From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
Alexei Starovoitov <ast@kernel.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 092/103] bpf: restrict stack pointer arithmetic for unprivileged
Date: Tue, 29 Jan 2019 12:36:09 +0100 [thread overview]
Message-ID: <20190129113207.058598277@linuxfoundation.org> (raw)
In-Reply-To: <20190129113159.567154026@linuxfoundation.org>
4.19-stable review patch. If anyone has any objections, please let me know.
------------------
[ commit e4298d25830a866cc0f427d4bccb858e76715859 upstream ]
Restrict stack pointer arithmetic for unprivileged users in that
arithmetic itself must not go out of bounds as opposed to the actual
access later on. Therefore after each adjust_ptr_min_max_vals() with
a stack pointer as a destination we simulate a check_stack_access()
of 1 byte on the destination and once that fails the program is
rejected for unprivileged program loads. This is analog to map
value pointer arithmetic and needed for masking later on.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 63 ++++++++++++++++++++++++++++---------------
1 file changed, 41 insertions(+), 22 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 110ca915cfb6..aa2944d54e7a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1238,6 +1238,31 @@ static int check_stack_read(struct bpf_verifier_env *env,
}
}
+static int check_stack_access(struct bpf_verifier_env *env,
+ const struct bpf_reg_state *reg,
+ int off, int size)
+{
+ /* Stack accesses must be at a fixed offset, so that we
+ * can determine what type of data were returned. See
+ * check_stack_read().
+ */
+ if (!tnum_is_const(reg->var_off)) {
+ char tn_buf[48];
+
+ tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
+ verbose(env, "variable stack access var_off=%s off=%d size=%d",
+ tn_buf, off, size);
+ return -EACCES;
+ }
+
+ if (off >= 0 || off < -MAX_BPF_STACK) {
+ verbose(env, "invalid stack off=%d size=%d\n", off, size);
+ return -EACCES;
+ }
+
+ return 0;
+}
+
/* check read/write into map element returned by bpf_map_lookup_elem() */
static int __check_map_access(struct bpf_verifier_env *env, u32 regno, int off,
int size, bool zero_size_allowed)
@@ -1736,24 +1761,10 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
}
} else if (reg->type == PTR_TO_STACK) {
- /* stack accesses must be at a fixed offset, so that we can
- * determine what type of data were returned.
- * See check_stack_read().
- */
- if (!tnum_is_const(reg->var_off)) {
- char tn_buf[48];
-
- tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off);
- verbose(env, "variable stack access var_off=%s off=%d size=%d",
- tn_buf, off, size);
- return -EACCES;
- }
off += reg->var_off.value;
- if (off >= 0 || off < -MAX_BPF_STACK) {
- verbose(env, "invalid stack off=%d size=%d\n", off,
- size);
- return -EACCES;
- }
+ err = check_stack_access(env, reg, off, size);
+ if (err)
+ return err;
state = func(env, reg);
err = update_stack_depth(env, state, off);
@@ -2884,11 +2895,19 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
/* For unprivileged we require that resulting offset must be in bounds
* in order to be able to sanitize access later on.
*/
- if (!env->allow_ptr_leaks && dst_reg->type == PTR_TO_MAP_VALUE &&
- check_map_access(env, dst, dst_reg->off, 1, false)) {
- verbose(env, "R%d pointer arithmetic of map value goes out of range, prohibited for !root\n",
- dst);
- return -EACCES;
+ if (!env->allow_ptr_leaks) {
+ if (dst_reg->type == PTR_TO_MAP_VALUE &&
+ check_map_access(env, dst, dst_reg->off, 1, false)) {
+ verbose(env, "R%d pointer arithmetic of map value goes out of range, "
+ "prohibited for !root\n", dst);
+ return -EACCES;
+ } else if (dst_reg->type == PTR_TO_STACK &&
+ check_stack_access(env, dst_reg, dst_reg->off +
+ dst_reg->var_off.value, 1)) {
+ verbose(env, "R%d stack pointer arithmetic goes out of range, "
+ "prohibited for !root\n", dst);
+ return -EACCES;
+ }
}
return 0;
--
2.19.1
next prev parent reply other threads:[~2019-01-29 12:00 UTC|newest]
Thread overview: 122+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-29 11:34 [PATCH 4.19 000/103] 4.19.19-stable review Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 001/103] amd-xgbe: Fix mdio access for non-zero ports and clause 45 PHYs Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 002/103] net: bridge: Fix ethernet header pointer before check skb forwardable Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 003/103] net: Fix usage of pskb_trim_rcsum Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 004/103] net: phy: marvell: Errata for mv88e6390 internal PHYs Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 005/103] net: phy: mdio_bus: add missing device_del() in mdiobus_register() error handling Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 006/103] net: phy: phy driver features are mandatory Greg Kroah-Hartman
2019-01-29 15:50 ` Holger Hoffstätte
2019-01-29 16:05 ` Camelia Alexandra Groza
2019-01-29 16:33 ` Greg Kroah-Hartman
2019-01-29 16:57 ` Holger Hoffstätte
2019-01-29 17:22 ` Greg Kroah-Hartman
2019-01-29 17:03 ` Andrew Lunn
2019-01-29 16:34 ` Holger Hoffstätte
2019-01-29 16:07 ` Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 007/103] net/sched: act_tunnel_key: fix memory leak in case of action replace Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 008/103] net_sched: refetch skb protocol for each filter Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 009/103] openvswitch: Avoid OOB read when parsing flow nlattrs Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 010/103] vhost: log dirty page correctly Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 011/103] mlxsw: pci: Increase PCI SW reset timeout Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 012/103] net: ipv4: Fix memory leak in network namespace dismantle Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 013/103] mlxsw: spectrum_fid: Update dummy FID index Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 014/103] mlxsw: pci: Ring CQs doorbell before RDQs Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 015/103] net/sched: cls_flower: allocate mask dynamically in fl_change() Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 016/103] udp: with udp_segment release on error path Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 017/103] ip6_gre: fix tunnel list corruption for x-netns Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 018/103] erspan: build the header with the right proto according to erspan_ver Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 019/103] net: phy: marvell: Fix deadlock from wrong locking Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 020/103] ip6_gre: update version related info when changing link Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 021/103] tcp: allow MSG_ZEROCOPY transmission also in CLOSE_WAIT state Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 022/103] mei: me: mark LBG devices as having dma support Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 023/103] mei: me: add denverton innovation engine device IDs Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 024/103] USB: leds: fix regression in usbport led trigger Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 025/103] USB: serial: simple: add Motorola Tetra TPG2200 device id Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 026/103] USB: serial: pl2303: add new PID to support PL2303TB Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 027/103] ceph: clear inode pointer when snap realm gets dropped by its inode Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 028/103] ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 029/103] ASoC: rt5514-spi: Fix potential NULL pointer dereference Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 030/103] ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 031/103] clk: socfpga: stratix10: fix rate calculation for pll clocks Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 032/103] clk: socfpga: stratix10: fix naming convention for the fixed-clocks Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 033/103] inotify: Fix fd refcount leak in inotify_add_watch() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 034/103] ALSA: hda/realtek - Fix typo for ALC225 model Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 035/103] ALSA: hda - Add mute LED support for HP ProBook 470 G5 Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 036/103] ARCv2: lib: memeset: fix doing prefetchw outside of buffer Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 037/103] ARC: adjust memblock_reserve of kernel memory Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 038/103] ARC: perf: map generic branches to correct hardware condition Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 039/103] s390/mm: always force a load of the primary ASCE on context switch Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 040/103] s390/early: improve machine detection Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 041/103] s390/smp: fix CPU hotplug deadlock with CPU rescan Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 042/103] misc: ibmvsm: Fix potential NULL pointer dereference Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 043/103] char/mwave: fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 044/103] mmc: dw_mmc-bluefield: : Fix the license information Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 045/103] mmc: meson-gx: Free irq in release() callback Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 046/103] staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 047/103] tty: Handle problem if line discipline does not have receive_buf Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 048/103] uart: Fix crash in uart_write and uart_put_char Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 049/103] tty/n_hdlc: fix __might_sleep warning Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 050/103] hv_balloon: avoid touching uninitialized struct page during tail onlining Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 051/103] Drivers: hv: vmbus: Check for ring when getting debug info Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 052/103] vgacon: unconfuse vc_origin when using soft scrollback Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 053/103] CIFS: Fix possible hang during async MTU reads and writes Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 054/103] CIFS: Fix credits calculations for reads with errors Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 055/103] CIFS: Fix credit calculation for encrypted " Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 056/103] CIFS: Do not reconnect TCP session in add_credits() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 057/103] smb3: add credits we receive from oplock/break PDUs Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 058/103] Input: xpad - add support for SteelSeries Stratus Duo Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 059/103] Input: input_event - provide override for sparc64 Greg Kroah-Hartman
[not found] ` <A56950FD-7063-4955-8091-BE6690F6B430@gmail.com>
2019-01-29 13:32 ` Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 060/103] Input: uinput - fix undefined behavior in uinput_validate_absinfo() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 061/103] acpi/nfit: Block function zero DSMs Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 062/103] acpi/nfit: Fix command-supported detection Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 063/103] scsi: ufs: Use explicit access size in ufshcd_dump_regs Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 064/103] dm thin: fix passdown_double_checking_shared_status() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 065/103] dm crypt: fix parsing of extended IV arguments Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 066/103] drm/amdgpu: Add APTX quirk for Lenovo laptop Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 067/103] KVM: x86: Fix single-step debugging Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 068/103] KVM: x86: Fix PV IPIs for 32-bit KVM host Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 069/103] KVM: x86: WARN_ONCE if sending a PV IPI returns a fatal error Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 070/103] kvm: x86/vmx: Use kzalloc for cached_vmcs12 Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 071/103] KVM/nVMX: Do not validate that posted_intr_desc_addr is page aligned Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 072/103] x86/pkeys: Properly copy pkey state at fork() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 073/103] x86/selftests/pkeys: Fork() to check for state being preserved Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 074/103] x86/kaslr: Fix incorrect i8254 outb() parameters Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 075/103] x86/entry/64/compat: Fix stack switching for XEN PV Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 076/103] posix-cpu-timers: Unbreak timer rearming Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 077/103] net: sun: cassini: Cleanup license conflict Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 078/103] irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 079/103] can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 080/103] can: bcm: check timer values before ktime conversion Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 081/103] can: flexcan: fix NULL pointer exception during bringup Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 082/103] vt: make vt_console_print() compatible with the unicode screen buffer Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 083/103] vt: always call notifier with the console lock held Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 084/103] vt: invoke notifier on screen size change Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 085/103] drm/meson: Fix atomic mode switching regression Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 086/103] bpf: improve verifier branch analysis Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 087/103] bpf: add per-insn complexity limit Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 088/103] bpf: move {prev_,}insn_idx into verifier env Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 089/103] bpf: move tmp variable into ax register in interpreter Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 090/103] bpf: enable access to ax register also from verifier rewrite Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 091/103] bpf: restrict map value pointer arithmetic for unprivileged Greg Kroah-Hartman
2019-01-29 11:36 ` Greg Kroah-Hartman [this message]
2019-01-29 11:36 ` [PATCH 4.19 093/103] bpf: restrict unknown scalars of mixed signed bounds " Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 094/103] bpf: fix check_map_access smin_value test when pointer contains offset Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 095/103] bpf: prevent out of bounds speculation on pointer arithmetic Greg Kroah-Hartman
2019-02-01 14:00 ` Jann Horn
2019-02-01 14:08 ` Greg Kroah-Hartman
2019-02-01 14:45 ` Greg Kroah-Hartman
2019-02-01 17:38 ` Jann Horn
2019-02-01 20:12 ` Daniel Borkmann
2019-01-29 11:36 ` [PATCH 4.19 096/103] bpf: fix sanitation of alu op with pointer / scalar type from different paths Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 097/103] bpf: fix inner map masking to prevent oob under speculation Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 098/103] s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 099/103] nvmet-rdma: Add unlikely for response allocated check Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 100/103] nvmet-rdma: fix null dereference under heavy load Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 101/103] Revert "mm, memory_hotplug: initialize struct pages for the full memory section" Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 102/103] usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 103/103] ide: fix a typo in the settings proc file name Greg Kroah-Hartman
2019-01-29 17:28 ` [PATCH 4.19 000/103] 4.19.19-stable review Greg Kroah-Hartman
2019-01-30 4:39 ` shuah
2019-01-30 13:16 ` Naresh Kamboju
2019-01-30 22:14 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190129113207.058598277@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=daniel@iogearbox.net \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).