From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Piotr Krysiuk <piotras@gmail.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>
Subject: [PATCH 5.10 2/9] bpf: Fix mask direction swap upon off reg sign change
Date: Thu, 27 May 2021 17:12:54 +0200 [thread overview]
Message-ID: <20210527151139.321814981@linuxfoundation.org> (raw)
In-Reply-To: <20210527151139.242182390@linuxfoundation.org>
From: Daniel Borkmann <daniel@iogearbox.net>
commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream.
Masking direction as indicated via mask_to_left is considered to be
calculated once and then used to derive pointer limits. Thus, this
needs to be placed into bpf_sanitize_info instead so we can pass it
to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
corner case where the off reg causes masking direction change which
then results in an incorrect final aux->alu_limit.
Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
Reported-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5666,18 +5666,10 @@ enum {
};
static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
- const struct bpf_reg_state *off_reg,
- u32 *alu_limit, u8 opcode)
+ u32 *alu_limit, bool mask_to_left)
{
- bool off_is_neg = off_reg->smin_value < 0;
- bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
- (opcode == BPF_SUB && !off_is_neg);
u32 max = 0, ptr_limit = 0;
- if (!tnum_is_const(off_reg->var_off) &&
- (off_reg->smin_value < 0) != (off_reg->smax_value < 0))
- return REASON_BOUNDS;
-
switch (ptr_reg->type) {
case PTR_TO_STACK:
/* Offset 0 is out-of-bounds, but acceptable start for the
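Review bot: with off_reg and opcode dropped from retrieve_ptr_limit()'s signature, the REASON_BOUNDS check for an off_reg whose smin_value and smax_value straddle zero no longer runs inside this function, so every caller now has to perform that check before asking for a limit; a one-line comment above the function stating that mask_to_left is precomputed by the caller and that the sign-consistency check is the caller's responsibility would make that contract explicit. Also confirm that the remainder of the function body, beyond the context shown in this hunk, contains no remaining reference to off_reg or opcode, since both parameters are gone.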
@@ -5745,6 +5737,7 @@ static bool sanitize_needed(u8 opcode)
struct bpf_sanitize_info {
struct bpf_insn_aux_data aux;
+ bool mask_to_left;
};
static int sanitize_ptr_alu(struct bpf_verifier_env *env,
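Review bot: the new mask_to_left member carries no comment, yet its lifetime spans two sanitize_ptr_alu() calls (written on the non-commit pass, read back on the commit pass); add a short comment such as `/* masking direction, computed once before the pointer move */` next to `bool mask_to_left;` so that the cross-call dependency is obvious, and make sure every bpf_sanitize_info declaration zero-initializes the struct so the field cannot be read uninitialized if the commit path is ever reached without a preceding non-commit pass.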
@@ -5776,7 +5769,16 @@ static int sanitize_ptr_alu(struct bpf_v
if (vstate->speculative)
goto do_sim;
- err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode);
+ if (!commit_window) {
+ if (!tnum_is_const(off_reg->var_off) &&
+ (off_reg->smin_value < 0) != (off_reg->smax_value < 0))
+ return REASON_BOUNDS;
+
+ info->mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
+ (opcode == BPF_SUB && !off_is_neg);
+ }
+
+ err = retrieve_ptr_limit(ptr_reg, &alu_limit, info->mask_to_left);
if (err < 0)
return err;
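Review bot: the REASON_BOUNDS check and the mask_to_left computation now run only under `if (!commit_window)`, so on the commit pass the limit is derived from the info->mask_to_left stored by the earlier pass; that is correct only if the same info object is passed to both calls, which this hunk does not show, and a comment at the `if (!commit_window)` line stating that assumption would help future readers. The hunk also relies on off_is_neg, which the removed retrieve_ptr_limit() code derived as `off_reg->smin_value < 0`; confirm sanitize_ptr_alu() defines it the same way earlier in the function, since the definition is outside the visible context.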