From 99b01fcb53581f9fe22a1cc149550e1895de709c Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 22 Dec 2017 14:29:45 +0100
Subject: [PATCH 5/8] bpf: fix missing error return in check_stack_boundary()

---
 debian/changelog                                   |  1 +
 ...sing-error-return-in-check_stack_boundary.patch | 27 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 29 insertions(+)
 create mode 100644 debian/patches/bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch

diff --git a/debian/changelog b/debian/changelog
index 223f64e37..be5cf78e2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -513,6 +513,7 @@ linux (4.14.7-1) UNRELEASED; urgency=medium
   * bpf: fix incorrect sign extension in check_alu_op() (CVE-2017-16995)
   * bpf: fix incorrect tracking of register size truncation (CVE-2017-16996)
   * bpf: fix 32-bit ALU op verification
+  * bpf: fix missing error return in check_stack_boundary()
 
   [ Vagrant Cascadian ]
   * [armhf, arm64] Backport patches from 4.15.x to support dwmac-sun8i.
diff --git a/debian/patches/bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch b/debian/patches/bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch
new file mode 100644
index 000000000..caf450d75
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch
@@ -0,0 +1,27 @@
+From: Jann Horn <jannh@google.com>
+Date: Mon, 18 Dec 2017 20:11:57 -0800
+Subject: bpf: fix missing error return in check_stack_boundary()
+Origin: https://git.kernel.org/linus/ea25f914dc164c8d56b36147ecc86bc65f83c469
+
+Prevent indirect stack accesses at non-constant addresses, which would
+permit reading and corrupting spilled pointers.
+
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+[carnil: backport for 4.14: adjust context]
+---
+ kernel/bpf/verifier.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct b
+ 		tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
+ 		verbose("invalid variable stack read R%d var_off=%s\n",
+ 			regno, tn_buf);
++		return -EACCES;
+ 	}
+ 	off = regs[regno].off + regs[regno].var_off.value;
+ 	if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
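Review bot: The DEP-3 header of this embedded patch (the `From:`/`Origin:` lines) and the matching changelog entry carry no CVE or tracker reference, although the upstream text describes a memory-safety impact ("reading and corrupting spilled pointers") and the neighbouring bpf entries in the same upload cite their CVE ids. If an identifier has been assigned for this fix, record it in the changelog line, e.g. `* bpf: fix missing error return in check_stack_boundary() (CVE-YYYY-NNNNN)` with the placeholder replaced, so the security tracker can tie the upload to it. The `[carnil: backport for 4.14: adjust context]` tag is consistent with the single added `return -EACCES;`, which now stops a non-constant `var_off` from reaching the `off = regs[regno].off + regs[regno].var_off.value` computation, where only the known `value` bits would be range-checked. The body of check_stack_boundary() starts and continues outside the hunk, so the rest of that range check cannot be reviewed from here.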
diff --git a/debian/patches/series b/debian/patches/series
index e263b4ed0..d6d4571e1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -133,6 +133,7 @@ bugfix/all/bpf-verifier-fix-bounds-calculation-on-BPF_RSH.patch
 bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
 bugfix/all/bpf-fix-incorrect-tracking-of-register-size-truncati.patch
 bugfix/all/bpf-fix-32-bit-ALU-op-verification.patch
+bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
-- 
2.15.1

