From: Thadeu Lima de Souza Cascardo
To: stable@vger.kernel.org
Cc: bpf@vger.kernel.org, Daniel Borkmann, Alexei Starovoitov, John Fastabend, Pavel Machek, Thadeu Lima de Souza Cascardo
Subject: [PATCH 4.14 0/4] BPF fixes for CVE-2021-3444 and CVE-2021-3600
Date: Mon, 30 Aug 2021 15:32:07 -0300
Message-Id: <20210830183211.339054-1-cascardo@canonical.com>
X-Mailer: git-send-email 2.30.2
X-Mailing-List: bpf@vger.kernel.org

The upstream changes necessary to fix these CVEs rely on the presence of
JMP32, which is not a small backport and brings its own potential set of
necessary follow-ups.

Daniel Borkmann, John Fastabend and Alexei Starovoitov came up with a fix
involving the use of the AX register.

This has been tested against the test_verifier in 4.14.y tree and some
tests specific to the two referred CVEs. The test_bpf module was also
tested.

Daniel Borkmann (4):
  bpf: Do not use ax register in interpreter on div/mod
  bpf: fix subprog verifier bypass by div/mod by 0 exception
  bpf: Fix 32 bit src register truncation on div/mod
  bpf: Fix truncation handling for mod32 dst reg wrt zero

 include/linux/filter.h | 24 ++++++++++++++++++++++++
 kernel/bpf/core.c      | 40 +++++++++++++++-------------------------
 kernel/bpf/verifier.c  | 39 +++++++++++++++++++++++++++++++--------
 net/core/filter.c      |  9 ++++++++-
 4 files changed, 78 insertions(+), 34 deletions(-)

-- 
2.30.2