stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: "Greg Kroah-Hartman" <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, "Maciej Żenczykowski" <maze@google.com>,
	"John Stultz" <john.stultz@linaro.org>,
	"Alexander Potapenko" <glider@google.com>,
	"Alistair Delva" <adelva@google.com>,
	"Daniel Borkmann" <daniel@iogearbox.net>,
	"Yonghong Song" <yhs@fb.com>
Subject: [PATCH 5.5 12/30] bpf: Explicitly memset the bpf_attr structure
Date: Wed,  1 Apr 2020 18:17:16 +0200
Message-ID: <20200401161425.424426025@linuxfoundation.org>
In-Reply-To: <20200401161414.345528747@linuxfoundation.org>

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 8096f229421f7b22433775e928d506f0342e5907 upstream.

For the bpf syscall, we are relying on the compiler to properly zero out
the bpf_attr union that we copy userspace data into. Unfortunately that
doesn't always work properly, padding and other oddities might not be
correctly zeroed, and in some tests odd things have been found when the
stack is pre-initialized to other values.

Fix this by explicitly memsetting the structure to 0 before using it.

Reported-by: Maciej Żenczykowski <maze@google.com>
Reported-by: John Stultz <john.stultz@linaro.org>
Reported-by: Alexander Potapenko <glider@google.com>
Reported-by: Alistair Delva <adelva@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://android-review.googlesource.com/c/kernel/common/+/1235490
Link: https://lore.kernel.org/bpf/20200320094813.GA421650@kroah.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 kernel/bpf/syscall.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -2988,7 +2988,7 @@ out:
 
 SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
 {
-	union bpf_attr attr = {};
+	union bpf_attr attr;
 	int err;
 
 	if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
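Review bot: With the `= {}` initializer dropped at the declaration, `attr` holds uninitialised stack contents from this point until the memset() added in the following hunk, and not all of the code in between is visible in this diff. The one statement shown in that window, the `sysctl_unprivileged_bpf_disabled` check, does not touch `attr`, but nothing at the declaration tells a later contributor that zeroing is deferred. Consider a one-line comment at `union bpf_attr attr;` stating that the structure is cleared by the memset() just before copy_from_user(), or place the memset() directly after the declarations so there is no window in which `attr` is undefined.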
@@ -3000,6 +3000,7 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf
 	size = min_t(u32, size, sizeof(attr));
 
 	/* copy attributes from user space, may be less than sizeof(bpf_attr) */
+	memset(&attr, 0, sizeof(attr));
 	if (copy_from_user(&attr, uattr, size) != 0)
 		return -EFAULT;
 
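Review bot: The memset() is inserted below the existing comment "copy attributes from user space, may be less than sizeof(bpf_attr)", so that comment now sits on top of the zeroing rather than the copy, and nothing in the code records why a memset() is used instead of the `= {}` initializer it replaces. The commit message has the reason (padding in the union is not reliably zeroed by the compiler), but that reasoning is easy to lose and the line is a likely target for a later "cleanup" back to an initializer. Suggest moving the memset() above the comment and giving it its own short comment saying it is deliberate and clears padding as well as members. The length choice itself is right: clearing the full `sizeof(attr)` rather than `size` is what keeps the tail zero when userspace passes a shorter structure.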


