CVE-2023-54247

Source
https://cve.org/CVERecord?id=CVE-2023-54247
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54247.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-54247
Published
2025-12-30T12:15:45.395Z
Modified
2026-03-31T17:29:41.817327334Z
Summary
bpf: Silence a warning in btf_type_id_size()
Details

In the Linux kernel, the following vulnerability has been resolved:

bpf: Silence a warning in btf_type_id_size()

syzbot reported a warning in [1] with the following stacktrace:
  WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
  ...
  RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
  ...
  Call Trace:
   <TASK>
   map_check_btf kernel/bpf/syscall.c:1024 [inline]
   map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
   __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
   __do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
   __se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
   __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
   do_syscall_x64 arch/x86/entry/common.c:50 [inline]
   do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
   entry_SYSCALL_64_after_hwframe+0x63/0xcd

With the following btf
  [1] DECL_TAG 'a' type_id=4 component_idx=-1
  [2] PTR '(anon)' type_id=0
  [3] TYPE_TAG 'a' type_id=2
  [4] VAR 'a' type_id=3, linkage=static
and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG), the following WARN_ON_ONCE in btf_type_id_size() is triggered:
  if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) &&
                   !btf_type_is_var(size_type)))
          return NULL;

Note that 'return NULL' is the correct behavior as we don't want a DECL_TAG type to be used as a btf_{key,value}_type_id even for the case like 'DECL_TAG -> STRUCT'. So there is no correctness issue here, we just want to silence the warning.

To silence the warning, I added DECL_TAG as one of the kinds in btf_type_nosize(), which will cause btf_type_id_size() to return NULL earlier without the warning.

[1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54247.json"
}

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
b5ea834dde6b6e7f75e51d5f66dac8cd7c97b5ef
Fixed
61f4bd46a03a81865aca3bcbad2f7b7032fb3160
Fixed
7c4f5ab63e7962812505cbd38cc765168a223acb
Fixed
e6c2f594ed961273479505b42040782820190305

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54247.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.16.0
Fixed
6.1.110
Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.4.7

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54247.json"