From d5bb54bbee9d76690d6ee7b9b7ca94f27d925ce0 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 22 Dec 2017 14:05:11 +0100
Subject: [PATCH 1/8] bpf/verifier: fix bounds calculation on BPF_RSH

---
 debian/changelog                                   |  1 +
 ...erifier-fix-bounds-calculation-on-BPF_RSH.patch | 62 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 64 insertions(+)
 create mode 100644 debian/patches/bugfix/all/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch

diff --git a/debian/changelog b/debian/changelog
index c6d6afc86..bd4089a73 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -509,6 +509,7 @@ linux (4.14.7-1) UNRELEASED; urgency=medium
   * crypto: salsa20 - fix blkcipher_walk API usage (CVE-2017-17805)
   * crypto: hmac - require that the underlying hash algorithm is unkeyed
     (CVE-2017-17806)
+  * bpf/verifier: fix bounds calculation on BPF_RSH
 
   [ Vagrant Cascadian ]
   * [armhf, arm64] Backport patches from 4.15.x to support dwmac-sun8i.
diff --git a/debian/patches/bugfix/all/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch b/debian/patches/bugfix/all/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
new file mode 100644
index 000000000..9fc43f4ad
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
@@ -0,0 +1,62 @@
+From: Edward Cree <ecree@solarflare.com>
+Date: Mon, 18 Dec 2017 20:11:53 -0800
+Subject: bpf/verifier: fix bounds calculation on BPF_RSH
+Origin: https://git.kernel.org/linus/4374f256ce8182019353c0c639bb8d0695b4c941
+
+Incorrect signed bounds were being computed.
+If the old upper signed bound was positive and the old lower signed bound was
+negative, this could cause the new upper signed bound to be too low,
+leading to security issues.
+
+Fixes: b03c9f9fdc37 ("bpf/verifier: track signed and unsigned min/max values")
+Reported-by: Jann Horn <jannh@google.com>
+Signed-off-by: Edward Cree <ecree@solarflare.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+[jannh@google.com: changed description to reflect bug impact]
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+[carnil: Refresh context for backport to 4.14]
+---
+ kernel/bpf/verifier.c | 30 ++++++++++++++++--------------
+ 1 file changed, 16 insertions(+), 14 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2157,20 +2157,22 @@ static int adjust_scalar_min_max_vals(st
+ 			mark_reg_unknown(regs, insn->dst_reg);
+ 			break;
+ 		}
+-		/* BPF_RSH is an unsigned shift, so make the appropriate casts */
+-		if (dst_reg->smin_value < 0) {
+-			if (umin_val) {
+-				/* Sign bit will be cleared */
+-				dst_reg->smin_value = 0;
+-			} else {
+-				/* Lost sign bit information */
+-				dst_reg->smin_value = S64_MIN;
+-				dst_reg->smax_value = S64_MAX;
+-			}
+-		} else {
+-			dst_reg->smin_value =
+-				(u64)(dst_reg->smin_value) >> umax_val;
+-		}
++		/* BPF_RSH is an unsigned shift.  If the value in dst_reg might
++		 * be negative, then either:
++		 * 1) src_reg might be zero, so the sign bit of the result is
++		 *    unknown, so we lose our signed bounds
++		 * 2) it's known negative, thus the unsigned bounds capture the
++		 *    signed bounds
++		 * 3) the signed bounds cross zero, so they tell us nothing
++		 *    about the result
++		 * If the value in dst_reg is known nonnegative, then again the
++		 * unsigned bounts capture the signed bounds.
++		 * Thus, in all cases it suffices to blow away our signed bounds
++		 * and rely on inferring new ones from the unsigned bounds and
++		 * var_off of the result.
++		 */
++		dst_reg->smin_value = S64_MIN;
++		dst_reg->smax_value = S64_MAX;
+ 		if (src_known)
+ 			dst_reg->var_off = tnum_rshift(dst_reg->var_off,
+ 						       umin_val);
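Review bot: The new comment block carries a typo on the line reading `unsigned bounts capture the signed bounds` — it should be `unsigned bounds capture the signed bounds`; since this file is a carried Debian patch, fixing it here would make the backport diverge from the upstream commit named in the Origin line, so the wording is better left as-is or corrected upstream first. The fix itself widens `smin_value`/`smax_value` to `S64_MIN`/`S64_MAX` unconditionally, which is sound only because the signed bounds are presumably re-derived from the unsigned bounds and `var_off` later in the same function; that code is outside the hunk, and a reviewer applying this backport to 4.14 should confirm that the bounds-deduction step after the shift handling is present in the 4.14 tree (the "Refresh context" note suggests only line offsets changed). `adjust_scalar_min_max_vals` starts before and continues past the hunk.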
diff --git a/debian/patches/series b/debian/patches/series
index f38ac7f9c..cacead46e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -129,6 +129,7 @@ bugfix/all/kvm-fix-stack-out-of-bounds-read-in-write_mmio.patch
 bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
 bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
 bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
+bugfix/all/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
-- 
2.15.1

