From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from mail.linuxfoundation.org ([140.211.169.12]:34302 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1751302AbeBAIOS (ORCPT
        <rfc822;stable@vger.kernel.org>); Thu, 1 Feb 2018 03:14:18 -0500
Date: Thu, 1 Feb 2018 09:14:15 +0100
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: Alexei Starovoitov <ast@kernel.org>,
        Daniel Borkmann <daniel@iogearbox.net>, stable@vger.kernel.org
Subject: Re: [PATCH v2 4.4 1/3] bpf: fix branch pruning logic
Message-ID: <20180201081415.GD15896@kroah.com>
References: <20180131180810.scwrljbrwtx5bgin@xylophone.i.decadent.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20180131180810.scwrljbrwtx5bgin@xylophone.i.decadent.org.uk>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Wed, Jan 31, 2018 at 06:08:10PM +0000, Ben Hutchings wrote:
> From: Alexei Starovoitov <ast@fb.com>
> 
> commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 upstream.
> 
> when the verifier detects that register contains a runtime constant
> and it's compared with another constant it will prune exploration
> of the branch that is guaranteed not to be taken at runtime.
> This is all correct, but malicious program may be constructed
> in such a way that it always has a constant comparison and
> the other branch is never taken under any conditions.
> In this case such path through the program will not be explored
> by the verifier. It won't be taken at run-time either, but since
> all instructions are JITed the malicious program may cause JITs
> to complain about using reserved fields, etc.
> To fix the issue we have to track the instructions explored by
> the verifier and sanitize instructions that are dead at run time
> with NOPs. We cannot reject such dead code, since llvm generates
> it for valid C code, since it doesn't do as much data flow
> analysis as the verifier does.
> 
> Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
> Signed-off-by: Alexei Starovoitov <ast@kernel.org>
> Acked-by: Daniel Borkmann <daniel@iogearbox.net>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> [bwh: Backported to 4.4:
>  - s/bpf_verifier_env/verifier_env/
>  - Adjust context]
> Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
> ---
> v2: Restore Alexei as author

All 3 of these are already queued up thanks to backport from Daniel.

greg k-h