* [PATCH 4.14 0/2] fix BPF backports
@ 2021-05-01 18:05 Frank van der Linden
2021-05-01 18:05 ` [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Frank van der Linden @ 2021-05-01 18:05 UTC (permalink / raw)
To: stable; +Cc: bpf, samjonas
These are the first two patches in https://lore.kernel.org/stable/20210501043014.33300-1-fllinden@amazon.com/
I will re-send the rest of that series as soon as the other bpf backports
hit the 4.19 branch.
This fixes errors in earlier bpf 4.14 backports. The verifier fix was
sent in earlier to bpf@ by Sam, and acked. I added the selftests
fix.
Essentially, together with the previous backports that had errors,
this produces correct backports of:
9d7eceede76 ("bpf: restrict unknown scalars of mixed signed bounds for
unprivileged")
80c9b2fae87b ("bpf: add various test cases to selftests")
Commits:
<4.14 only> ("bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged")
This was sent in by Sam to bpf@ earlier, and acked by Yonghong Song,
https://lore.kernel.org/bpf/20210419235641.5442-1-samjonas@amazon.com/T/#u
I am including it so that it is 'formally' submitted it
to -stable.
<4.14 only> ("bpf: fix up selftests after backports were fixed")
This is a follow-up to the previous by me, to fix selftests. It's
from 80c9b2fae87b ("bpf: add various test cases to selftests"), but
since that one was already partially added to the 4.14 branch
in 03f11a51a196 ("bpf: Fix selftests are changes for CVE 2019-7308"),
it's not a "backport" as such. To avoid confusion, I created a
separate commit for it, referencing the original commit
in the message. I examined each individual changed test, and
went through the history to see that the error message was indeed
as expected.
^ permalink raw reply [flat|nested] 4+ messages in thread* [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" 2021-05-01 18:05 [PATCH 4.14 0/2] fix BPF backports Frank van der Linden @ 2021-05-01 18:05 ` Frank van der Linden 2021-05-01 18:05 ` [PATCH 4.14 2/2] bpf: fix up selftests after backports were fixed Frank van der Linden 2021-05-02 11:07 ` [PATCH 4.14 0/2] fix BPF backports Greg KH 2 siblings, 0 replies; 4+ messages in thread From: Frank van der Linden @ 2021-05-01 18:05 UTC (permalink / raw) To: stable; +Cc: bpf, samjonas From: Samuel Mendoza-Jonas <samjonas@amazon.com> The 4.14 backport of 9d7eceede ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged") adds the PTR_TO_MAP_VALUE check to the wrong location in adjust_ptr_min_max_vals(), most likely because 4.14 doesn't include the commit that updates the if-statement to a switch-statement (aad2eeaf4 "bpf: Simplify ptr_min_max_vals adjustment"). Move the check to the proper location in adjust_ptr_min_max_vals(). Fixes: 17efa65350c5a ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged") Signed-off-by: Samuel Mendoza-Jonas <samjonas@amazon.com> Reviewed-by: Frank van der Linden <fllinden@amazon.com> Reviewed-by: Ethan Chen <yishache@amazon.com> Acked-by: Yonghong Song <yhs@fb.com> --- kernel/bpf/verifier.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 0c3a9302be93..9e9b7c076bcb 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2204,6 +2204,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst); return -EACCES; } + if (ptr_reg->type == PTR_TO_MAP_VALUE) { + if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { + verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", + off_reg == dst_reg ? dst : src); + return -EACCES; + } + } /* In case of 'scalar += pointer', dst_reg inherits pointer type and id. * The id may be overwritten later if we create a new variable offset. @@ -2349,13 +2356,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, verbose("R%d bitwise operator %s on pointer prohibited\n", dst, bpf_alu_string[opcode >> 4]); return -EACCES; - case PTR_TO_MAP_VALUE: - if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { - verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", - off_reg == dst_reg ? dst : src); - return -EACCES; - } - /* fall-through */ default: /* other operators (e.g. MUL,LSH) produce non-pointer results */ if (!env->allow_ptr_leaks) -- 2.23.3 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH 4.14 2/2] bpf: fix up selftests after backports were fixed 2021-05-01 18:05 [PATCH 4.14 0/2] fix BPF backports Frank van der Linden 2021-05-01 18:05 ` [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden @ 2021-05-01 18:05 ` Frank van der Linden 2021-05-02 11:07 ` [PATCH 4.14 0/2] fix BPF backports Greg KH 2 siblings, 0 replies; 4+ messages in thread From: Frank van der Linden @ 2021-05-01 18:05 UTC (permalink / raw) To: stable; +Cc: bpf, samjonas After the backport of the changes to fix CVE 2019-7308, the selftests also need to be fixed up, as was done originally in mainline 80c9b2fae87b ("bpf: add various test cases to selftests"). 4.14 commit 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308") did that, but since there was an error in the backport, some selftests did not change output. So, add them now that this error has been fixed, and their output has actually changed as expected. This adds the rest of the changed test outputs from 80c9b2fae87b. Fixes: 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308") Signed-off-by: Frank van der Linden <fllinden@amazon.com> --- tools/testing/selftests/bpf/test_verifier.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 9babb3fef8e2..9f7fc30d247d 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -6207,6 +6207,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6231,6 +6232,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6257,6 +6259,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6282,6 +6285,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6330,6 +6334,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6401,6 +6406,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6452,6 +6458,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6479,6 +6486,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6505,6 +6513,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6534,6 +6543,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6592,6 +6602,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, .result_unpriv = REJECT, }, @@ -6644,6 +6655,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { -- 2.23.3 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH 4.14 0/2] fix BPF backports 2021-05-01 18:05 [PATCH 4.14 0/2] fix BPF backports Frank van der Linden 2021-05-01 18:05 ` [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden 2021-05-01 18:05 ` [PATCH 4.14 2/2] bpf: fix up selftests after backports were fixed Frank van der Linden @ 2021-05-02 11:07 ` Greg KH 2 siblings, 0 replies; 4+ messages in thread From: Greg KH @ 2021-05-02 11:07 UTC (permalink / raw) To: Frank van der Linden; +Cc: stable, bpf, samjonas On Sat, May 01, 2021 at 06:05:04PM +0000, Frank van der Linden wrote: > These are the first two patches in https://lore.kernel.org/stable/20210501043014.33300-1-fllinden@amazon.com/ > > I will re-send the rest of that series as soon as the other bpf backports > hit the 4.19 branch. > > This fixes errors in earlier bpf 4.14 backports. The verifier fix was > sent in earlier to bpf@ by Sam, and acked. I added the selftests > fix. Both of these here now queued up, thanks. greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2021-05-02 11:07 UTC | newest] Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2021-05-01 18:05 [PATCH 4.14 0/2] fix BPF backports Frank van der Linden 2021-05-01 18:05 ` [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden 2021-05-01 18:05 ` [PATCH 4.14 2/2] bpf: fix up selftests after backports were fixed Frank van der Linden 2021-05-02 11:07 ` [PATCH 4.14 0/2] fix BPF backports Greg KH
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).