From b86990f321cc963ba57772484ab8c1a526b6617a Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 22 Dec 2017 14:32:12 +0100
Subject: [PATCH 6/8] bpf: force strict alignment checks for stack pointers

---
 debian/changelog                                   |  1 +
 ...trict-alignment-checks-for-stack-pointers.patch | 36 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 38 insertions(+)
 create mode 100644 debian/patches/bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch

diff --git a/debian/changelog b/debian/changelog
index be5cf78e2..38780a7e1 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -514,6 +514,7 @@ linux (4.14.7-1) UNRELEASED; urgency=medium
   * bpf: fix incorrect tracking of register size truncation (CVE-2017-16996)
   * bpf: fix 32-bit ALU op verification
   * bpf: fix missing error return in check_stack_boundary()
+  * bpf: force strict alignment checks for stack pointers
 
   [ Vagrant Cascadian ]
   * [armhf, arm64] Backport patches from 4.15.x to support dwmac-sun8i.
diff --git a/debian/patches/bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch b/debian/patches/bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch
new file mode 100644
index 000000000..d74e9d68f
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch
@@ -0,0 +1,36 @@
+From: Jann Horn <jannh@google.com>
+Date: Mon, 18 Dec 2017 20:11:58 -0800
+Subject: bpf: force strict alignment checks for stack pointers
+Origin: https://git.kernel.org/linus/a5ec6ae161d72f01411169a938fa5f8baea16e8f
+
+Force strict alignment checks for stack pointers because the tracking of
+stack spills relies on it; unaligned stack accesses can lead to corruption
+of spilled registers, which is exploitable.
+
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+---
+ kernel/bpf/verifier.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 77e4b5223867..102c519836f6 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1059,6 +1059,11 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
+ 		break;
+ 	case PTR_TO_STACK:
+ 		pointer_desc = "stack ";
++		/* The stack spill tracking logic in check_stack_write()
++		 * and check_stack_read() relies on stack accesses being
++		 * aligned.
++		 */
++		strict = true;
+ 		break;
+ 	default:
+ 		break;
+-- 
+2.11.0
+
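Review bot: The added `strict = true;` in the `PTR_TO_STACK` case is an unconditional policy change, not a bounds fix: it overrides whatever `strict` was initialised to before the switch (presumably the per-program strict-alignment setting, which lives outside this hunk), so any BPF program that performed a misaligned stack load or store and previously loaded on an architecture where unaligned access is tolerated will now be rejected by the verifier at load time. That is the intended hardening, but it is a user-visible behavior change for a stable backport and deserves a sentence in the Debian changelog entry and the Debian commit body, both of which currently carry only the subject line. `check_ptr_alignment()` begins before and ends after this hunk, so the fix only holds if the `strict` value set here is the one handed to the generic alignment check after the switch; that matches the upstream commit referenced in the `Origin:` line but is worth confirming against the 4.14 tree being patched. The neighbouring changelog entry for the register-size-truncation fix carries its CVE identifier; if one has been assigned for this issue, this entry and the patch header should carry it too (a `Bug-Debian:` or CVE reference line) so security trackers can match the fix.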
diff --git a/debian/patches/series b/debian/patches/series
index d6d4571e1..c6054c21e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -134,6 +134,7 @@ bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
 bugfix/all/bpf-fix-incorrect-tracking-of-register-size-truncati.patch
 bugfix/all/bpf-fix-32-bit-ALU-op-verification.patch
 bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch
+bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
-- 
2.15.1

