CVE-2023-54247
Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 30/12/2025
Last modified: 30/12/2025
Description
In the Linux kernel, the following vulnerability has been resolved:

bpf: Silence a warning in btf_type_id_size()

syzbot reported a warning in [1] with the following stacktrace:

  WARNING: CPU: 0 PID: 5005 at kernel/bpf/btf.c:1988 btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
  ...
  RIP: 0010:btf_type_id_size+0x2d9/0x9d0 kernel/bpf/btf.c:1988
  ...
  Call Trace:
  map_check_btf kernel/bpf/syscall.c:1024 [inline]
  map_create+0x1157/0x1860 kernel/bpf/syscall.c:1198
  __sys_bpf+0x127f/0x5420 kernel/bpf/syscall.c:5040
  __do_sys_bpf kernel/bpf/syscall.c:5162 [inline]
  __se_sys_bpf kernel/bpf/syscall.c:5160 [inline]
  __x64_sys_bpf+0x79/0xc0 kernel/bpf/syscall.c:5160
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x63/0xcd

With the following btf

  [1] DECL_TAG 'a' type_id=4 component_idx=-1
  [2] PTR '(anon)' type_id=0
  [3] TYPE_TAG 'a' type_id=2
  [4] VAR 'a' type_id=3, linkage=static

and when the bpf_attr.btf_key_type_id = 1 (DECL_TAG),
the following WARN_ON_ONCE in btf_type_id_size() is triggered:

  if (WARN_ON_ONCE(!btf_type_is_modifier(size_type) &&
                   !btf_type_is_var(size_type)))
          return NULL;

Note that 'return NULL' is the correct behavior as we don't want
a DECL_TAG type to be used as a btf_{key,value}_type_id even
for the case like 'DECL_TAG -> STRUCT'. So there
is no correctness issue here, we just want to silence the warning.

To silence the warning, I added DECL_TAG as one of the kinds in
btf_type_nosize(), which will cause btf_type_id_size() to return
NULL earlier without the warning.

[1] https://lore.kernel.org/bpf/000000000000e0df8d05fc75ba86@google.com/
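
The behaviour described above, as a simplified user-space model added here for illustration; it is not kernel code and not part of the original advisory or patch. Only BTF entries [1] to [4] and the WARN_ON_ONCE condition come from the description; the `struct type` table layout, the `patched` flag, the `warnings` counter, the recursive follow step and the INT entry at id 5 are assumptions made for the model.

```c
#include <stdbool.h>
#include <stdio.h>
/* Simplified user-space model, not kernel code. */
enum kind { K_VOID, K_INT, K_PTR, K_TYPE_TAG, K_VAR, K_DECL_TAG };
struct type { enum kind kind; unsigned ref; unsigned size; };

/* Constructed table mirroring the BTF above (index = type id); id 5 is an extra INT. */
static const struct type btf[] = {
    { K_VOID, 0, 0 },      /* [0] void */
    { K_DECL_TAG, 4, 0 },  /* [1] DECL_TAG 'a' type_id=4 */
    { K_PTR, 0, 0 },       /* [2] PTR type_id=0 */
    { K_TYPE_TAG, 2, 0 },  /* [3] TYPE_TAG 'a' type_id=2 */
    { K_VAR, 3, 0 },       /* [4] VAR 'a' type_id=3 */
    { K_INT, 0, 4 },       /* [5] INT, size 4 (constructed) */
};

static int warnings; /* how many times the modelled WARN_ON_ONCE fired */

/* Models btf_type_nosize(): with the fix, DECL_TAG counts as "no size". */
static bool nosize(const struct type *t, bool patched)
{
    return t->kind == K_VOID || (patched && t->kind == K_DECL_TAG);
}

/* Models btf_type_id_size(); -1 stands for the kernel's NULL return. */
static long type_id_size(unsigned id, bool patched)
{
    const struct type *t = &btf[id];
    if (nosize(t, patched))
        return -1;                 /* early exit, no warning */
    if (t->kind == K_INT)
        return (long)t->size;
    if (t->kind == K_PTR)
        return (long)sizeof(void *);
    if (t->kind != K_TYPE_TAG && t->kind != K_VAR) {
        warnings++;                /* the WARN_ON_ONCE branch quoted above */
        return -1;
    }
    return type_id_size(t->ref, patched); /* follow modifier/var (simplified) */
}

int main(void)
{
    long before = type_id_size(1, false); /* key type id 1 = DECL_TAG */
    int w = warnings;
    long after = type_id_size(1, true);
    printf("unpatched: ret=%ld warnings=%d; patched: ret=%ld warnings=%d\n",
           before, w, after, warnings - w);
}
```

In the model, type id 1 is rejected in both cases; only the unpatched path reaches the warning branch.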



