Merge branch 'fix-missing-process_iter_arg-type-check'

Kumar Kartikeya Dwivedi says: ==================== Fix missing process_iter_arg type check I am taking over Tao's earlier patch set that can be found at [0], after an offline discussion. The bug reported in that thread is that process_iter_arg missed a reg->type == PTR_TO_STACK check. Fix this by adding it in, and also address comments from Andrii on the earlier attempt. Include more selftests to ensure the error is caught. [0]: https://lore.kernel.org/bpf/20241107214736.347630-1-tao.lyu@epfl.ch Changelog: ---------- v1 -> v2: v1: https://lore.kernel.org/bpf/20241127230147.4158201-1-memxor@gmail.com ==================== Link: https://patch.msgid.link/20241203000238.3602922-1-memxor@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-01 01:14:19 -04:00 · 2024-12-02 17:47:57 -08:00
parent 537a2525ea 7f71197001
commit d4c44354bc
3 changed files with 33 additions and 2 deletions
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8189,6 +8189,11 @@ static int process_iter_arg(struct bpf_verifier_env *env, int regno, int insn_id
 	const struct btf_type *t;
 	int spi, err, i, nr_slots, btf_id;

+	if (reg->type != PTR_TO_STACK) {
+		verbose(env, "arg#%d expected pointer to an iterator on stack\n", regno - 1);
+		return -EINVAL;
+	}
+
 	/* For iter_{new,next,destroy} functions, btf_check_iter_kfuncs()
 	 * ensures struct convention, so we wouldn't need to do any BTF
 	 * validation here. But given iter state can be passed as a parameter
--- a/tools/testing/selftests/bpf/progs/iters.c
+++ b/tools/testing/selftests/bpf/progs/iters.c
@@ -1486,4 +1486,30 @@ int iter_subprog_check_stacksafe(const void *ctx)
 	return 0;
 }

+struct bpf_iter_num global_it;
+
+SEC("raw_tp")
+__failure __msg("arg#0 expected pointer to an iterator on stack")
+int iter_new_bad_arg(const void *ctx)
+{
+	bpf_iter_num_new(&global_it, 0, 1);
+	return 0;
+}
+
+SEC("raw_tp")
+__failure __msg("arg#0 expected pointer to an iterator on stack")
+int iter_next_bad_arg(const void *ctx)
+{
+	bpf_iter_num_next(&global_it);
+	return 0;
+}
+
+SEC("raw_tp")
+__failure __msg("arg#0 expected pointer to an iterator on stack")
+int iter_destroy_bad_arg(const void *ctx)
+{
+	bpf_iter_num_destroy(&global_it);
+	return 0;
+}
+
 char _license[] SEC("license") = "GPL";
--- a/tools/testing/selftests/bpf/progs/verifier_bits_iter.c
+++ b/tools/testing/selftests/bpf/progs/verifier_bits_iter.c
@@ -35,9 +35,9 @@ __description("uninitialized iter in ->next()")
 __failure __msg("expected an initialized iter_bits as arg #1")
 int BPF_PROG(next_uninit, struct bpf_iter_meta *meta, struct cgroup *cgrp)
 {
-	struct bpf_iter_bits *it = NULL;
+	struct bpf_iter_bits it = {};

-	bpf_iter_bits_next(it);
+	bpf_iter_bits_next(&it);
 	return 0;
 }