From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail.linuxfoundation.org ([140.211.169.12]:50850 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752666AbdLVP6P (ORCPT ); Fri, 22 Dec 2017 10:58:15 -0500 Subject: Patch "bpf: fix incorrect sign extension in check_alu_op()" has been added to the 4.9-stable tree To: daniel@iogearbox.net, ast@kernel.org, ecree@solarflare.com, gregkh@linuxfoundation.org, jannh@google.com Cc: , From: Date: Fri, 22 Dec 2017 16:58:03 +0100 In-Reply-To: <20171222152905.3455-5-daniel@iogearbox.net> Message-ID: <1513958283238197@kroah.com> MIME-Version: 1.0 Content-Type: text/plain; charset=ANSI_X3.4-1968 Content-Transfer-Encoding: 8bit Sender: stable-owner@vger.kernel.org List-ID: This is a note to let you know that I've just added the patch titled bpf: fix incorrect sign extension in check_alu_op() to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bpf-fix-incorrect-sign-extension-in-check_alu_op.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let know about it. >>From foo@baz Fri Dec 22 16:57:35 CET 2017 From: Daniel Borkmann Date: Fri, 22 Dec 2017 16:29:05 +0100 Subject: bpf: fix incorrect sign extension in check_alu_op() To: gregkh@linuxfoundation.org Cc: ast@kernel.org, daniel@iogearbox.net, jannh@google.com, stable@vger.kernel.org Message-ID: <20171222152905.3455-5-daniel@iogearbox.net> From: Daniel Borkmann From: Jann Horn [ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ] Distinguish between BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit) and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit); only perform sign extension in the first case. Starting with v4.14, this is exploitable by unprivileged users as long as the unprivileged_bpf_disabled sysctl isn't set. Debian assigned CVE-2017-16995 for this issue. v3: - add CVE number (Ben Hutchings) Fixes: 484611357c19 ("bpf: allow access into map value arrays") Signed-off-by: Jann Horn Acked-by: Edward Cree Signed-off-by: Alexei Starovoitov Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/verifier.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1790,10 +1790,17 @@ static int check_alu_op(struct bpf_verif /* case: R = imm * remember the value we stored into this reg */ + u64 imm; + + if (BPF_CLASS(insn->code) == BPF_ALU64) + imm = insn->imm; + else + imm = (u32)insn->imm; + regs[insn->dst_reg].type = CONST_IMM; - regs[insn->dst_reg].imm = insn->imm; - regs[insn->dst_reg].max_value = insn->imm; - regs[insn->dst_reg].min_value = insn->imm; + regs[insn->dst_reg].imm = imm; + regs[insn->dst_reg].max_value = imm; + regs[insn->dst_reg].min_value = imm; } } else if (opcode > BPF_END) { Patches currently in stable-queue which might be from daniel@iogearbox.net are queue-4.9/bpf-fix-branch-pruning-logic.patch queue-4.9/bpf-adjust-insn_aux_data-when-patching-insns.patch queue-4.9/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch queue-4.9/bpf-reject-out-of-bounds-stack-pointer-calculation.patch