From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from mail.kernel.org ([198.145.29.99]:47948 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726450AbeJHVNT (ORCPT ); Mon, 8 Oct 2018 17:13:19 -0400
Date: Mon, 8 Oct 2018 15:27:56 +0200
From: Greg KH
To: Daniel Borkmann
Cc: ast@kernel.org, jannh@google.com, stable@vger.kernel.org
Subject: Re: [PATCH stable 4.14,4.18] bpf: 32-bit RSH verification must truncate input before the ALU op
Message-ID: <20181008132756.GE20703@kroah.com>
References: <85cc332c0d20db55f7619e681f459bdbb6aa4a7e.1538988801.git.daniel@iogearbox.net>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <85cc332c0d20db55f7619e681f459bdbb6aa4a7e.1538988801.git.daniel@iogearbox.net>
Sender: stable-owner@vger.kernel.org
List-ID:

On Mon, Oct 08, 2018 at 10:59:33AM +0200, Daniel Borkmann wrote:
> From: Jann Horn
>
> [ upstream commit b799207e1e1816b09e7a5920fbb2d5fcf6edd681 ]
>
> When I wrote commit 468f6eafa6c4 ("bpf: fix 32-bit ALU op verification"), I
> assumed that, in order to emulate 64-bit arithmetic with 32-bit logic, it
> is sufficient to just truncate the output to 32 bits; and so I just moved
> the register size coercion that used to be at the start of the function to
> the end of the function.
>
> That assumption is true for almost every op, but not for 32-bit right
> shifts, because those can propagate information towards the least
> significant bit. Fix it by always truncating inputs for 32-bit ops to 32
> bits.
>
> Also get rid of the coerce_reg_to_size() after the ALU op, since that has
> no effect.

Applied, thanks.

greg k-h
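
The arithmetic behind the quoted commit message, as an added example that is not part of this thread or of the kernel patch: it compares "truncate only the output" with "truncate the inputs first" on concrete values and shows that they agree for every op except the right shift. The function names and sample operands are constructed for illustration, and the code models plain integer arithmetic only, not the verifier's range tracking.

```c
#include <stdint.h>
#include <stdio.h>
enum op { OP_ADD, OP_SUB, OP_MUL, OP_AND, OP_OR, OP_XOR, OP_LSH, OP_RSH, OP_COUNT };

/* Plain 64-bit ALU op; shift counts stay below 32, as for a 32-bit op. */
static uint64_t alu64(enum op op, uint64_t a, uint64_t b) {
    switch (op) {
    case OP_ADD: return a + b;
    case OP_SUB: return a - b;
    case OP_MUL: return a * b;
    case OP_AND: return a & b;
    case OP_OR:  return a | b;
    case OP_XOR: return a ^ b;
    case OP_LSH: return a << (b & 31);
    case OP_RSH: return a >> (b & 31);
    default:     return 0;
    }
}

/* Model A: run the op on the full 64-bit inputs, truncate only the output. */
static uint32_t trunc_output_only(enum op op, uint64_t a, uint64_t b) {
    return (uint32_t)alu64(op, a, b);
}

/* Model B: truncate both inputs first, which is what a real 32-bit op computes. */
static uint32_t trunc_inputs_first(enum op op, uint64_t a, uint64_t b) {
    return (uint32_t)alu64(op, (uint32_t)a, (uint32_t)b);
}

/* Constructed sample operands, several with bits set above bit 31. */
static const uint64_t samples[] = { 0, 1, 31, 0x7fffffffULL, 0x80000000ULL,
    0xffffffffULL, 0x100000000ULL, 0xdeadbeefcafef00dULL, UINT64_MAX };
#define NSAMPLES (sizeof(samples) / sizeof(samples[0]))

/* Number of sample pairs on which the two models disagree for one op. */
static unsigned count_mismatches(enum op op) {
    unsigned n = 0;
    for (size_t i = 0; i < NSAMPLES; i++)
        for (size_t j = 0; j < NSAMPLES; j++)
            n += trunc_output_only(op, samples[i], samples[j]) !=
                 trunc_inputs_first(op, samples[i], samples[j]);
    return n;
}

int main(void) {
    static const char *const names[OP_COUNT] = { "add", "sub", "mul", "and", "or", "xor", "lsh", "rsh" };
    for (int op = 0; op < OP_COUNT; op++)
        printf("%-3s mismatches: %u\n", names[op], count_mismatches((enum op)op));
    return 0;
}
```

For the operand 0x100000000 shifted right by 1, model A yields 0x80000000 because bit 32 moves down into the low word, while the 32-bit result is 0.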