From mboxrd@z Thu Jan  1 00:00:00 1970
From: Ben Hutchings <ben@decadent.org.uk>
Subject: [PATCH 4.9] bpf/verifier: Fix states_equal() comparison of pointer
 and UNKNOWN
Date: Sat, 23 Dec 2017 02:26:17 +0000
Message-ID: <20171223022617.GO2971@decadent.org.uk>
Mime-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
        protocol="application/pgp-signature"; boundary="DFFMAMYvrfM3lt66"
Cc: stable@vger.kernel.org, netdev@vger.kernel.org,
        Edward Cree <ecree@solarflare.com>,
        Jann Horn <jannh@google.com>,
        Alexei Starovoitov <ast@kernel.org>
To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Return-path: <netdev-owner@vger.kernel.org>
Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:49913 "EHLO
        shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK)
        by vger.kernel.org with ESMTP id S1756885AbdLWC0T (ORCPT
        <rfc822;netdev@vger.kernel.org>); Fri, 22 Dec 2017 21:26:19 -0500
Content-Disposition: inline
Sender: netdev-owner@vger.kernel.org
List-ID: <netdev.vger.kernel.org>


--DFFMAMYvrfM3lt66
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless
pointer leaks are allowed.  Therefore, states_equal() must not treat
a state with a pointer in a register as "equal" to a state with an
UNKNOWN_VALUE in that register.

This was fixed differently upstream, but the code around here was
largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework
value tracking".  The bug can be detected by the bpf/verifier sub-test
"pointer/scalar confusion in state equality check (way 1)".

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Edward Cree <ecree@solarflare.com>
Cc: Jann Horn <jannh@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
---
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2722,11 +2722,12 @@ static bool states_equal(struct bpf_veri
=20
 		/* If we didn't map access then again we don't care about the
 		 * mismatched range values and it's ok if our old type was
-		 * UNKNOWN and we didn't go to a NOT_INIT'ed reg.
+		 * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg.
 		 */
 		if (rold->type =3D=3D NOT_INIT ||
 		    (!varlen_map_access && rold->type =3D=3D UNKNOWN_VALUE &&
-		     rcur->type !=3D NOT_INIT))
+		     rcur->type !=3D NOT_INIT &&
+		     !__is_pointer_value(env->allow_ptr_leaks, rcur)))
 			continue;
=20
 		/* Don't care about the reg->id in this case. */

--DFFMAMYvrfM3lt66
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: Digital signature

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBWj2+yOe/yOyVhhEJAQqoSg//U2hmAZNu0EPfND/YuQuhH9wpXNsf1jf/
Tey2AEWXSHYh0u3ofBsHwTyn8K7fo99IarUmb65PAlfg4Ua7nfGpASG/gKBQIehQ
0R+LYUEOMI/A/6p4Mh2uG6JrVkYavIo6j3dK+tkHVzMyA50qhkvSpU3lwz9TzdzN
fHksKMR03oUt1useUe4hchiH2UEo0kiQuAhOl9RvloAYntYzN+6l/li3itpb7NYQ
X+VEAM22vaWYusSN3CQWAdV/k6TM8yNjUuTqtv/A9cffPOYSqAw4LanwLlLzlrUQ
FzieaQS6sJeXmZFx8WiPLZkPFo9k4hSEYvJV8d2M0rbMamKTR+PTFeOePTcam2UW
tE2DQ1E0VZr2fBAP3NV0/oCKDZhf/XcbD5TDQbC7xGmqSA+hsagvV3CnTtw1SI5z
ndAHAuo89hyf8kERUxGs49GtY96mrx55QHPrHcEGPH/iJFPeD/Th8A98UQAIw9uy
YbW4zaKO05PnM7t7zytmMGXB9RjdzJ/tRRxbj5c/tOH3zZNC9JiMYaNQZbltVYjv
H6Dzc43h0a5iM7MBJhDQKDKE4TEHvSxWNSK5iflEnsQ3otxkoDvUY4Cz48AuRKdp
UPA3wQFLa/Nm/wIixAxlcJbY1qF1hTIm+rEpvkrir6e/40Lbdfy27X9hU1LJ3IUG
uDQdKL4veQE=
=DFzs
-----END PGP SIGNATURE-----

--DFFMAMYvrfM3lt66--