From 3bc965107ac9d3d9e5c44757c501a591b9159034 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 22 Dec 2017 14:08:42 +0100
Subject: [PATCH 2/8] bpf: fix incorrect sign extension in check_alu_op()
 (CVE-2017-16995)

---
 debian/changelog                                   |  1 +
 ...-incorrect-sign-extension-in-check_alu_op.patch | 50 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 52 insertions(+)
 create mode 100644 debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch

diff --git a/debian/changelog b/debian/changelog
index bd4089a73..8e8eb1cc1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -510,6 +510,7 @@ linux (4.14.7-1) UNRELEASED; urgency=medium
   * crypto: hmac - require that the underlying hash algorithm is unkeyed
     (CVE-2017-17806)
   * bpf/verifier: fix bounds calculation on BPF_RSH
+  * bpf: fix incorrect sign extension in check_alu_op() (CVE-2017-16995)
 
   [ Vagrant Cascadian ]
   * [armhf, arm64] Backport patches from 4.15.x to support dwmac-sun8i.
diff --git a/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch b/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
new file mode 100644
index 000000000..73253f94d
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
@@ -0,0 +1,50 @@
+From: Jann Horn <jannh@google.com>
+Date: Mon, 18 Dec 2017 20:11:54 -0800
+Subject: bpf: fix incorrect sign extension in check_alu_op()
+Origin: https://git.kernel.org/linus/95a762e2c8c942780948091f8f2a4f32fce1ac6f
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2017-16995
+
+Distinguish between
+BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
+and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
+only perform sign extension in the first case.
+
+Starting with v4.14, this is exploitable by unprivileged users as long as
+the unprivileged_bpf_disabled sysctl isn't set.
+
+Debian assigned CVE-2017-16995 for this issue.
+
+v3:
+ - add CVE number (Ben Hutchings)
+
+Fixes: 484611357c19 ("bpf: allow access into map value arrays")
+Signed-off-by: Jann Horn <jannh@google.com>
+Acked-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+---
+ kernel/bpf/verifier.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 625e358ca765..c086010ae51e 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2408,7 +2408,13 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
+ 			 * remember the value we stored into this reg
+ 			 */
+ 			regs[insn->dst_reg].type = SCALAR_VALUE;
+-			__mark_reg_known(regs + insn->dst_reg, insn->imm);
++			if (BPF_CLASS(insn->code) == BPF_ALU64) {
++				__mark_reg_known(regs + insn->dst_reg,
++						 insn->imm);
++			} else {
++				__mark_reg_known(regs + insn->dst_reg,
++						 (u32)insn->imm);
++			}
+ 		}
+ 
+ 	} else if (opcode > BPF_END) {
+-- 
+2.11.0
+
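Review bot: The new else branch gets zero-extension only through the implicit widening of `(u32)insn->imm` when it is passed to `__mark_reg_known` (whose parameter is presumably 64-bit; not visible here), and nothing at the call site says why the two arms differ, so the fix reads as redundant to a maintainer who does not know the verifier. A one-line comment such as `/* BPF_ALU64 MOV sign-extends the 32-bit immediate; BPF_ALU MOV zero-extends it (CVE-2017-16995) */` above the `if` would tie the cast to the reason the branches exist. Since the patch is a verbatim upstream backport (see the Origin line), that comment belongs in an upstream follow-up rather than in the Debian patch file. check_alu_op starts and ends outside the quoted hunk.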
diff --git a/debian/patches/series b/debian/patches/series
index cacead46e..7bfcc6581 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -130,6 +130,7 @@ bugfix/all/bluetooth-prevent-stack-info-leak-from-the-efs-element.patch
 bugfix/all/crypto-salsa20-fix-blkcipher_walk-API-usage.patch
 bugfix/all/crypto-hmac-require-that-the-underlying-hash-algorit.patch
 bugfix/all/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
+bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
-- 
2.15.1

