From: <gregkh@linuxfoundation.org>
To: daniel@iogearbox.net, ast@kernel.org, gregkh@linuxfoundation.org
Cc: <stable@vger.kernel.org>, <stable-commits@vger.kernel.org>
Subject: Patch "bpf: fix 32-bit divide by zero" has been added to the 4.14-stable tree
Date: Mon, 29 Jan 2018 13:20:17 +0100 [thread overview]
Message-ID: <151722841712897@kroah.com> (raw)
In-Reply-To: <20180128233647.21154-5-daniel@iogearbox.net>
This is a note to let you know that I've just added the patch titled
bpf: fix 32-bit divide by zero
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
bpf-fix-32-bit-divide-by-zero.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Mon Jan 29 13:14:09 CET 2018
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Mon, 29 Jan 2018 00:36:45 +0100
Subject: bpf: fix 32-bit divide by zero
To: gregkh@linuxfoundation.org
Cc: ast@kernel.org, stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>
Message-ID: <20180128233647.21154-5-daniel@iogearbox.net>
From: Alexei Starovoitov <ast@kernel.org>
[ upstream commit 68fda450a7df51cff9e5a4d4a4d9d0d5f2589153 ]
due to some JITs doing if (src_reg == 0) check in 64-bit mode
for div/mod operations mask upper 32-bits of src register
before doing the check
Fixes: 622582786c9e ("net: filter: x86: internal BPF JIT")
Fixes: 7a12b5031c6b ("sparc64: Add eBPF JIT.")
Reported-by: syzbot+48340bb518e88849e2e3@syzkaller.appspotmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 18 ++++++++++++++++++
net/core/filter.c | 4 ++++
2 files changed, 22 insertions(+)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4304,6 +4304,24 @@ static int fixup_bpf_calls(struct bpf_ve
int i, cnt, delta = 0;
for (i = 0; i < insn_cnt; i++, insn++) {
+ if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
+ insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
+ /* due to JIT bugs clear upper 32-bits of src register
+ * before div/mod operation
+ */
+ insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);
+ insn_buf[1] = *insn;
+ cnt = 2;
+ new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
+ if (!new_prog)
+ return -ENOMEM;
+
+ delta += cnt - 1;
+ env->prog = prog = new_prog;
+ insn = new_prog->insnsi + i + delta;
+ continue;
+ }
+
if (insn->code != (BPF_JMP | BPF_CALL))
continue;
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -457,6 +457,10 @@ do_pass:
convert_bpf_extensions(fp, &insn))
break;
+ if (fp->code == (BPF_ALU | BPF_DIV | BPF_X) ||
+ fp->code == (BPF_ALU | BPF_MOD | BPF_X))
+ *insn++ = BPF_MOV32_REG(BPF_REG_X, BPF_REG_X);
+
*insn = BPF_RAW_INSN(fp->code, BPF_REG_A, BPF_REG_X, 0, fp->k);
break;
Patches currently in stable-queue which might be from daniel@iogearbox.net are
queue-4.14/bpf-avoid-false-sharing-of-map-refcount-with-max_entries.patch
queue-4.14/bpf-reject-stores-into-ctx-via-st-and-xadd.patch
queue-4.14/bpf-fix-32-bit-divide-by-zero.patch
queue-4.14/bpf-fix-divides-by-zero.patch
queue-4.14/bpf-arm64-fix-stack_depth-tracking-in-combination-with-tail-calls.patch
queue-4.14/bpf-introduce-bpf_jit_always_on-config.patch
next prev parent reply other threads:[~2018-01-29 20:05 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-28 23:36 [PATCH stable 4.14 0/6] BPF stable patches Daniel Borkmann
2018-01-28 23:36 ` [PATCH stable 4.14 1/6] bpf: introduce BPF_JIT_ALWAYS_ON config Daniel Borkmann
2018-01-29 12:20 ` Patch "bpf: introduce BPF_JIT_ALWAYS_ON config" has been added to the 4.14-stable tree gregkh
2018-01-28 23:36 ` [PATCH stable 4.14 2/6] bpf: avoid false sharing of map refcount with max_entries Daniel Borkmann
2018-01-29 12:20 ` Patch "bpf: avoid false sharing of map refcount with max_entries" has been added to the 4.14-stable tree gregkh
2018-01-28 23:36 ` [PATCH stable 4.14 3/6] bpf: fix divides by zero Daniel Borkmann
2018-01-29 12:20 ` Patch "bpf: fix divides by zero" has been added to the 4.14-stable tree gregkh
2018-01-28 23:36 ` [PATCH stable 4.14 4/6] bpf: fix 32-bit divide by zero Daniel Borkmann
2018-01-29 12:20 ` gregkh [this message]
2018-01-28 23:36 ` [PATCH stable 4.14 5/6] bpf: reject stores into ctx via st and xadd Daniel Borkmann
2018-01-29 12:20 ` Patch "bpf: reject stores into ctx via st and xadd" has been added to the 4.14-stable tree gregkh
2018-01-28 23:36 ` [PATCH stable 4.14 6/6] bpf, arm64: fix stack_depth tracking in combination with tail calls Daniel Borkmann
2018-01-29 12:20 ` Patch "bpf, arm64: fix stack_depth tracking in combination with tail calls" has been added to the 4.14-stable tree gregkh
2018-01-29 12:21 ` [PATCH stable 4.14 0/6] BPF stable patches Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=151722841712897@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=stable-commits@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.