BPF Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 5.4 0/8] BPF backports for CVE-2021-29155
@ 2021-04-29 22:08 Frank van der Linden
  2021-04-29 22:08 ` [PATCH 5.4 1/8] bpf: Move off_reg into sanitize_ptr_alu Frank van der Linden
                   ` (8 more replies)
  0 siblings, 9 replies; 14+ messages in thread
From: Frank van der Linden @ 2021-04-29 22:08 UTC (permalink / raw)
  To: stable; +Cc: bpf

This is a backport of the BPF verifier fixes for CVE-2021-29155. Original
series was part of the pull request here: https://lore.kernel.org/bpf/20210416223700.15611-1-daniel@iogearbox.net/T/

This wasn't a complicated backport, but copying bpf@ to see if
there are any concerns.

5.4 verifier selftests are clean with this backport:
	Summary: 1566 PASSED, 0 SKIPPED, 0 FAILED

The individual commits:

960114839252 ("bpf: Use correct permission flag for mixed signed bounds arithmetic")
	* Not applicable to 5.4, as 5.4 does not have
	  2c78ee898d8f ("bpf: Implement CAP_BPF").

6f55b2f2a117 ("bpf: Move off_reg into sanitize_ptr_alu")
	* Clean cherry-pick.

24c109bb1537 ("bpf: Ensure off_reg has no mixed signed bounds for all types")
	* Conflict: allow_ptr_leaks was replaced by bypass_spec_v1 in the
	  deleted PTR_TO_MAP_VALUE switch case by
	  2c78ee898d8f ("bpf: Implement CAP_BPF"). Resolution is easy,
	  the case statement gets deleted either way.

b658bbb844e2 ("bpf: Rework ptr_limit into alu_limit and add common error path")
	* Clean cherry-pick.

a6aaece00a57 ("bpf: Improve verifier error messages for users")
	* Resolved simple contextual conflict in adjust_scalar_min_max_vals().
	  because of a var declaration that was added by this post-5.4 commit:
	  3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking").

073815b756c5 ("bpf: Refactor and streamline bounds check into helper")
	* Conflict: another allow_ptr_leaks that was replaced with
	  bypass_spec_v1 after 2c78ee898d8f.
	* Conflict: Post-5.4 commit
	  01f810ace9ed ("bpf: Allow variable-offset stack access")
	  changed the call to check_stack_access to a new function,
	  check_stack_access_for_ptr_arithmetic(), and moved/changed an
	  error message.
	* Since this commit just factors out some code from
	  adjust_ptr_min_max_vals() in to a new function, do the same
  	  with the corresponding block in 5.4 that doesn't have the
	  changes listed above from post-5.4 commits.
	
f528819334 ("bpf: Move sanitize_val_alu out of op switch")
	* Contextual conflict from post-5.4 commit
	  3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking"),
	  that added a comment on top of the switch referenced in the commit
	  message.

7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
	* Contextual conflict post-5.4 commit:
	  3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")
	  added a call to a new function just above the switch statement in
	  adjust_ptr_min_max_vals. This doesn't affect the lines that were
	  actually changed.

d7a509135175 ("bpf: Update selftests to reflect new error states")
	* The bounds.c tests have undergone several changes since 5.4, related
	  to commits that were not backported (like e.g. the ALU32 changes).
	  The error messages for those tests will remain the same on 5.4.

=====

Daniel Borkmann (8):
  bpf: Move off_reg into sanitize_ptr_alu
  bpf: Ensure off_reg has no mixed signed bounds for all types
  bpf: Rework ptr_limit into alu_limit and add common error path
  bpf: Improve verifier error messages for users
  bpf: Refactor and streamline bounds check into helper
  bpf: Move sanitize_val_alu out of op switch
  bpf: Tighten speculative pointer arithmetic mask
  bpf: Update selftests to reflect new error states

 kernel/bpf/verifier.c                         | 233 ++++++++++++------
 .../selftests/bpf/verifier/bounds_deduction.c |  21 +-
 .../bpf/verifier/bounds_mix_sign_unsign.c     |  13 -
 tools/testing/selftests/bpf/verifier/unpriv.c |   2 +-
 .../selftests/bpf/verifier/value_ptr_arith.c  |   6 +-
 5 files changed, 173 insertions(+), 102 deletions(-)

-- 
2.23.3


^ permalink raw reply	[flat|nested] 14+ messages in thread
[parent not found: <20210430141911.137473863@linuxfoundation.org>]

end of thread, back to index

Thread overview: 14+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-04-29 22:08 [PATCH 5.4 0/8] BPF backports for CVE-2021-29155 Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 1/8] bpf: Move off_reg into sanitize_ptr_alu Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 2/8] bpf: Ensure off_reg has no mixed signed bounds for all types Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 3/8] bpf: Rework ptr_limit into alu_limit and add common error path Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 4/8] bpf: Improve verifier error messages for users Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 5/8] bpf: Refactor and streamline bounds check into helper Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 6/8] bpf: Move sanitize_val_alu out of op switch Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 7/8] bpf: Tighten speculative pointer arithmetic mask Frank van der Linden
2021-04-29 22:08 ` [PATCH 5.4 8/8] bpf: Update selftests to reflect new error states Frank van der Linden
2021-04-30 13:38 ` [PATCH 5.4 0/8] BPF backports for CVE-2021-29155 Greg KH
2021-04-30 16:38   ` van der Linden, Frank
2021-05-01  6:05     ` Greg KH
2021-05-01 17:54       ` van der Linden, Frank
     [not found] <20210430141911.137473863@linuxfoundation.org>
2021-04-30 14:20 ` [PATCH 5.4 8/8] bpf: Update selftests to reflect new error states Greg Kroah-Hartman

BPF Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/bpf/0 bpf/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 bpf bpf/ https://lore.kernel.org/bpf \
		bpf@vger.kernel.org
	public-inbox-index bpf

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.bpf


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git