linux-kernel.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
	Alexei Starovoitov <ast@kernel.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.19 094/103] bpf: fix check_map_access smin_value test when pointer contains offset
Date: Tue, 29 Jan 2019 12:36:11 +0100
Message-ID: <20190129113207.164685192@linuxfoundation.org>
In-Reply-To: <20190129113159.567154026@linuxfoundation.org>

4.19-stable review patch.  If anyone has any objections, please let me know.

------------------

[ commit b7137c4eab85c1cf3d46acdde90ce1163b28c873 upstream ]

In check_map_access() we probe actual bounds through __check_map_access()
with offset of reg->smin_value + off for lower bound and offset of
reg->umax_value + off for the upper bound. However, even though the
reg->smin_value could have a negative value, the final result of the
sum with off could be positive when pointer arithmetic with known and
unknown scalars is combined. In this case we reject the program with
an error such as "R<x> min value is negative, either use unsigned index
or do a if (index >=0) check." even though the access itself would be
fine. Therefore extend the check to probe whether the actual resulting
reg->smin_value + off is less than zero.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/verifier.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index fbaa3b9e1d71..f9d5aea4891d 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1294,13 +1294,17 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno,
 	 */
 	if (env->log.level)
 		print_verifier_state(env, state);
+
 	/* The minimum value is only important with signed
 	 * comparisons where we can't assume the floor of a
 	 * value is 0.  If we are using signed variables for our
 	 * index'es we need to make sure that whatever we use
 	 * will have a set floor within our range.
 	 */
-	if (reg->smin_value < 0) {
+	if (reg->smin_value < 0 &&
+	    (reg->smin_value == S64_MIN ||
+	     (off + reg->smin_value != (s64)(s32)(off + reg->smin_value)) ||
+	      reg->smin_value + off < 0)) {
 		verbose(env, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.\n",
 			regno);
 		return -EACCES;
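Review bot: the comment block directly above the condition ("The minimum value is only important with signed comparisons ... will have a set floor within our range") still describes only the old `reg->smin_value < 0` test and says nothing about the three new sub-conditions; add a sentence there explaining why `S64_MIN` and a sum that does not survive the `(s64)(s32)` round-trip are rejected outright, while a negative `smin_value` whose `smin_value + off` is non-negative is now allowed through. The error text below, "R%d min value is negative, either use unsigned index or do a if (index >=0) check.", is also now emitted for the `S64_MIN` and narrowing cases where a negative minimum is not the actual reason, so consider wording it to match. Minor style point: the last line of the condition (`reg->smin_value + off < 0)) {`) is indented one column deeper than the `(off + ...` line above it.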
-- 
2.19.1
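To see what the patch changes, here is an added stand-alone model of the old and new `smin_value` tests from check_map_access(); this is constructed example code, not the kernel's, and the typedefs, function names and the register states it feeds in are assumptions chosen to mirror the hunk.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-alone model of the bounds test in check_map_access();
 * the kernel's typedefs are mirrored so the predicate reads like the hunk. */
typedef int64_t s64;
typedef int32_t s32;
#define S64_MIN INT64_MIN

/* Pre-fix test: any negative lower bound on the scalar is rejected, even
 * when the constant offset folded into the pointer makes the real access
 * offset (smin_value + off) non-negative. */
static bool old_min_check_rejects(s64 smin_value, int off)
{
	(void)off;                     /* the old test never looked at off */
	return smin_value < 0;
}

/* Post-fix test from the hunk: reject only if the combined lower bound is
 * unknowable (S64_MIN), would not survive narrowing to a 32-bit offset,
 * or actually lies before the start of the map value. */
static bool new_min_check_rejects(s64 smin_value, int off)
{
	return smin_value < 0 &&
	       (smin_value == S64_MIN ||
		(off + smin_value != (s64)(s32)(off + smin_value)) ||
		smin_value + off < 0);
}

int main(void)
{
	/* Constructed register states: {scalar lower bound, folded-in offset}. */
	struct { s64 smin; int off; const char *what; } cases[] = {
		{ -8,      16, "index >= -8 on a pointer already at +16: access starts at +8" },
		{ -32,     16, "index >= -32 on +16: access may start at -16" },
		{ S64_MIN, 16, "unbounded scalar" },
		{ 0,        0, "non-negative index, both tests accept" },
	};
	for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
		printf("smin=%lld off=%d old=%s new=%s  (%s)\n",
		       (long long)cases[i].smin, cases[i].off,
		       old_min_check_rejects(cases[i].smin, cases[i].off) ? "reject" : "ok",
		       new_min_check_rejects(cases[i].smin, cases[i].off) ? "reject" : "ok",
		       cases[i].what);
	return 0;
}
```

The first case is the false rejection the patch removes: the old test refuses it because smin_value is negative, the new test accepts it because smin_value + off is 8.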

Thread overview: 122+ messages
2019-01-29 11:34 [PATCH 4.19 000/103] 4.19.19-stable review Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 001/103] amd-xgbe: Fix mdio access for non-zero ports and clause 45 PHYs Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 002/103] net: bridge: Fix ethernet header pointer before check skb forwardable Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 003/103] net: Fix usage of pskb_trim_rcsum Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 004/103] net: phy: marvell: Errata for mv88e6390 internal PHYs Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 005/103] net: phy: mdio_bus: add missing device_del() in mdiobus_register() error handling Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 006/103] net: phy: phy driver features are mandatory Greg Kroah-Hartman
2019-01-29 15:50   ` Holger Hoffstätte
2019-01-29 16:05     ` Camelia Alexandra Groza
2019-01-29 16:33       ` Greg Kroah-Hartman
2019-01-29 16:57         ` Holger Hoffstätte
2019-01-29 17:22           ` Greg Kroah-Hartman
2019-01-29 17:03         ` Andrew Lunn
2019-01-29 16:34       ` Holger Hoffstätte
2019-01-29 16:07     ` Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 007/103] net/sched: act_tunnel_key: fix memory leak in case of action replace Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 008/103] net_sched: refetch skb protocol for each filter Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 009/103] openvswitch: Avoid OOB read when parsing flow nlattrs Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 010/103] vhost: log dirty page correctly Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 011/103] mlxsw: pci: Increase PCI SW reset timeout Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 012/103] net: ipv4: Fix memory leak in network namespace dismantle Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 013/103] mlxsw: spectrum_fid: Update dummy FID index Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 014/103] mlxsw: pci: Ring CQs doorbell before RDQs Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 015/103] net/sched: cls_flower: allocate mask dynamically in fl_change() Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 016/103] udp: with udp_segment release on error path Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 017/103] ip6_gre: fix tunnel list corruption for x-netns Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 018/103] erspan: build the header with the right proto according to erspan_ver Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 019/103] net: phy: marvell: Fix deadlock from wrong locking Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 020/103] ip6_gre: update version related info when changing link Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 021/103] tcp: allow MSG_ZEROCOPY transmission also in CLOSE_WAIT state Greg Kroah-Hartman
2019-01-29 11:34 ` [PATCH 4.19 022/103] mei: me: mark LBG devices as having dma support Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 023/103] mei: me: add denverton innovation engine device IDs Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 024/103] USB: leds: fix regression in usbport led trigger Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 025/103] USB: serial: simple: add Motorola Tetra TPG2200 device id Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 026/103] USB: serial: pl2303: add new PID to support PL2303TB Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 027/103] ceph: clear inode pointer when snap realm gets dropped by its inode Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 028/103] ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 029/103] ASoC: rt5514-spi: Fix potential NULL pointer dereference Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 030/103] ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 031/103] clk: socfpga: stratix10: fix rate calculation for pll clocks Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 032/103] clk: socfpga: stratix10: fix naming convention for the fixed-clocks Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 033/103] inotify: Fix fd refcount leak in inotify_add_watch() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 034/103] ALSA: hda/realtek - Fix typo for ALC225 model Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 035/103] ALSA: hda - Add mute LED support for HP ProBook 470 G5 Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 036/103] ARCv2: lib: memeset: fix doing prefetchw outside of buffer Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 037/103] ARC: adjust memblock_reserve of kernel memory Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 038/103] ARC: perf: map generic branches to correct hardware condition Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 039/103] s390/mm: always force a load of the primary ASCE on context switch Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 040/103] s390/early: improve machine detection Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 041/103] s390/smp: fix CPU hotplug deadlock with CPU rescan Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 042/103] misc: ibmvsm: Fix potential NULL pointer dereference Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 043/103] char/mwave: fix potential Spectre v1 vulnerability Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 044/103] mmc: dw_mmc-bluefield: : Fix the license information Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 045/103] mmc: meson-gx: Free irq in release() callback Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 046/103] staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 047/103] tty: Handle problem if line discipline does not have receive_buf Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 048/103] uart: Fix crash in uart_write and uart_put_char Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 049/103] tty/n_hdlc: fix __might_sleep warning Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 050/103] hv_balloon: avoid touching uninitialized struct page during tail onlining Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 051/103] Drivers: hv: vmbus: Check for ring when getting debug info Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 052/103] vgacon: unconfuse vc_origin when using soft scrollback Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 053/103] CIFS: Fix possible hang during async MTU reads and writes Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 054/103] CIFS: Fix credits calculations for reads with errors Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 055/103] CIFS: Fix credit calculation for encrypted " Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 056/103] CIFS: Do not reconnect TCP session in add_credits() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 057/103] smb3: add credits we receive from oplock/break PDUs Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 058/103] Input: xpad - add support for SteelSeries Stratus Duo Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 059/103] Input: input_event - provide override for sparc64 Greg Kroah-Hartman
     [not found]   ` <A56950FD-7063-4955-8091-BE6690F6B430@gmail.com>
2019-01-29 13:32     ` Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 060/103] Input: uinput - fix undefined behavior in uinput_validate_absinfo() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 061/103] acpi/nfit: Block function zero DSMs Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 062/103] acpi/nfit: Fix command-supported detection Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 063/103] scsi: ufs: Use explicit access size in ufshcd_dump_regs Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 064/103] dm thin: fix passdown_double_checking_shared_status() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 065/103] dm crypt: fix parsing of extended IV arguments Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 066/103] drm/amdgpu: Add APTX quirk for Lenovo laptop Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 067/103] KVM: x86: Fix single-step debugging Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 068/103] KVM: x86: Fix PV IPIs for 32-bit KVM host Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 069/103] KVM: x86: WARN_ONCE if sending a PV IPI returns a fatal error Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 070/103] kvm: x86/vmx: Use kzalloc for cached_vmcs12 Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 071/103] KVM/nVMX: Do not validate that posted_intr_desc_addr is page aligned Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 072/103] x86/pkeys: Properly copy pkey state at fork() Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 073/103] x86/selftests/pkeys: Fork() to check for state being preserved Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 074/103] x86/kaslr: Fix incorrect i8254 outb() parameters Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 075/103] x86/entry/64/compat: Fix stack switching for XEN PV Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 076/103] posix-cpu-timers: Unbreak timer rearming Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 077/103] net: sun: cassini: Cleanup license conflict Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 078/103] irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 079/103] can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 080/103] can: bcm: check timer values before ktime conversion Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 081/103] can: flexcan: fix NULL pointer exception during bringup Greg Kroah-Hartman
2019-01-29 11:35 ` [PATCH 4.19 082/103] vt: make vt_console_print() compatible with the unicode screen buffer Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 083/103] vt: always call notifier with the console lock held Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 084/103] vt: invoke notifier on screen size change Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 085/103] drm/meson: Fix atomic mode switching regression Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 086/103] bpf: improve verifier branch analysis Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 087/103] bpf: add per-insn complexity limit Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 088/103] bpf: move {prev_,}insn_idx into verifier env Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 089/103] bpf: move tmp variable into ax register in interpreter Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 090/103] bpf: enable access to ax register also from verifier rewrite Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 091/103] bpf: restrict map value pointer arithmetic for unprivileged Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 092/103] bpf: restrict stack " Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 093/103] bpf: restrict unknown scalars of mixed signed bounds " Greg Kroah-Hartman
2019-01-29 11:36 ` Greg Kroah-Hartman [this message]
2019-01-29 11:36 ` [PATCH 4.19 095/103] bpf: prevent out of bounds speculation on pointer arithmetic Greg Kroah-Hartman
2019-02-01 14:00   ` Jann Horn
2019-02-01 14:08     ` Greg Kroah-Hartman
2019-02-01 14:45       ` Greg Kroah-Hartman
2019-02-01 17:38         ` Jann Horn
2019-02-01 20:12           ` Daniel Borkmann
2019-01-29 11:36 ` [PATCH 4.19 096/103] bpf: fix sanitation of alu op with pointer / scalar type from different paths Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 097/103] bpf: fix inner map masking to prevent oob under speculation Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 098/103] s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 099/103] nvmet-rdma: Add unlikely for response allocated check Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 100/103] nvmet-rdma: fix null dereference under heavy load Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 101/103] Revert "mm, memory_hotplug: initialize struct pages for the full memory section" Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 102/103] usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup Greg Kroah-Hartman
2019-01-29 11:36 ` [PATCH 4.19 103/103] ide: fix a typo in the settings proc file name Greg Kroah-Hartman
2019-01-29 17:28 ` [PATCH 4.19 000/103] 4.19.19-stable review Greg Kroah-Hartman
2019-01-30  4:39   ` shuah
2019-01-30 13:16 ` Naresh Kamboju
2019-01-30 22:14 ` Guenter Roeck
