From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gregkh@linuxfoundation.org>
X-Google-Smtp-Source: AH8x227WB4Jop4EAzHanRyV0pp52pX3zuvTt9CaId1rzbgwECjvDfOYYvGXgT/kDCyHhKG/N7SXK
ARC-Seal: i=1; a=rsa-sha256; t=1517256888; cv=none;
        d=google.com; s=arc-20160816;
        b=jnvLuNCoec9nqcS+zQeZufBZLHQ1hSYIS58pVORJlvxGbbNPvAagtWAzmyOSdsh0ry
         Tz+1uvraWDrFUX6xu8LFLVGIChFPqT+PQ3k4pnvMiRt2CQKHA5V0lco6p0gzzghTRY98
         xnkwxYH+LxRxAohtvo9U54W+zHS58GS9gefIxyI2je0OVc5g8njsYazyk0UKPQcQKtxp
         +08nprj6YVldqBUOlvOGH/uN888ulVmpWvt6h6XyyRIHs+NtByHJ0Cyk0GzPR/HXl2Yi
         yCvIlbpXqhIShvAKx3AJ7BKSGPAyeiTslJo1PbfIjcniTktj3L1jgnCbcg3oFDvLzBCv
         MKZw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=mime-version:user-agent:references:in-reply-to:message-id:date
         :subject:cc:to:from:arc-authentication-results;
        bh=/jOLGG2HaFIy6cgxYyQbAFVNHwyxLbAEz9NvpuSkeUg=;
        b=PMvv3GN1ZkVCoRw17koHAKQhUs6QW/Q/YlrqDkGAywK4bvaoIfeEQArXOI6+xt00jL
         I27vA9KWDEdsaJGGjTXi73CAO2zzPrALJnCS3ByJ2D3OtfRDbODnWxAxngP8/AT5Kitc
         GKMrnFMxWHEbzoc3TJXsgGfeyzzhbHJnEDdFDFuP/dbwiTc+lZOJawIW2zKgE8P+GdkJ
         9lvb7axdJXFyfA2CxfmeO6AXUmDksVKljTU1DfMFwiZzejufdIm2NoMEQQWGp2cW3xE4
         QmR54peERXoS/je2Qzs/TydiqOSvM0aKP1yJKOGKtBCNGmp7VqRytxSaJxC4Dta4U2yu
         /0MA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org
Authentication-Results: mx.google.com;
       spf=softfail (google.com: domain of transitioning gregkh@linuxfoundation.org does not designate 90.92.71.90 as permitted sender) smtp.mailfrom=gregkh@linuxfoundation.org
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	"ast@kernel.org, stable@vger.kernel.org, Daniel Borkmann" <daniel@iogearbox.net>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>
Subject: [PATCH 4.9 66/66] bpf: reject stores into ctx via st and xadd
Date: Mon, 29 Jan 2018 13:57:30 +0100
Message-Id: <20180129123843.369270247@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
In-Reply-To: <20180129123839.842860149@linuxfoundation.org>
References: <20180129123839.842860149@linuxfoundation.org>
User-Agent: quilt/0.65
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-LABELS: =?utf-8?b?IlxcU2VudCI=?=
X-GMAIL-THRID: =?utf-8?q?1590959029855463752?=
X-GMAIL-MSGID: =?utf-8?q?1590959159037949616?=
X-Mailing-List: linux-kernel@vger.kernel.org
List-ID: <linux-kernel.vger.kernel.org>

4.9-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann <daniel@iogearbox.net>

[ upstream commit f37a8cb84cce18762e8f86a70bd6a49a66ab964c ]

Alexei found that verifier does not reject stores into context
via BPF_ST instead of BPF_STX. And while looking at it, we
also should not allow XADD variant of BPF_STX.

The context rewriter is only assuming either BPF_LDX_MEM- or
BPF_STX_MEM-type operations, thus reject anything other than
that so that assumptions in the rewriter properly hold. Add
test cases as well for BPF selftests.

Fixes: d691f9e8d440 ("bpf: allow programs to write to certain skb fields")
Reported-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |   19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -702,6 +702,13 @@ static bool is_pointer_value(struct bpf_
 	return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]);
 }
 
+static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
+{
+	const struct bpf_reg_state *reg = &env->cur_state.regs[regno];
+
+	return reg->type == PTR_TO_CTX;
+}
+
 static int check_ptr_alignment(struct bpf_verifier_env *env,
 			       struct bpf_reg_state *reg, int off, int size)
 {
@@ -896,6 +903,12 @@ static int check_xadd(struct bpf_verifie
 		return -EACCES;
 	}
 
+	if (is_ctx_reg(env, insn->dst_reg)) {
+		verbose("BPF_XADD stores into R%d context is not allowed\n",
+			insn->dst_reg);
+		return -EACCES;
+	}
+
 	/* check whether atomic_add can read the memory */
 	err = check_mem_access(env, insn->dst_reg, insn->off,
 			       BPF_SIZE(insn->code), BPF_READ, -1);
@@ -3012,6 +3025,12 @@ static int do_check(struct bpf_verifier_
 			if (err)
 				return err;
 
+			if (is_ctx_reg(env, insn->dst_reg)) {
+				verbose("BPF_ST stores into R%d context is not allowed\n",
+					insn->dst_reg);
+				return -EACCES;
+			}
+
 			/* check that memory (dst_reg + off) is writeable */
 			err = check_mem_access(env, insn->dst_reg, insn->off,
 					       BPF_SIZE(insn->code), BPF_WRITE,