From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:49662 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1756366AbdLVPrs (ORCPT ); Fri, 22 Dec 2017 10:47:48 -0500 Subject: Patch "[PATCH stable/4.14 07/14] bpf: fix incorrect sign extension in check_alu_op()" has been added to the 4.14-stable tree To: daniel@iogearbox.net, ast@kernel.org, ecree@solarflare.com, gregkh@linuxfoundation.org, jannh@google.com Cc: , From: Date: Fri, 22 Dec 2017 16:47:41 +0100 In-Reply-To: <20171222152312.2945-8-daniel@iogearbox.net> Message-ID: <1513957661108247@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled [PATCH stable/4.14 07/14] bpf: fix incorrect sign extension in check_alu_op() to the 4.14-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bpf-fix-incorrect-sign-extension-in-check_alu_op.patch and it can be found in the queue-4.14 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Fri Dec 22 16:47:02 CET 2017 From: Daniel Borkmann Date: Fri, 22 Dec 2017 16:23:05 +0100 Subject: [PATCH stable/4.14 07/14] bpf: fix incorrect sign extension in check_alu_op() To: gregkh@linuxfoundation.org Cc: ast@kernel.org, daniel@iogearbox.net, jannh@google.com, stable@vger.kernel.org Message-ID: <20171222152312.2945-8-daniel@iogearbox.net> From: Daniel Borkmann From: Jann Horn [ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ] Distinguish between BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit) and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit); only perform sign extension in the first case. Starting with v4.14, this is exploitable by unprivileged users as long as the unprivileged_bpf_disabled sysctl isn't set. Debian assigned CVE-2017-16995 for this issue. v3: - add CVE number (Ben Hutchings) Fixes: 484611357c19 ("bpf: allow access into map value arrays") Signed-off-by: Jann Horn Acked-by: Edward Cree Signed-off-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/verifier.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2374,7 +2374,13 @@ static int check_alu_op(struct bpf_verif * remember the value we stored into this reg */ regs[insn->dst_reg].type = SCALAR_VALUE; - __mark_reg_known(regs + insn->dst_reg, insn->imm); + if (BPF_CLASS(insn->code) == BPF_ALU64) { + __mark_reg_known(regs + insn->dst_reg, + insn->imm); + } else { + __mark_reg_known(regs + insn->dst_reg, + (u32)insn->imm); + } } } else if (opcode > BPF_END) { Patches currently in stable-queue which might be from daniel@iogearbox.net are queue-4.14/bpf-fix-integer-overflows.patch queue-4.14/bpf-fix-branch-pruning-logic.patch queue-4.14/bpf-s390x-do-not-reload-skb-pointers-in-non-skb-context.patch queue-4.14/bpf-sparc-fix-usage-of-wrong-reg-for-load_skb_regs-after-call.patch queue-4.14/bpf-fix-incorrect-tracking-of-register-size-truncation.patch queue-4.14/bpf-don-t-prune-branches-when-a-scalar-is-replaced-with-a-pointer.patch queue-4.14/bpf-verifier-fix-bounds-calculation-on-bpf_rsh.patch queue-4.14/selftests-bpf-add-tests-for-recent-bugfixes.patch queue-4.14/bpf-fix-corruption-on-concurrent-perf_event_output-calls.patch queue-4.14/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch queue-4.14/bpf-ppc64-do-not-reload-skb-pointers-in-non-skb-context.patch queue-4.14/bpf-fix-missing-error-return-in-check_stack_boundary.patch queue-4.14/bpf-force-strict-alignment-checks-for-stack-pointers.patch queue-4.14/bpf-fix-32-bit-alu-op-verification.patch queue-4.14/bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_event.h.patch