From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
Piotr Krysiuk <piotras@gmail.com>,
Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>
Subject: [PATCH 4.14 42/47] bpf: Fix mask direction swap upon off reg sign change
Date: Tue, 8 Jun 2021 20:27:25 +0200 [thread overview]
Message-ID: <20210608175931.863713046@linuxfoundation.org> (raw)
In-Reply-To: <20210608175930.477274100@linuxfoundation.org>
From: Daniel Borkmann <daniel@iogearbox.net>
commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream.
Masking direction as indicated via mask_to_left is considered to be
calculated once and then used to derive pointer limits. Thus, this
needs to be placed into bpf_sanitize_info instead so we can pass it
to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
corner case where the off reg causes masking direction change which
then results in an incorrect final aux->alu_limit.
Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
Reported-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/verifier.c | 22 ++++++++++++----------
1 file changed, 12 insertions(+), 10 deletions(-)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2033,18 +2033,10 @@ enum {
};
static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
- const struct bpf_reg_state *off_reg,
- u32 *alu_limit, u8 opcode)
+ u32 *alu_limit, bool mask_to_left)
{
- bool off_is_neg = off_reg->smin_value < 0;
- bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
- (opcode == BPF_SUB && !off_is_neg);
u32 max = 0, ptr_limit = 0;
- if (!tnum_is_const(off_reg->var_off) &&
- (off_reg->smin_value < 0) != (off_reg->smax_value < 0))
- return REASON_BOUNDS;
-
switch (ptr_reg->type) {
case PTR_TO_STACK:
/* Offset 0 is out-of-bounds, but acceptable start for the
@@ -2112,6 +2104,7 @@ static bool sanitize_needed(u8 opcode)
struct bpf_sanitize_info {
struct bpf_insn_aux_data aux;
+ bool mask_to_left;
};
static int sanitize_ptr_alu(struct bpf_verifier_env *env,
@@ -2143,7 +2136,16 @@ static int sanitize_ptr_alu(struct bpf_v
if (vstate->speculative)
goto do_sim;
- err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode);
+ if (!commit_window) {
+ if (!tnum_is_const(off_reg->var_off) &&
+ (off_reg->smin_value < 0) != (off_reg->smax_value < 0))
+ return REASON_BOUNDS;
+
+ info->mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
+ (opcode == BPF_SUB && !off_is_neg);
+ }
+
+ err = retrieve_ptr_limit(ptr_reg, &alu_limit, info->mask_to_left);
if (err < 0)
return err;
next prev parent reply other threads:[~2021-06-08 18:35 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-06-08 18:26 [PATCH 4.14 00/47] 4.14.236-rc1 review Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 01/47] net: usb: cdc_ncm: dont spew notifications Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 02/47] efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 03/47] efi: cper: fix snprintf() use in cper_dimm_err_location() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 04/47] vfio/pci: Fix error return code in vfio_ecap_init() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 05/47] vfio/pci: zap_vma_ptes() needs MMU Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 06/47] vfio/platform: fix module_put call in error flow Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 07/47] ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 08/47] HID: pidff: fix error return code in hid_pidff_init() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 09/47] HID: i2c-hid: fix format string mismatch Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 10/47] netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 11/47] ieee802154: fix error return code in ieee802154_add_iface() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 12/47] ieee802154: fix error return code in ieee802154_llsec_getparams() Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 13/47] Bluetooth: fix the erroneous flush_work() order Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 14/47] Bluetooth: use correct lock to prevent UAF of hdev object Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 15/47] net: caif: added cfserl_release function Greg Kroah-Hartman
2021-06-08 18:26 ` [PATCH 4.14 16/47] net: caif: add proper error handling Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 17/47] net: caif: fix memory leak in caif_device_notify Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 18/47] net: caif: fix memory leak in cfusbl_device_notify Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 19/47] ALSA: timer: Fix master timer notification Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 20/47] ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 21/47] pid: take a reference when initializing `cad_pid` Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 22/47] ocfs2: fix data corruption by fallocate Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 23/47] nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 24/47] btrfs: fix error handling in btrfs_del_csums Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 25/47] btrfs: fixup error handling in fixup_inode_link_counts Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 26/47] mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 27/47] bpf, selftests: Fix up some test_verifier cases for unprivileged Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 28/47] bpf: Move off_reg into sanitize_ptr_alu Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 29/47] bpf: Ensure off_reg has no mixed signed bounds for all types Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 30/47] bpf: Rework ptr_limit into alu_limit and add common error path Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 31/47] bpf: Improve verifier error messages for users Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 32/47] bpf: Refactor and streamline bounds check into helper Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 33/47] bpf: Move sanitize_val_alu out of op switch Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 34/47] bpf: Tighten speculative pointer arithmetic mask Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 35/47] bpf: Update selftests to reflect new error states Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 36/47] bpf: do not allow root to mangle valid pointers Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 37/47] bpf/verifier: disallow pointer subtraction Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 38/47] selftests/bpf: fix test_align Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 39/47] selftests/bpf: make dubious pointer arithmetic test useful Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 40/47] bpf: Fix leakage of uninitialized bpf stack under speculation Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 41/47] bpf: Wrap aux data inside bpf_sanitize_info container Greg Kroah-Hartman
2021-06-08 18:27 ` Greg Kroah-Hartman [this message]
2021-06-08 18:27 ` [PATCH 4.14 43/47] bpf: No need to simulate speculative domain for immediates Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 44/47] bnxt_en: Remove the setting of dev_port Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 45/47] KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 46/47] sched/fair: Optimize select_idle_cpu Greg Kroah-Hartman
2021-06-08 18:27 ` [PATCH 4.14 47/47] xen-pciback: redo VF placement in the virtual topology Greg Kroah-Hartman
2021-06-09 9:33 ` [PATCH 4.14 00/47] 4.14.236-rc1 review Jon Hunter
2021-06-09 11:25 ` Naresh Kamboju
2021-06-09 18:48 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210608175931.863713046@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=piotras@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).