BPF Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH 4.14 0/2] fix BPF backports
@ 2021-05-01 18:05 Frank van der Linden
  2021-05-01 18:05 ` [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Frank van der Linden @ 2021-05-01 18:05 UTC (permalink / raw)
  To: stable; +Cc: bpf, samjonas

These are the first two patches in https://lore.kernel.org/stable/20210501043014.33300-1-fllinden@amazon.com/

I will re-send the rest of that series as soon as the other bpf backports
hit the 4.19 branch.

This fixes errors in earlier bpf 4.14 backports. The verifier fix was
sent in earlier to bpf@ by Sam, and acked. I added the selftests
fix.

Essentially, together with the previous backports that had errors,
this produces correct backports of:

9d7eceede76 ("bpf: restrict unknown scalars of mixed signed bounds for
unprivileged")
80c9b2fae87b ("bpf: add various test cases to selftests")

Commits:

<4.14 only> ("bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged")
	This was sent in by Sam to bpf@ earlier, and acked by Yonghong Song,
	https://lore.kernel.org/bpf/20210419235641.5442-1-samjonas@amazon.com/T/#u

	I am including it so that it is 'formally' submitted it
	to -stable.

<4.14 only> ("bpf: fix up selftests after backports were fixed")
	This is a follow-up to the previous by me, to fix selftests. It's
	from 80c9b2fae87b ("bpf: add various test cases to selftests"), but
	since that one was already partially added to the 4.14 branch
	in 03f11a51a196 ("bpf: Fix selftests are changes for CVE 2019-7308"),
	it's not a "backport" as such. To avoid confusion, I created a
	separate commit for it, referencing the original commit
	in the message. I examined each individual changed test, and
	went through the history to see that the error message was indeed
	as expected.

^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged"
  2021-05-01 18:05 [PATCH 4.14 0/2] fix BPF backports Frank van der Linden
@ 2021-05-01 18:05 ` Frank van der Linden
  2021-05-01 18:05 ` [PATCH 4.14 2/2] bpf: fix up selftests after backports were fixed Frank van der Linden
  2021-05-02 11:07 ` [PATCH 4.14 0/2] fix BPF backports Greg KH
  2 siblings, 0 replies; 4+ messages in thread
From: Frank van der Linden @ 2021-05-01 18:05 UTC (permalink / raw)
  To: stable; +Cc: bpf, samjonas

From: Samuel Mendoza-Jonas <samjonas@amazon.com>

The 4.14 backport of 9d7eceede ("bpf: restrict unknown scalars of mixed
signed bounds for unprivileged") adds the PTR_TO_MAP_VALUE check to the
wrong location in adjust_ptr_min_max_vals(), most likely because 4.14
doesn't include the commit that updates the if-statement to a
switch-statement (aad2eeaf4 "bpf: Simplify ptr_min_max_vals adjustment").

Move the check to the proper location in adjust_ptr_min_max_vals().

Fixes: 17efa65350c5a ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged")
Signed-off-by: Samuel Mendoza-Jonas <samjonas@amazon.com>
Reviewed-by: Frank van der Linden <fllinden@amazon.com>
Reviewed-by: Ethan Chen <yishache@amazon.com>
Acked-by: Yonghong Song <yhs@fb.com>
---
 kernel/bpf/verifier.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0c3a9302be93..9e9b7c076bcb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2204,6 +2204,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
 				dst);
 		return -EACCES;
 	}
+	if (ptr_reg->type == PTR_TO_MAP_VALUE) {
+		if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
+			verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
+				off_reg == dst_reg ? dst : src);
+			return -EACCES;
+		}
+	}
 
 	/* In case of 'scalar += pointer', dst_reg inherits pointer type and id.
 	 * The id may be overwritten later if we create a new variable offset.
@@ -2349,13 +2356,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
 			verbose("R%d bitwise operator %s on pointer prohibited\n",
 				dst, bpf_alu_string[opcode >> 4]);
 		return -EACCES;
-	case PTR_TO_MAP_VALUE:
-		if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
-			verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
-				off_reg == dst_reg ? dst : src);
-			return -EACCES;
-		}
-		/* fall-through */
 	default:
 		/* other operators (e.g. MUL,LSH) produce non-pointer results */
 		if (!env->allow_ptr_leaks)
-- 
2.23.3


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [PATCH 4.14 2/2] bpf: fix up selftests after backports were fixed
  2021-05-01 18:05 [PATCH 4.14 0/2] fix BPF backports Frank van der Linden
  2021-05-01 18:05 ` [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden
@ 2021-05-01 18:05 ` Frank van der Linden
  2021-05-02 11:07 ` [PATCH 4.14 0/2] fix BPF backports Greg KH
  2 siblings, 0 replies; 4+ messages in thread
From: Frank van der Linden @ 2021-05-01 18:05 UTC (permalink / raw)
  To: stable; +Cc: bpf, samjonas

After the backport of the changes to fix CVE 2019-7308, the
selftests also need to be fixed up, as was done originally
in mainline 80c9b2fae87b ("bpf: add various test cases to selftests").

4.14 commit 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308")
did that, but since there was an error in the backport, some
selftests did not change output. So, add them now that this error
has been fixed, and their output has actually changed as expected.

This adds the rest of the changed test outputs from 80c9b2fae87b.

Fixes: 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308")
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
---
 tools/testing/selftests/bpf/test_verifier.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index 9babb3fef8e2..9f7fc30d247d 100644
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -6207,6 +6207,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6231,6 +6232,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6257,6 +6259,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6282,6 +6285,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6330,6 +6334,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6401,6 +6406,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6452,6 +6458,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6479,6 +6486,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6505,6 +6513,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6534,6 +6543,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
@@ -6592,6 +6602,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "unbounded min value",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 		.result_unpriv = REJECT,
 	},
@@ -6644,6 +6655,7 @@ static struct bpf_test tests[] = {
 		},
 		.fixup_map1 = { 3 },
 		.errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
+		.errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
 		.result = REJECT,
 	},
 	{
-- 
2.23.3


^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH 4.14 0/2] fix BPF backports
  2021-05-01 18:05 [PATCH 4.14 0/2] fix BPF backports Frank van der Linden
  2021-05-01 18:05 ` [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden
  2021-05-01 18:05 ` [PATCH 4.14 2/2] bpf: fix up selftests after backports were fixed Frank van der Linden
@ 2021-05-02 11:07 ` Greg KH
  2 siblings, 0 replies; 4+ messages in thread
From: Greg KH @ 2021-05-02 11:07 UTC (permalink / raw)
  To: Frank van der Linden; +Cc: stable, bpf, samjonas

On Sat, May 01, 2021 at 06:05:04PM +0000, Frank van der Linden wrote:
> These are the first two patches in https://lore.kernel.org/stable/20210501043014.33300-1-fllinden@amazon.com/
> 
> I will re-send the rest of that series as soon as the other bpf backports
> hit the 4.19 branch.
> 
> This fixes errors in earlier bpf 4.14 backports. The verifier fix was
> sent in earlier to bpf@ by Sam, and acked. I added the selftests
> fix.

Both of these here now queued up, thanks.

greg k-h

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-05-01 18:05 [PATCH 4.14 0/2] fix BPF backports Frank van der Linden
2021-05-01 18:05 ` [PATCH 4.14 1/2] bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" Frank van der Linden
2021-05-01 18:05 ` [PATCH 4.14 2/2] bpf: fix up selftests after backports were fixed Frank van der Linden
2021-05-02 11:07 ` [PATCH 4.14 0/2] fix BPF backports Greg KH

BPF Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/bpf/0 bpf/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 bpf bpf/ https://lore.kernel.org/bpf \
		bpf@vger.kernel.org
	public-inbox-index bpf

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.bpf


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git