From 2e0702854b0e2428f6b5b32678f5f79ca341c619 Mon Sep 17 00:00:00 2001
From: Michal Rostecki
Date: Wed, 20 Jul 2022 16:39:42 +0200
Subject: [PATCH] Ensure log buffer bounds
This change adds checks in `TagLenValue.write()` to ensure that the size of written data doesn't exceed the buffer size. Verifier in recent kernel versions requires the bound to be a constant value, so using `buf.len()` does not work.
Signed-off-by: Michal Rostecki
---
 aya-log/aya-log-common/src/lib.rs | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/aya-log/aya-log-common/src/lib.rs b/aya-log/aya-log-common/src/lib.rs
index b91d07db..c1a5b666 100644
--- a/aya-log/aya-log-common/src/lib.rs
+++ b/aya-log/aya-log-common/src/lib.rs
@@ -90,7 +90,9 @@ where
 pub(crate) fn write(&self, mut buf: &mut [u8]) -> Result {
 let size = mem::size_of::() + mem::size_of::() + self.value.len();
- if buf.len() < size {
+ // The verifier rejects the program if it can't see that `size` doesn't
+ // exceed the buffer size.
+ if size > LOG_BUF_CAPACITY {
 return Err(());
 }
@@ -101,6 +103,11 @@ where
 buf = &mut buf[mem::size_of::()..];
 let len = cmp::min(buf.len(), self.value.len());
+ // The verifier rejects the program if it can't see that `size` doesn't
+ // exceed the buffer size.
+ if len > LOG_BUF_CAPACITY {
+ return Err(());
+ }
 buf[..len].copy_from_slice(&self.value[..len]);
 Ok(size)
 }
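Review bot: Replacing `buf.len() < size` with `size > LOG_BUF_CAPACITY` in the first hunk leaves nothing that compares `size` with the slice actually passed in. The function's header writes fall between the two hunks and are not shown; if they go through a raw pointer taken from `buf`, as the unchanged re-slicing line in the second hunk suggests, a caller that hands in a slice shorter than `LOG_BUF_CAPACITY` (the tail of a partly filled buffer, say) could get a write past the end of `buf`. Unless every caller is guaranteed to pass a full-capacity slice, keep the runtime comparison next to the constant one, e.g. `if size > LOG_BUF_CAPACITY || buf.len() < size { return Err(()); }`, and confirm the verifier still accepts that form. The same gap lets `cmp::min` in the second hunk shorten the copy while `Ok(size)` still reports the full `self.value.len()`, so the returned size can overstate what was written.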
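Review bot: The comment added above `if len > LOG_BUF_CAPACITY` in the second hunk was copied from the first hunk and still names `size`, although the guard tests `len`. Once the first guard has passed, `len` is at most `self.value.len()`, which is already below `LOG_BUF_CAPACITY`, so this branch cannot be taken at runtime and presumably exists only to give the verifier a constant bound for the copy. The comment should say that, e.g. `// Unreachable at runtime; gives the verifier a constant upper bound on len for the copy below.` The body of `write` starts before this hunk, so the first guard is not visible from here.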