mirror of
https://github.com/torvalds/linux.git
synced 2024-11-10 06:01:57 +00:00
a552e2ef5f
When BPF_TRAMP_F_CALL_ORIG is enabled, the address of a bpf_tramp_image
struct on the stack is passed during the size calculation pass and
an address on the heap is passed during code generation. This may
cause a heap buffer overflow if the heap address is tagged because
emit_a64_mov_i64() will emit longer code than it did during the size
calculation pass. The same problem could occur without tag-based
KASAN if one of the 16-bit words of the stack address happened to
be all-ones during the size calculation pass. Fix the problem by
assuming the worst case (4 instructions) when calculating the size
of the bpf_tramp_image address emission.
Fixes:
|
||
---|---|---|
.. | ||
bpf_jit_comp.c | ||
bpf_jit.h | ||
Makefile |