[bpf,6/9] bpf: force strict alignment checks for stack pointers

Message ID 20171219041201.1979983-7-ast@kernel.org
State Accepted
Delegated to: BPF Maintainers
  • bpf: verifier security fixes

Commit Message

Alexei Starovoitov Dec. 19, 2017, 4:11 a.m.
From: Jann Horn <jannh@google.com>

Force strict alignment checks for stack pointers because the tracking of
stack spills relies on it; unaligned stack accesses can lead to corruption
of spilled registers, which is exploitable.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
 kernel/bpf/verifier.c | 5 +++++
 1 file changed, 5 insertions(+)


diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 77e4b5223867..102c519836f6 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1059,6 +1059,11 @@  static int check_ptr_alignment(struct bpf_verifier_env *env,
 	case PTR_TO_STACK:
 		pointer_desc = "stack ";
+		/* The stack spill tracking logic in check_stack_write()
+		 * and check_stack_read() relies on stack accesses being
+		 * aligned.
+		 */
+		strict = true;
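
Review bot: The comment added above "strict = true;" in the PTR_TO_STACK case says the spill tracking in check_stack_write() and check_stack_read() relies on aligned accesses, but it does not say what breaks otherwise. The commit message does (unaligned stack accesses can corrupt spilled registers), and carrying that consequence into the comment would keep a later reader from treating the unconditional override of the caller's strict value as safe to relax. The diffstat shows only kernel/bpf/verifier.c changed, so unless another patch in the series covers it, a verifier selftest that attempts an unaligned stack access and expects rejection would be worth adding with this fix.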