In the Linux kernel, the following vulnerability has been resolved:
bpf: Fix a kernel verifier crash in stacksafe()
Daniel Hodges reported a kernel verifier crash when playing with sched-ext. Further investigation shows that the crash is due to invalid memory access in stacksafe(). More specifically, it is the following code:
if (exact != NOT_EXACT &&
old->stack[spi].slot_type[i % BPF_REG_SIZE] !=
cur->stack[spi].slot_type[i % BPF_REG_SIZE])
return false;
The 'i' iterates old->allocatedstack. If cur->allocatedstack < old->allocated_stack the out-of-bound access will happen.
To fix the issue add 'i >= cur->allocatedstack' check such that if the condition is true, stacksafe() should fail. Otherwise, cur->stack[spi].slottype[i % BPFREGSIZE] memory access is legal.