authorAlexei Starovoitov <ast@kernel.org>2021-11-06 12:54:13 -0700
committerAlexei Starovoitov <ast@kernel.org>2021-11-06 13:22:15 -0700
commit47b3708c6088a60e7dc3b809dbb0d4c46590b32f (patch)
tree54810b9f3412a1609a829507bf943ae58e88b243 /kernel/bpf/core.c
parent70bf363d7adb3a428773bc905011d0ff923ba747 (diff)
parentd99341b373215cf32bfb7f341fb3e720e0e791ef (diff)
Merge branch 'bpf: Fix out-of-bound issue when jit-ing bpf_pseudo_func'
Martin KaFai says: ==================== This set fixes an out-of-bound access issue when jit-ing the bpf_pseudo_func insn (i.e. ld_imm64 with src_reg == BPF_PSEUDO_FUNC) ==================== Reported-by: Yonatan Komornik <yoniko@gmail.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'kernel/bpf/core.c')
-rw-r--r--kernel/bpf/core.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 327e3996eadb..2405e39d800f 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -390,6 +390,13 @@ static int bpf_adj_branches(struct bpf_prog *prog, u32 pos, s32 end_old,
i = end_new;
insn = prog->insnsi + end_old;
}
+ if (bpf_pseudo_func(insn)) {
+ ret = bpf_adj_delta_to_imm(insn, pos, end_old,
+ end_new, i, probe_pass);
+ if (ret)
+ return ret;
+ continue;
+ }
code = insn->code;
if ((BPF_CLASS(code) != BPF_JMP &&
BPF_CLASS(code) != BPF_JMP32) ||
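Review bot: The new `bpf_pseudo_func(insn)` branch has no comment explaining why an ld_imm64 is adjusted here, so the `continue` that bypasses the `BPF_CLASS(code)` jump filter below is hard to audit. Going by the merge description, this is the ld_imm64 with src_reg == BPF_PSEUDO_FUNC, whose imm presumably holds an instruction-relative offset that goes stale when instructions are patched in. I would add `/* ld_imm64 with BPF_PSEUDO_FUNC keeps an insn-relative offset in imm; adjust it like a branch target */` above the `if`. It is also worth confirming that the second slot of the two-slot ld_imm64, visited on the next iteration after the `continue`, is rejected by both this check and the class filter and is never adjusted. The loop header and the rest of bpf_adj_branches lie outside the hunk, so this rests on the visible lines only.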