BTF struct walks can relax the top-level struct-size check for trailing
flexible arrays. That relaxation must not let a PTR_TO_BTF_ID | MEM_ALLOC
access escape the bytes allocated by bpf_obj_new() or bpf_percpu_obj_new().

Patch 1 rejects MEM_ALLOC BTF walks whose access range reaches past the
current struct size before applying the flexible-array relaxation. This now
also applies to struct ID matching used by kfunc and kptr type checks.
Patch 2 adds a linked_list negative loader case for this path.

Changes in v3:
- Pass the flexible-array walk policy through btf_struct_ids_match() callers,
  so MEM_ALLOC kfunc/kptr type checks use the same bounds rule.
- Rename the btf_struct_walk() parameter to walk_flex_arrays.
- Rebase onto current bpf-next.

v2:
https://lore.kernel.org/bpf/[email protected]/

v1:
https://lore.kernel.org/bpf/[email protected]/

Yiyang Chen (2):
  bpf: Reject MEM_ALLOC BTF accesses past object bounds
  selftests/bpf: Cover MEM_ALLOC access past object bounds

 include/linux/bpf.h                           |  2 +-
 kernel/bpf/btf.c                              | 17 +++++++++-----
 kernel/bpf/verifier.c                         | 11 +++++----
 .../selftests/bpf/prog_tests/linked_list.c    |  1 +
 .../selftests/bpf/progs/linked_list_fail.c    | 23 +++++++++++++++++++
 5 files changed, 43 insertions(+), 11 deletions(-)


base-commit: 53435562a725962e4de0c29653223129ba11643a
-- 
2.34.1
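As an added illustration (not part of this series or of the kernel's btf_struct_walk()), a simplified C model of the bounds rule patch 1 enforces: the flexible-array relaxation may extend an access past the struct's fixed size for ordinary BTF objects, but never for MEM_ALLOC objects, because bpf_obj_new()/bpf_percpu_obj_new() allocate exactly sizeof(struct) bytes. The names check_struct_access, flex_obj and the result enum are assumed.

```c
/* Simplified model of the verifier policy described in the cover letter;
 * not the kernel's btf_struct_walk(). Names below are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Example object with a trailing flexible array, as a BPF program might
 * allocate with bpf_obj_new(). Such an allocation is exactly
 * sizeof(struct flex_obj) bytes, so no data[] elements exist in it. */
struct flex_obj {
    uint32_t len;
    uint32_t data[];
};

enum btf_walk_result { WALK_OK, WALK_REJECT_OOB };

/* walk_flex_arrays mirrors the renamed btf_struct_walk() parameter: when
 * true, an access that starts inside the struct but ends past its fixed
 * size is tolerated because a trailing flexible array may extend the real
 * object. mem_alloc is true for PTR_TO_BTF_ID | MEM_ALLOC pointers. */
static enum btf_walk_result
check_struct_access(size_t struct_size, size_t off, size_t access_size,
                    bool mem_alloc, bool walk_flex_arrays)
{
    size_t end = off + access_size;

    if (end < off)              /* offset arithmetic wrapped */
        return WALK_REJECT_OOB;
    if (end <= struct_size)     /* entirely inside the fixed-size part */
        return WALK_OK;

    /* Access range reaches past the current struct size. Patch 1: for
     * MEM_ALLOC objects the allocation is exactly struct_size bytes, so
     * reject before the flexible-array relaxation is even considered. */
    if (mem_alloc)
        return WALK_REJECT_OOB;

    return walk_flex_arrays ? WALK_OK : WALK_REJECT_OOB;
}

/* Does reading data[idx] of a struct flex_obj pass the walk, with the
 * flexible-array relaxation enabled? */
static bool flex_obj_index_ok(size_t idx, bool mem_alloc)
{
    size_t off = offsetof(struct flex_obj, data) + idx * sizeof(uint32_t);

    return check_struct_access(sizeof(struct flex_obj), off,
                               sizeof(uint32_t), mem_alloc, true) == WALK_OK;
}
```

Reading `len` passes in both cases; reading `data[0]` of a bpf_obj_new()'d object is rejected, while the same walk over a non-MEM_ALLOC object still benefits from the relaxation.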

