linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
	Piotr Krysiuk <piotras@gmail.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Alexei Starovoitov <ast@kernel.org>
Subject: [PATCH 5.12 05/17] bpf: Fix masking negation logic upon negative dst register
Date: Wed,  5 May 2021 14:06:00 +0200	[thread overview]
Message-ID: <20210505112325.126024016@linuxfoundation.org> (raw)
In-Reply-To: <20210505112324.956720416@linuxfoundation.org>

From: Daniel Borkmann <daniel@iogearbox.net>

commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807 upstream.

The negation logic for the case where the off_reg is sitting in the
dst register is not correct given then we cannot just invert the add
to a sub or vice versa. As a fix, perform the final bitwise and-op
unconditionally into AX from the off_reg, then move the pointer from
the src to dst and finally use AX as the source for the original
pointer arithmetic operation such that the inversion yields a correct
result. The single non-AX mov in between is possible given constant
blinding is retaining it as it's not an immediate based operation.

Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Piotr Krysiuk <piotras@gmail.com>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -11760,14 +11760,10 @@ static int fixup_bpf_calls(struct bpf_ve
 			*patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
 			*patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
 			*patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
-			if (issrc) {
-				*patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
-							 off_reg);
-				insn->src_reg = BPF_REG_AX;
-			} else {
-				*patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
-							 BPF_REG_AX);
-			}
+			*patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg);
+			if (!issrc)
+				*patch++ = BPF_MOV64_REG(insn->dst_reg, insn->src_reg);
+			insn->src_reg = BPF_REG_AX;
 			if (isneg)
 				insn->code = insn->code == code_add ?
 					     code_sub : code_add;



  parent reply	other threads:[~2021-05-05 12:12 UTC|newest]

Thread overview: 22+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-05-05 12:05 [PATCH 5.12 00/17] 5.12.2-rc1 review Greg Kroah-Hartman
2021-05-05 12:05 ` [PATCH 5.12 01/17] mips: Do not include hi and lo in clobber list for R6 Greg Kroah-Hartman
2021-05-05 12:05 ` [PATCH 5.12 02/17] netfilter: conntrack: Make global sysctls readonly in non-init netns Greg Kroah-Hartman
2021-05-05 12:05 ` [PATCH 5.12 03/17] net: usb: ax88179_178a: initialize local variables before use Greg Kroah-Hartman
2021-05-05 12:05 ` [PATCH 5.12 04/17] drm/i915: Disable runtime power management during shutdown Greg Kroah-Hartman
2021-05-05 12:06 ` Greg Kroah-Hartman [this message]
2021-05-05 12:06 ` [PATCH 5.12 06/17] bpf: Fix leakage of uninitialized bpf stack under speculation Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 07/17] net: qrtr: Avoid potential use after free in MHI send Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 08/17] ovl: fix leaked dentry Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 09/17] ovl: allow upperdir inside lowerdir Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 10/17] ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 11/17] ALSA: usb-audio: Fix implicit sync clearance at stopping stream Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 12/17] USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 13/17] USB: Add reset-resume quirk for WD19s Realtek Hub Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 14/17] ASoC: ak4458: Add MODULE_DEVICE_TABLE Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 15/17] ASoC: ak5558: " Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 16/17] platform/x86: thinkpad_acpi: Correct thermal sensor allocation Greg Kroah-Hartman
2021-05-05 12:06 ` [PATCH 5.12 17/17] perf/core: Fix unconditional security_locked_down() call Greg Kroah-Hartman
2021-05-05 17:52 ` [PATCH 5.12 00/17] 5.12.2-rc1 review Fox Chen
2021-05-05 19:09 ` Naresh Kamboju
2021-05-05 19:44 ` Florian Fainelli
2021-05-06  1:59 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20210505112325.126024016@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=ast@kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=john.fastabend@gmail.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=piotras@gmail.com \
    --cc=stable@vger.kernel.org \
    --subject='Re: [PATCH 5.12 05/17] bpf: Fix masking negation logic upon negative dst register' \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).