From: <gregkh@linuxfoundation.org>
To: daniel@iogearbox.net, ast@kernel.org, ecree@solarflare.com,
gregkh@linuxfoundation.org, jannh@google.com
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "bpf: fix incorrect sign extension in check_alu_op()" has been added to the 4.9-stable tree
Date: Fri, 22 Dec 2017 16:58:03 +0100 [thread overview]
Message-ID: <1513958283238197@kroah.com> (raw)
In-Reply-To: <20171222152905.3455-5-daniel@iogearbox.net>
This is a note to let you know that I've just added the patch titled
bpf: fix incorrect sign extension in check_alu_op()
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Fri Dec 22 16:57:35 CET 2017
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Fri, 22 Dec 2017 16:29:05 +0100
Subject: bpf: fix incorrect sign extension in check_alu_op()
To: gregkh@linuxfoundation.org
Cc: ast@kernel.org, daniel@iogearbox.net, jannh@google.com, stable@vger.kernel.org
Message-ID: <20171222152905.3455-5-daniel@iogearbox.net>
From: Daniel Borkmann <daniel@iogearbox.net>
From: Jann Horn <jannh@google.com>
[ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ]
Distinguish between
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
only perform sign extension in the first case.
Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.
Debian assigned CVE-2017-16995 for this issue.
v3:
- add CVE number (Ben Hutchings)
Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1790,10 +1790,17 @@ static int check_alu_op(struct bpf_verif
/* case: R = imm
* remember the value we stored into this reg
*/
+ u64 imm;
+
+ if (BPF_CLASS(insn->code) == BPF_ALU64)
+ imm = insn->imm;
+ else
+ imm = (u32)insn->imm;
+
regs[insn->dst_reg].type = CONST_IMM;
- regs[insn->dst_reg].imm = insn->imm;
- regs[insn->dst_reg].max_value = insn->imm;
- regs[insn->dst_reg].min_value = insn->imm;
+ regs[insn->dst_reg].imm = imm;
+ regs[insn->dst_reg].max_value = imm;
+ regs[insn->dst_reg].min_value = imm;
}
} else if (opcode > BPF_END) {
Patches currently in stable-queue which might be from daniel@iogearbox.net are
queue-4.9/bpf-fix-branch-pruning-logic.patch
queue-4.9/bpf-adjust-insn_aux_data-when-patching-insns.patch
queue-4.9/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
queue-4.9/bpf-reject-out-of-bounds-stack-pointer-calculation.patch
next prev parent reply other threads:[~2017-12-22 15:58 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-12-22 15:29 [PATCH stable/4.9 0/4] BPF stable patches for 4.9 Daniel Borkmann
2017-12-22 15:29 ` [PATCH stable/4.9 1/4] bpf: adjust insn_aux_data when patching insns Daniel Borkmann
2017-12-22 15:58 ` Patch "bpf: adjust insn_aux_data when patching insns" has been added to the 4.9-stable tree gregkh
2017-12-22 15:29 ` [PATCH stable/4.9 2/4] bpf: fix branch pruning logic Daniel Borkmann
2017-12-22 15:58 ` Patch "bpf: fix branch pruning logic" has been added to the 4.9-stable tree gregkh
2017-12-22 15:29 ` [PATCH stable/4.9 3/4] bpf: reject out-of-bounds stack pointer calculation Daniel Borkmann
2017-12-22 15:58 ` Patch "bpf: reject out-of-bounds stack pointer calculation" has been added to the 4.9-stable tree gregkh
2017-12-22 15:29 ` [PATCH stable/4.9 4/4] bpf: fix incorrect sign extension in check_alu_op() Daniel Borkmann
2017-12-22 15:58 ` gregkh [this message]
2017-12-22 16:04 ` [PATCH stable/4.9 0/4] BPF stable patches for 4.9 Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1513958283238197@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=ecree@solarflare.com \
--cc=jannh@google.com \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.