bpf: Ensure line_info.insn_off cannot point to insn with zero code

This patch rejects a line_info if the bpf insn code referred by line_info.insn_off is 0. F.e. a broken userspace tool might generate a line_info.insn_off that points to the second 8 bytes of a BPF_LD_IMM64. Signed-off-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org>

bpf: Ensure line_info.insn_off cannot point to insn with zero code
This patch rejects a line_info if the bpf insn code referred by line_info.insn_off is 0. F.e. a broken userspace tool might generate a line_info.insn_off that points to the second 8 bytes of a BPF_LD_IMM64. Signed-off-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
fdbaa0be · Martin KaFai Lau · Alexei Starovoitov · 9e88b931 · fdbaa0be
Commit fdbaa0be authored Dec 19, 2018 by Martin KaFai Lau Committed by Alexei Starovoitov Dec 19, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 8 additions and 0 deletions

kernel/bpf/verifier.c kernel/bpf/verifier.c +8 -0

No files found.
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4980,6 +4980,14 @@ static int check_btf_line(struct bpf_verifier_env *env,
 			goto err_free;
 		}

+		if (!prog->insnsi[linfo[i].insn_off].code) {
+			verbose(env,
+				"Invalid insn code at line_info[%u].insn_off\n",
+				i);
+			err = -EINVAL;
+			goto err_free;
+		}
+
 		if (!btf_name_by_offset(btf, linfo[i].line_off) ||
 		    !btf_name_by_offset(btf, linfo[i].file_name_off)) {
 			verbose(env, "Invalid line_info[%u].line_off or .file_name_off\n", i);