From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jann Horn, Alexei Starovoitov
Subject: [PATCH 5.6 059/106] bpf: Fix handling of XADD on BTF memory
Date: Fri, 1 May 2020 15:23:32 +0200
Message-Id: <20200501131550.708315300@linuxfoundation.org>
In-Reply-To: <20200501131543.421333643@linuxfoundation.org>
References: <20200501131543.421333643@linuxfoundation.org>
X-Mailer: git-send-email 2.26.2
User-Agent: quilt/0.66
X-Mailing-List: stable@vger.kernel.org

From: Jann Horn

commit 8ff3571f7e1bf3f293cc5e3dc14f2943f4fa7fcf upstream.

check_xadd() can cause check_ptr_to_btf_access() to be executed with
atype==BPF_READ and value_regno==-1 (meaning "just check whether the access
is okay, don't tell me what type it will result in"). Handle that case
properly and skip writing type information, instead of indexing into the
registers at index -1 and writing into out-of-bounds memory.

Note that at least at the moment, you can't actually write through a BTF
pointer, so check_xadd() will reject the program after calling
check_ptr_to_btf_access with atype==BPF_WRITE; but that's after the verifier
has already corrupted memory.

This patch assumes that BTF pointers are not available in unprivileged
programs.

Fixes: 9e15db66136a ("bpf: Implement accurate raw_tp context access via BTF")
Signed-off-by: Jann Horn
Signed-off-by: Alexei Starovoitov
Link: https://lore.kernel.org/bpf/20200417000007.10734-2-jannh@google.com
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2885,7 +2885,7 @@ static int check_ptr_to_btf_access(struc if (ret < 0) return ret; - if (atype == BPF_READ) { + if (atype == BPF_READ && value_regno >= 0) { if (ret == SCALAR_VALUE) { mark_reg_unknown(env, regs, value_regno); return 0;
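Review bot: the new `value_regno >= 0` guard makes a probe-only call (value_regno == -1) skip the entire BPF_READ block, but nothing at the call site of `mark_reg_unknown(env, regs, value_regno)` two lines below tells a reader that -1 is a legitimate sentinel rather than a stray index; add a one-line comment above the condition, e.g. `/* value_regno < 0: caller only checks the access, no register to update */`, so the next person touching this function does not drop the guard as redundant, and so it is clear the check depends on value_regno being a signed int.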
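To make the failure mode in the commit message concrete, the following is an added example, not code from the patch or from the kernel: a constructed C model of the call pattern check_xadd() uses against check_ptr_to_btf_access(). The register array is placed one slot into a larger buffer so that `regs[-1]` is a well-defined, observable guard slot rather than the real verifier's out-of-bounds write; the vulnerable and fixed variants differ only by the `value_regno >= 0` guard. All names here (`verifier_env`, `btf_access_vuln`, `btf_access_fixed`, `xadd_probe`, `GUARD_MAGIC`, the stand-in `resolved_type` parameter) are assumptions of this model, not kernel identifiers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed, simplified model of the verifier's register file and of the
 * check_ptr_to_btf_access()/check_xadd() interaction described in the commit
 * message. None of these definitions are the kernel's own. */
enum reg_type { NOT_INIT = 0, SCALAR_VALUE, PTR_TO_BTF_ID };
enum access_type { BPF_READ, BPF_WRITE };

#define MAX_BPF_REG 11
#define GUARD_MAGIC 0x5a5a5a5au

struct reg_state {
	enum reg_type type;
	unsigned int btf_id;
};

struct verifier_env {
	/* storage[0] is a guard slot directly below regs[0]; in the real
	 * verifier regs[-1] is whatever memory happens to precede the array. */
	struct reg_state storage[MAX_BPF_REG + 1];
	struct reg_state *regs;
};

static void env_init(struct verifier_env *env)
{
	memset(env, 0, sizeof(*env));
	env->regs = &env->storage[1];
	env->storage[0].btf_id = GUARD_MAGIC;
}

static bool guard_intact(const struct verifier_env *env)
{
	return env->storage[0].type == NOT_INIT &&
	       env->storage[0].btf_id == GUARD_MAGIC;
}

/* Before the fix. 'resolved_type' stands in for the BTF lookup result
 * (SCALAR_VALUE or PTR_TO_BTF_ID); a negative value is an error code.
 * Any BPF_READ writes type info into regs[value_regno], even when the
 * caller passed -1 to mean "only check the access". */
static int btf_access_vuln(struct verifier_env *env, enum access_type atype,
			   int value_regno, int resolved_type,
			   unsigned int resolved_btf_id)
{
	struct reg_state *regs = env->regs;

	if (resolved_type < 0)
		return resolved_type;
	if (atype == BPF_READ) {
		if (resolved_type == SCALAR_VALUE) {
			regs[value_regno].type = SCALAR_VALUE;   /* hits regs[-1] */
			regs[value_regno].btf_id = 0;
			return 0;
		}
		regs[value_regno].type = PTR_TO_BTF_ID;
		regs[value_regno].btf_id = resolved_btf_id;
	}
	return 0;
}

/* After the fix: a probe-only call (value_regno < 0) records nothing. */
static int btf_access_fixed(struct verifier_env *env, enum access_type atype,
			    int value_regno, int resolved_type,
			    unsigned int resolved_btf_id)
{
	struct reg_state *regs = env->regs;

	if (resolved_type < 0)
		return resolved_type;
	if (atype == BPF_READ && value_regno >= 0) {
		if (resolved_type == SCALAR_VALUE) {
			regs[value_regno].type = SCALAR_VALUE;
			regs[value_regno].btf_id = 0;
			return 0;
		}
		regs[value_regno].type = PTR_TO_BTF_ID;
		regs[value_regno].btf_id = resolved_btf_id;
	}
	return 0;
}

typedef int (*btf_access_fn)(struct verifier_env *, enum access_type, int,
			     int, unsigned int);

/* Models check_xadd(): probe the location as a read, then as a write, with
 * no destination register (value_regno == -1). */
static int xadd_probe(struct verifier_env *env, btf_access_fn access)
{
	int err = access(env, BPF_READ, -1, SCALAR_VALUE, 0);

	if (err)
		return err;
	return access(env, BPF_WRITE, -1, SCALAR_VALUE, 0);
}

/* Returns 1 if the guard slot below regs[0] survived an XADD probe. */
static int xadd_probe_keeps_guard(int use_fix)
{
	struct verifier_env env;

	env_init(&env);
	xadd_probe(&env, use_fix ? btf_access_fixed : btf_access_vuln);
	return guard_intact(&env);
}

/* Returns the type recorded in regs[dst] after an ordinary read into dst,
 * to show the fix does not disturb the normal path. */
static int read_into_register(int use_fix, int dst)
{
	struct verifier_env env;
	btf_access_fn access = use_fix ? btf_access_fixed : btf_access_vuln;

	env_init(&env);
	access(&env, BPF_READ, dst, PTR_TO_BTF_ID, 42);
	return env.regs[dst].type;
}

int main(void)
{
	printf("xadd probe, before fix: guard %s\n",
	       xadd_probe_keeps_guard(0) ? "intact" : "CORRUPTED");
	printf("xadd probe, after fix:  guard %s\n",
	       xadd_probe_keeps_guard(1) ? "intact" : "CORRUPTED");
	printf("read into r3 after fix: type=%d (PTR_TO_BTF_ID=%d)\n",
	       read_into_register(1, 3), PTR_TO_BTF_ID);
	return 0;
}
```

The guard slot is the model's way of making the corruption visible; in the real verifier the -1 index lands in whatever precedes the register array in kernel memory, which is why the commit message treats it as memory corruption even though the program is rejected afterwards.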