Commit 9e80f36
bpf, arm64: Fix address emission with tag-based KASAN enabled
commit a552e2e upstream.
When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
struct on the stack is passed during the size calculation pass and
an address on the heap is passed during code generation. This may
cause a heap buffer overflow if the heap address is tagged because
emit_a64_mov_i64() will emit longer code than it did during the size
calculation pass. The same problem could occur without tag-based
KASAN if one of the 16-bit words of the stack address happened to
be all-ones during the size calculation pass. Fix the problem by
assuming the worst case (4 instructions) when calculating the size
of the bpf_tramp_image address emission.
Fixes: 19d3c17 ("bpf, arm64: Fix trampoline for BPF_TRAMP_F_CALL_ORIG")
Signed-off-by: Peter Collingbourne <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Xu Kuohai <[email protected]>
Link: https://linux-review.googlesource.com/id/I1496f2bc24fba7a1d492e16e2b94cf43714f2d3c
Link: https://lore.kernel.org/bpf/[email protected]
[Minor context change fixed.]
Signed-off-by: Bin Lan <[email protected]>
Signed-off-by: He Zhe <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>

1 parent 0771494 commit 9e80f36
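The sizing mismatch the commit message describes, as an added worked example that is not part of the kernel source or of this patch: a small C model of how a 64-bit immediate is loaded on arm64 with one MOVZ or MOVN followed by up to three MOVK, skipping halfwords that are already all-zero or all-ones, so the instruction count depends on the value being loaded. The size pass measures an untagged stack address (three instructions) while code generation emits a tagged heap address (four), and an image sized by the first pass overflows; reserving the worst case of four instructions does not. The MOVN/MOVZ/MOVK opcode constants are the real A64 encodings; `struct jit_ctx`, the function names and the three sample addresses are constructed for the illustration and are not the kernel's `emit_a64_mov_i64()`, which has further cases this model omits.

```c
/* Added example: simplified model of arm64 64-bit immediate emission.
 * Not the kernel's code; struct/function names and addresses are assumed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define A64_MOVN 0x92800000u   /* MOVN Xd, #imm16, LSL #(16*hw) */
#define A64_MOVZ 0xD2800000u   /* MOVZ Xd, #imm16, LSL #(16*hw) */
#define A64_MOVK 0xF2800000u   /* MOVK Xd, #imm16, LSL #(16*hw) */
#define MOV_I64_MAX_INSNS 4    /* worst case: one MOVZ/MOVN plus three MOVK */

/* Constructed addresses: an untagged kernel stack address (top halfword
 * 0xffff, which a MOVN sequence skips) and a heap address carrying a KASAN
 * tag in its top byte (top halfword neither 0x0000 nor 0xffff). */
#define STACK_ADDR       0xffff800010a3b4c0ULL
#define TAGGED_HEAP_ADDR 0xf4ff80001234a000ULL

struct jit_ctx {
	uint32_t *image;   /* NULL during the size-calculation pass */
	size_t idx;        /* instructions emitted so far */
	size_t cap;        /* capacity of image, in instructions */
	bool overflow;     /* set when codegen runs past cap */
};

static void emit(struct jit_ctx *ctx, uint32_t insn)
{
	if (ctx->image) {
		if (ctx->idx >= ctx->cap) {
			ctx->overflow = true;  /* a real JIT would write past the image here */
			return;
		}
		ctx->image[ctx->idx] = insn;
	}
	ctx->idx++;
}

static uint32_t encode(uint32_t op, int rd, uint16_t imm16, int hw)
{
	return op | ((uint32_t)hw << 21) | ((uint32_t)imm16 << 5) | (uint32_t)rd;
}

static int count_halfwords(uint64_t v, uint16_t h)
{
	int n = 0;
	for (int i = 0; i < 4; i++)
		if ((uint16_t)(v >> (16 * i)) == h)
			n++;
	return n;
}

/* Emit the shorter of MOVZ+MOVK (skipping 0x0000 halfwords) and MOVN+MOVK
 * (skipping 0xffff halfwords): 1 to 4 instructions depending on the value. */
static void emit_mov_i64(struct jit_ctx *ctx, int rd, uint64_t v)
{
	bool neg = count_halfwords(v, 0xffff) > count_halfwords(v, 0x0000);
	uint16_t skip = neg ? 0xffff : 0x0000;
	bool first = true;

	for (int hw = 0; hw < 4; hw++) {
		uint16_t imm = (uint16_t)(v >> (16 * hw));
		if (imm == skip && !(first && hw == 3))
			continue;  /* MOVZ/MOVN already leaves this halfword correct */
		if (first) {
			emit(ctx, neg ? encode(A64_MOVN, rd, (uint16_t)~imm, hw)
				      : encode(A64_MOVZ, rd, imm, hw));
			first = false;
		} else {
			emit(ctx, encode(A64_MOVK, rd, imm, hw));
		}
	}
}

/* Size pass: run the emitter with no image and count instructions. */
static size_t mov_i64_size(uint64_t v)
{
	struct jit_ctx size_pass = { .image = NULL };
	emit_mov_i64(&size_pass, 0, v);
	return size_pass.idx;
}

/* Codegen into an image of image_size instructions; true on overflow. The bug
 * sizes the image from whatever address the size pass saw; the fix reserves
 * MOV_I64_MAX_INSNS. */
static bool codegen_overflows(uint64_t codegen_addr, size_t image_size)
{
	uint32_t image[MOV_I64_MAX_INSNS] = {0};
	struct jit_ctx gen = { .image = image, .cap = image_size };
	emit_mov_i64(&gen, 0, codegen_addr);
	return gen.overflow;
}

/* Interpret an emitted sequence on a model register to check it yields v. */
static uint64_t run_mov_sequence(const uint32_t *insns, size_t n)
{
	uint64_t x = 0;
	for (size_t i = 0; i < n; i++) {
		int hw = (insns[i] >> 21) & 3;
		uint64_t imm = (insns[i] >> 5) & 0xffff;
		uint32_t op = insns[i] & 0xff800000u;
		if (op == A64_MOVZ)
			x = imm << (16 * hw);
		else if (op == A64_MOVN)
			x = ~(imm << (16 * hw));
		else
			x = (x & ~(0xffffULL << (16 * hw))) | (imm << (16 * hw));
	}
	return x;
}

static uint64_t roundtrip(uint64_t v)
{
	uint32_t image[MOV_I64_MAX_INSNS] = {0};
	struct jit_ctx gen = { .image = image, .cap = MOV_I64_MAX_INSNS };
	emit_mov_i64(&gen, 0, v);
	return gen.overflow ? ~v : run_mov_sequence(image, gen.idx);
}

int main(void)
{
	size_t sized_for = mov_i64_size(STACK_ADDR);
	printf("size pass saw stack addr: %zu insns; codegen needs %zu insns\n",
	       sized_for, mov_i64_size(TAGGED_HEAP_ADDR));
	printf("image sized by size pass overflows: %s\n",
	       codegen_overflows(TAGGED_HEAP_ADDR, sized_for) ? "yes" : "no");
	printf("image sized for worst case overflows: %s\n",
	       codegen_overflows(TAGGED_HEAP_ADDR, MOV_I64_MAX_INSNS) ? "yes" : "no");
	return 0;
}
```

The no-KASAN variant mentioned in the commit message shows up the same way: an address such as 0xffff8000ffff1000 (two all-ones halfwords) sizes to two instructions, so an image measured from it overflows when codegen later emits a typical three-instruction kernel address. `roundtrip()` decodes the emitted words and confirms the sequence really reproduces the immediate, so the counts above are not just a bookkeeping artefact of the model.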
1 file changed, +10 -2 lines changed

| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1942 | 1942 | | |
1943 | 1943 | | |
1944 | 1944 | | |
1945 | | - | |
| 1945 | + | |
| 1946 | + | |
| 1947 | + | |
| 1948 | + | |
| 1949 | + | |
1946 | 1950 | | |
1947 | 1951 | | |
1948 | 1952 | | |
| |||
1986 | 1990 | | |
1987 | 1991 | | |
1988 | 1992 | | |
1989 | | - | |
| 1993 | + | |
| 1994 | + | |
| 1995 | + | |
| 1996 | + | |
| 1997 | + | |
1990 | 1998 | | |
1991 | 1999 | | |
1992 | 2000 | | |
| |||