From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Daniel Borkmann <daniel@iogearbox.net>,
	Piotr Krysiuk <piotras@gmail.com>,
	John Fastabend <john.fastabend@gmail.com>,
	Alexei Starovoitov <ast@kernel.org>
Subject: [PATCH 5.10 05/29] bpf: Fix masking negation logic upon negative dst register
Date: Wed,  5 May 2021 14:05:08 +0200
Message-ID: <20210505112326.379826453@linuxfoundation.org>
In-Reply-To: <20210505112326.195493232@linuxfoundation.org>

From: Daniel Borkmann <daniel@iogearbox.net>

commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807 upstream.

The negation logic for the case where the off_reg is sitting in the
dst register is not correct given that we cannot just invert the add
to a sub or vice versa. As a fix, perform the final bitwise and-op
unconditionally into AX from the off_reg, then move the pointer from
the src to dst and finally use AX as the source for the original
pointer arithmetic operation such that the inversion yields a correct
result. The single non-AX mov in between is possible given constant
blinding is retaining it as it's not an immediate based operation.

Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Piotr Krysiuk <piotras@gmail.com>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |   12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -11403,14 +11403,10 @@ static int fixup_bpf_calls(struct bpf_ve
 			*patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
 			*patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
 			*patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
-			if (issrc) {
-				*patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
-							 off_reg);
-				insn->src_reg = BPF_REG_AX;
-			} else {
-				*patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
-							 BPF_REG_AX);
-			}
+			*patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg);
+			if (!issrc)
+				*patch++ = BPF_MOV64_REG(insn->dst_reg, insn->src_reg);
+			insn->src_reg = BPF_REG_AX;
 			if (isneg)
 				insn->code = insn->code == code_add ?
 					     code_sub : code_add;
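
Review bot: The `if (!issrc)` branch relies on an ordering that the code does not document. `BPF_MOV64_REG(insn->dst_reg, insn->src_reg)` overwrites the register that held off_reg, so it has to be emitted after the `BPF_AND` into `BPF_REG_AX`, and it has to read `insn->src_reg` before the next line, `insn->src_reg = BPF_REG_AX`, replaces it. A short comment above the branch stating this, and noting that this mov is the single non-AX instruction in the sequence and why constant blinding leaves it alone (the commit message explains it, the code does not), would keep a later reordering from silently producing a wrong masked result. The !issrc path also now emits one more instruction than before, so please confirm the buffer behind `patch` has room for it, since its size is not visible in this hunk.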


