From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:50834 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752666AbdLVP6M (ORCPT ); Fri, 22 Dec 2017 10:58:12 -0500 Subject: Patch "bpf: reject out-of-bounds stack pointer calculation" has been added to the 4.9-stable tree To: daniel@iogearbox.net, gregkh@linuxfoundation.org, jannh@google.com Cc: , From: Date: Fri, 22 Dec 2017 16:58:03 +0100 In-Reply-To: <20171222152905.3455-4-daniel@iogearbox.net> Message-ID: <1513958283180161@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled bpf: reject out-of-bounds stack pointer calculation to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bpf-reject-out-of-bounds-stack-pointer-calculation.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Fri Dec 22 16:57:35 CET 2017 From: Daniel Borkmann Date: Fri, 22 Dec 2017 16:29:04 +0100 Subject: bpf: reject out-of-bounds stack pointer calculation To: gregkh@linuxfoundation.org Cc: ast@kernel.org, daniel@iogearbox.net, jannh@google.com, stable@vger.kernel.org Message-ID: <20171222152905.3455-4-daniel@iogearbox.net> From: Daniel Borkmann From: Jann Horn Reject programs that compute wildly out-of-bounds stack pointers. Otherwise, pointers can be computed with an offset that doesn't fit into an `int`, causing security issues in the stack memory access check (as well as signed integer overflow during offset addition). This is a fix specifically for the v4.9 stable tree because the mainline code looks very different at this point. Fixes: 7bca0a9702edf ("bpf: enhance verifier to understand stack pointer arithmetic") Signed-off-by: Jann Horn Acked-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/verifier.c | 22 ++++++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1861,10 +1861,28 @@ static int check_alu_op(struct bpf_verif ((BPF_SRC(insn->code) == BPF_X && regs[insn->src_reg].type == CONST_IMM) || BPF_SRC(insn->code) == BPF_K)) { - if (BPF_SRC(insn->code) == BPF_X) + if (BPF_SRC(insn->code) == BPF_X) { + /* check in case the register contains a big + * 64-bit value + */ + if (regs[insn->src_reg].imm < -MAX_BPF_STACK || + regs[insn->src_reg].imm > MAX_BPF_STACK) { + verbose("R%d value too big in R%d pointer arithmetic\n", + insn->src_reg, insn->dst_reg); + return -EACCES; + } dst_reg->imm += regs[insn->src_reg].imm; - else + } else { + /* safe against overflow: addition of 32-bit + * numbers in 64-bit representation + */ dst_reg->imm += insn->imm; + } + if (dst_reg->imm > 0 || dst_reg->imm < -MAX_BPF_STACK) { + verbose("R%d out-of-bounds pointer arithmetic\n", + insn->dst_reg); + return -EACCES; + } return 0; } else if (opcode == BPF_ADD && BPF_CLASS(insn->code) == BPF_ALU64 && Patches currently in stable-queue which might be from daniel@iogearbox.net are queue-4.9/bpf-fix-branch-pruning-logic.patch queue-4.9/bpf-adjust-insn_aux_data-when-patching-insns.patch queue-4.9/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch queue-4.9/bpf-reject-out-of-bounds-stack-pointer-calculation.patch