03 -07:00
math-emu x86/32: Remove lazy GS macros 2022-04-14 14:09:43 +02:00
mm virtio: replace arch_has_restricted_virtio_memory_access() 2022-06-06 08:22:01 +02:00
net bpf, x86: Fix tail call count offset calculation on bpf2bpf call 2022-06-16 21:48:24 +02:00
pci pci-v5.19-changes 2022-05-27 15:25:10 -07:00
platform arch/x86: replace cpumask_weight with cpumask_empty where appropriate 2022-06-03 06:52:57 -07:00
power x86/cpu: Load microcode during restore_processor_state() 2022-04-19 19:37:05 +02:00
purgatory
ras
realmode Intel Trust Domain Extensions 2022-05-23 17:51:12 -07:00
tools
um um: Fix out-of-bounds read in LDT setup 2022-05-27 09:03:41 +02:00
video
virt/vmx/tdx x86/tdx: Provide common base for SEAMCALL and TDCALL C wrappers 2022-04-07 08:27:50 -07:00
xen xen/virtio: Enable restricted memory access using Xen grant mappings 2022-06-06 16:07:30 +02:00
.gitignore
Kbuild x86/cc: Move arch/x86/{kernel/cc_platform.c => coco/core.c} 2022-02-23 18:25:58 +01:00
Kconfig virtio: replace arch_has_restricted_virtio_memory_access() 2022-06-06 08:22:01 +02:00
Kconfig.assembler
Kconfig.cpu
Kconfig.debug x86/Kconfig: Fix indentation of arch/x86/Kconfig.debug 2022-05-25 15:39:27 +02:00
Makefile Kbuild updates for v5.19 2022-05-26 12:09:50 -07:00
Makefile.um
Makefile_32.cpu