bpf: Ensure line_info.insn_off cannot point to insn with zero code

This patch rejects a line_info if the bpf insn code referred by
line_info.insn_off is 0. F.e. a broken userspace tool might generate
a line_info.insn_off that points to the second 8 bytes of a BPF_LD_IMM64.

Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
This commit is contained in:
Martin KaFai Lau 2018-12-19 13:01:01 -08:00 коммит произвёл Alexei Starovoitov
Родитель 9e88b9312a
Коммит fdbaa0beb7
1 изменённых файлов: 8 добавлений и 0 удалений

Просмотреть файл

@ -4980,6 +4980,14 @@ static int check_btf_line(struct bpf_verifier_env *env,
goto err_free;
}
if (!prog->insnsi[linfo[i].insn_off].code) {
verbose(env,
"Invalid insn code at line_info[%u].insn_off\n",
i);
err = -EINVAL;
goto err_free;
}
if (!btf_name_by_offset(btf, linfo[i].line_off) ||
!btf_name_by_offset(btf, linfo[i].file_name_off)) {
verbose(env, "Invalid line_info[%u].line_off or .file_name_off\n", i);