bpf_arena_free_pages() can be called with a scalar arena address. The
runtime reconstructs a full user address from the arena base and the low
32 bits before returning the range to the arena free tree. A scalar one
page below the arena base can otherwise produce an out-of-domain free-tree
offset and make a later allocation return an address below the arena
mapping.

Patch 1 rejects frees whose reconstructed full user address is below
user_vm_start. Patch 2 adds verifier_arena coverage for the
scalar-below-base case.

Yiyang Chen (2):
  bpf: Reject arena frees below the arena base
  selftests/bpf: Cover scalar arena frees below the base

 kernel/bpf/arena.c                            |  2 +
 .../selftests/bpf/progs/verifier_arena.c      | 41 ++++++++++++++++---
 2 files changed, 38 insertions(+), 5 deletions(-)


base-commit: 7feeed42d8b97d0db0eab2c1c30aa86f110fe49c
-- 
2.34.1
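The address reconstruction and the reject-below-base check described in the cover letter, as an added model in C that is not code from this series or from kernel/bpf/arena.c; the struct layout, the helper names (clear_lo32, full_uaddr, pgoff_of, free_pgoff) and the sample base value are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>

#define PAGE_SHIFT 12
#define PAGE_SIZE (1ULL << PAGE_SHIFT)

/* Assumed model of the arena fields the cover letter refers to. */
struct arena_model {
	uint64_t user_vm_start; /* base of the user mapping; not 4 GB aligned here */
	uint32_t max_pages;     /* size of the free tree's domain, in pages */
};

/* Constructed sample: the base sits one page above a 4 GB boundary. */
static const struct arena_model demo_arena = {
	.user_vm_start = 0x7f0000001000ULL,
	.max_pages = 16,
};

static uint64_t clear_lo32(uint64_t v) { return v & ~0xffffffffULL; }

/* Reconstruct the full user address from the arena base and the low 32 bits
 * of the scalar the program passed, page aligned. */
static uint64_t full_uaddr(const struct arena_model *a, uint64_t scalar)
{
	return (clear_lo32(a->user_vm_start) + (uint32_t)scalar) & ~(PAGE_SIZE - 1);
}

/* Free-tree page offset from the 32-bit address delta: a full address below
 * user_vm_start wraps to a huge offset instead of failing. */
static uint32_t pgoff_of(const struct arena_model *a, uint64_t full)
{
	return (uint32_t)(full - a->user_vm_start) >> PAGE_SHIFT;
}

static bool pgoff_in_domain(const struct arena_model *a, uint32_t pgoff)
{
	return pgoff < a->max_pages;
}

/* Free path: returns the page offset handed to the free tree, or -1 when the
 * below-base rejection (the check patch 1 adds, here behind `fixed`) trips. */
static long free_pgoff(const struct arena_model *a, uint64_t scalar, bool fixed)
{
	uint64_t full = full_uaddr(a, scalar);

	if (fixed && full < a->user_vm_start)
		return -1;
	return (long)pgoff_of(a, full);
}
```

Without the check, a scalar one page below the base yields page offset 0xfffff, far outside a 16-page domain; with it, the free is rejected before the tree is touched.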

