From 0dd9081e5abc01f9073bf28e7bf01b6c4445e3c9 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Fri, 22 Dec 2017 14:35:18 +0100
Subject: [PATCH 7/8] bpf: don't prune branches when a scalar is replaced with
 a pointer

---
 debian/changelog                                   |  1 +
 ...rune-branches-when-a-scalar-is-replaced-w.patch | 48 ++++++++++++++++++++++
 debian/patches/series                              |  1 +
 3 files changed, 50 insertions(+)
 create mode 100644 debian/patches/bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch

diff --git a/debian/changelog b/debian/changelog
index 38780a7e1..40916d33b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -515,6 +515,7 @@ linux (4.14.7-1) UNRELEASED; urgency=medium
   * bpf: fix 32-bit ALU op verification
   * bpf: fix missing error return in check_stack_boundary()
   * bpf: force strict alignment checks for stack pointers
+  * bpf: don't prune branches when a scalar is replaced with a pointer
 
   [ Vagrant Cascadian ]
   * [armhf, arm64] Backport patches from 4.15.x to support dwmac-sun8i.
diff --git a/debian/patches/bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch b/debian/patches/bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
new file mode 100644
index 000000000..620f47d26
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
@@ -0,0 +1,48 @@
+From: Jann Horn <jannh@google.com>
+Date: Mon, 18 Dec 2017 20:11:59 -0800
+Subject: bpf: don't prune branches when a scalar is replaced with a pointer
+Origin: https://git.kernel.org/linus/179d1c5602997fef5a940c6ddcf31212cbfebd14
+
+This could be made safe by passing through a reference to env and checking
+for env->allow_ptr_leaks, but it would only work one way and is probably
+not worth the hassle - not doing it will not directly lead to program
+rejection.
+
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+---
+ kernel/bpf/verifier.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 102c519836f6..982bd9ec721a 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3467,15 +3467,14 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
+ 			return range_within(rold, rcur) &&
+ 			       tnum_in(rold->var_off, rcur->var_off);
+ 		} else {
+-			/* if we knew anything about the old value, we're not
+-			 * equal, because we can't know anything about the
+-			 * scalar value of the pointer in the new value.
++			/* We're trying to use a pointer in place of a scalar.
++			 * Even if the scalar was unbounded, this could lead to
++			 * pointer leaks because scalars are allowed to leak
++			 * while pointers are not. We could make this safe in
++			 * special cases if root is calling us, but it's
++			 * probably not worth the hassle.
+ 			 */
+-			return rold->umin_value == 0 &&
+-			       rold->umax_value == U64_MAX &&
+-			       rold->smin_value == S64_MIN &&
+-			       rold->smax_value == S64_MAX &&
+-			       tnum_is_unknown(rold->var_off);
++			return false;
+ 		}
+ 	case PTR_TO_MAP_VALUE:
+ 		/* If the new min/max/var_off satisfy the old ones and
+-- 
+2.11.0
+
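Review bot: The replacement comment in the `else` branch says pruning could be made safe "if root is calling us", while the commit message names the actual gate as `env->allow_ptr_leaks`; naming the flag in the code keeps the two in sync for whoever revisits this, e.g. `* We could make this safe when env->allow_ptr_leaks is set, but it's` in place of the "special cases if root is calling us" line. It would also help to state next to `return false;` why unconditionally refusing equivalence is the safe default: a pruned state whose scalar was allowed to leak must not be matched by a pointer in the new state (the new comment's own point), and the only cost of not matching is extra verifier states rather than program rejection, as the message says. regsafe() begins before this hunk and the enclosing switch continues past `case PTR_TO_MAP_VALUE:`, so the other register-type cases are not visible here.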
diff --git a/debian/patches/series b/debian/patches/series
index c6054c21e..a794a4b37 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -135,6 +135,7 @@ bugfix/all/bpf-fix-incorrect-tracking-of-register-size-truncati.patch
 bugfix/all/bpf-fix-32-bit-ALU-op-verification.patch
 bugfix/all/bpf-fix-missing-error-return-in-check_stack_boundary.patch
 bugfix/all/bpf-force-strict-alignment-checks-for-stack-pointers.patch
+bugfix/all/bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
 
 # Fix exported symbol versions
 bugfix/all/module-disable-matching-missing-version-crc.patch
-- 
2.15.1

