From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 5FF8B5025E; Tue, 23 Jan 2024 01:52:05 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=10.30.226.201 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705974725; cv=none; b=sVgS6m1pOEqIKjjUgBcsXcES6Ov/b/rFyuCIr0xVuVU/nRWLGPDqJU2k9ZEYvD4pV4sMcGE9TPoViLir8dLmk0+kdrsRxR/A0acKrNu/Yud5qaGb0TYdAzVTsevbRawgqzK7UQ46GIc/y7442mAe5icqbzTy8DcQxTnL3Dta0OM= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1705974725; c=relaxed/simple; bh=ZIy0pMlgHXIvb8l9XZQ09wbLOAVdt7qMqpt4EJj2nfM=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=f7svek0+lOGwv5gOVWIdvR7uJQa/s0CbX0K2kNe9UVqgYPpNCDJcF0QpNvx4uPU8WHCBiq6VlPbgnzeNDzyAeLyWrEeP+qtzuZg+Xu25VAVx4aADojmvCDQNpnoXKYNGGgOaLFUhS2vFtu8GxTxyhY8NFDvNUB7f4KFHeac3Lsc= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b=eyaAZTYF; arc=none smtp.client-ip=10.30.226.201 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=linuxfoundation.org header.i=@linuxfoundation.org header.b="eyaAZTYF" Received: by smtp.kernel.org (Postfix) with ESMTPSA id 23ADEC433F1; Tue, 23 Jan 2024 01:52:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1705974725; bh=ZIy0pMlgHXIvb8l9XZQ09wbLOAVdt7qMqpt4EJj2nfM=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=eyaAZTYFYGnoc92o0WtAzeTcGPVMsTXZhlxLviZQY/liU7o3X84d/deVoBoARIefp IYN73KZ6PkivIYw95zFKOFc1n8MVBCHJJrqSxvcy3eRtbWWrYKpd9L1SKCKc2WcTL6 PM3Fsn2f54+ClOvvs0KC3yW2GrigORgd2jEE0MWc= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Andrii Nakryiko , Andrei Matei , Andrii Nakryiko , Sasha Levin Subject: [PATCH 6.6 144/583] bpf: Guard stack limits against 32bit overflow Date: Mon, 22 Jan 2024 15:53:15 -0800 Message-ID: <20240122235816.507741648@linuxfoundation.org> X-Mailer: git-send-email 2.43.0 In-Reply-To: <20240122235812.238724226@linuxfoundation.org> References: <20240122235812.238724226@linuxfoundation.org> User-Agent: quilt/0.67 X-stable: review X-Patchwork-Hint: ignore Precedence: bulk X-Mailing-List: stable@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: 8bit 6.6-stable review patch. If anyone has any objections, please let me know. ------------------ From: Andrei Matei [ Upstream commit 1d38a9ee81570c4bd61f557832dead4d6f816760 ] This patch promotes the arithmetic around checking stack bounds to be done in the 64-bit domain, instead of the current 32bit. The arithmetic implies adding together a 64-bit register with a int offset. The register was checked to be below 1<<29 when it was variable, but not when it was fixed. The offset either comes from an instruction (in which case it is 16 bit), from another register (in which case the caller checked it to be below 1<<29 [1]), or from the size of an argument to a kfunc (in which case it can be a u32 [2]). Between the register being inconsistently checked to be below 1<<29, and the offset being up to an u32, it appears that we were open to overflowing the `int`s which were currently used for arithmetic. [1] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L7494-L7498 [2] https://github.com/torvalds/linux/blob/815fb87b753055df2d9e50f6cd80eb10235fe3e9/kernel/bpf/verifier.c#L11904 Reported-by: Andrii Nakryiko Signed-off-by: Andrei Matei Signed-off-by: Andrii Nakryiko Acked-by: Andrii Nakryiko Link: https://lore.kernel.org/bpf/20231207041150.229139-4-andreimatei1@gmail.com Stable-dep-of: 6b4a64bafd10 ("bpf: Fix accesses to uninit stack slots") Signed-off-by: Sasha Levin --- kernel/bpf/verifier.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 76834ecc59a9..47599505cdf8 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -6371,7 +6371,7 @@ static int check_ptr_to_map_access(struct bpf_verifier_env *env, * The minimum valid offset is -MAX_BPF_STACK for writes, and * -state->allocated_stack for reads. */ -static int check_stack_slot_within_bounds(int off, +static int check_stack_slot_within_bounds(s64 off, struct bpf_func_state *state, enum bpf_access_type t) { @@ -6400,7 +6400,7 @@ static int check_stack_access_within_bounds( struct bpf_reg_state *regs = cur_regs(env); struct bpf_reg_state *reg = regs + regno; struct bpf_func_state *state = func(env, reg); - int min_off, max_off; + s64 min_off, max_off; int err; char *err_extra; @@ -6413,7 +6413,7 @@ static int check_stack_access_within_bounds( err_extra = " write to"; if (tnum_is_const(reg->var_off)) { - min_off = reg->var_off.value + off; + min_off = (s64)reg->var_off.value + off; max_off = min_off + access_size; } else { if (reg->smax_value >= BPF_MAX_VAR_OFF || -- 2.43.0