Patch "[PATCH stable/4.14 11/14] bpf: force strict alignment checks for stack pointers" has been added to the 4.14-stable tree

[<gregkh@linuxfoundation.org>]

This is a note to let you know that I've just added the patch titled

    [PATCH stable/4.14 11/14] bpf: force strict alignment checks for stack pointers

to the 4.14-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-force-strict-alignment-checks-for-stack-pointers.patch
and it can be found in the queue-4.14 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.


>From foo@baz Fri Dec 22 16:47:02 CET 2017
From: Daniel Borkmann <daniel@iogearbox.net>
Date: Fri, 22 Dec 2017 16:23:09 +0100
Subject: [PATCH stable/4.14 11/14] bpf: force strict alignment checks for stack pointers
To: gregkh@linuxfoundation.org
Cc: ast@kernel.org, daniel@iogearbox.net, jannh@google.com, stable@vger.kernel.org
Message-ID: <20171222152312.2945-12-daniel@iogearbox.net>

From: Daniel Borkmann <daniel@iogearbox.net>


From: Jann Horn <jannh@google.com>

[ Upstream commit a5ec6ae161d72f01411169a938fa5f8baea16e8f ]

Force strict alignment checks for stack pointers because the tracking of
stack spills relies on it; unaligned stack accesses can lead to corruption
of spilled registers, which is exploitable.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1061,6 +1061,11 @@ static int check_ptr_alignment(struct bp
 		break;
 	case PTR_TO_STACK:
 		pointer_desc = "stack ";
+		/* The stack spill tracking logic in check_stack_write()
+		 * and check_stack_read() relies on stack accesses being
+		 * aligned.
+		 */
+		strict = true;
 		break;
 	default:
 		break;


Patches currently in stable-queue which might be from daniel@iogearbox.net are

queue-4.14/bpf-fix-integer-overflows.patch
queue-4.14/bpf-fix-branch-pruning-logic.patch
queue-4.14/bpf-s390x-do-not-reload-skb-pointers-in-non-skb-context.patch
queue-4.14/bpf-sparc-fix-usage-of-wrong-reg-for-load_skb_regs-after-call.patch
queue-4.14/bpf-fix-incorrect-tracking-of-register-size-truncation.patch
queue-4.14/bpf-don-t-prune-branches-when-a-scalar-is-replaced-with-a-pointer.patch
queue-4.14/bpf-verifier-fix-bounds-calculation-on-bpf_rsh.patch
queue-4.14/selftests-bpf-add-tests-for-recent-bugfixes.patch
queue-4.14/bpf-fix-corruption-on-concurrent-perf_event_output-calls.patch
queue-4.14/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
queue-4.14/bpf-ppc64-do-not-reload-skb-pointers-in-non-skb-context.patch
queue-4.14/bpf-fix-missing-error-return-in-check_stack_boundary.patch
queue-4.14/bpf-force-strict-alignment-checks-for-stack-pointers.patch
queue-4.14/bpf-fix-32-bit-alu-op-verification.patch
queue-4.14/bpf-fix-build-issues-on-um-due-to-mising-bpf_perf_event.h.patch