stable.vger.kernel.org archive mirror
From: Hao Luo <haoluo@google.com>
To: Greg KH <gregkh@linuxfoundation.org>
Cc: Alexei Starovoitov <ast@kernel.org>,
	Andrii Nakryiko <andrii@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	laura@labbott.name, stable@vger.kernel.org,
	Hao Luo <haoluo@google.com>
Subject: [PATCH stable linux-5.16.y 0/9] Fix bpf mem read/write vulnerability.
Date: Wed, 16 Feb 2022 14:52:00 -0800
Message-ID: <20220216225209.2196865-1-haoluo@google.com>

Hi Greg,

Please consider cherry-picking this patch series into 5.16.x stable. It
includes a fix to a bug in 5.16 stable which allows a user with cap_bpf
privileges to get root privileges. The patch that fixes the bug is

 patch 7/9: bpf: Make per_cpu_ptr return rdonly

The rest are the dependencies required by the fix patch. This patchset has
been merged in mainline v5.17. The patches were not planned for backport
because of their complex dependencies.

Tested by compile, build and run through a subset of bpf test_progs.

Hao Luo (9):
  bpf: Introduce composable reg, ret and arg types.
  bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL
  bpf: Replace RET_XXX_OR_NULL with RET_XXX | PTR_MAYBE_NULL
  bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL
  bpf: Introduce MEM_RDONLY flag
  bpf: Convert PTR_TO_MEM_OR_NULL to composable types.
  bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM.
  bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem.
  bpf/selftests: Test PTR_TO_RDONLY_MEM

 include/linux/bpf.h                           | 101 +++-
 include/linux/bpf_verifier.h                  |  17 +
 kernel/bpf/btf.c                              |  12 +-
 kernel/bpf/cgroup.c                           |   2 +-
 kernel/bpf/helpers.c                          |  12 +-
 kernel/bpf/map_iter.c                         |   4 +-
 kernel/bpf/ringbuf.c                          |   2 +-
 kernel/bpf/syscall.c                          |   2 +-
 kernel/bpf/verifier.c                         | 488 +++++++++---------
 kernel/trace/bpf_trace.c                      |  26 +-
 net/core/bpf_sk_storage.c                     |   2 +-
 net/core/filter.c                             |  64 +--
 net/core/sock_map.c                           |   2 +-
 .../selftests/bpf/prog_tests/ksyms_btf.c      |  14 +
 .../bpf/progs/test_ksyms_btf_write_check.c    |  29 ++
 15 files changed, 444 insertions(+), 333 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/test_ksyms_btf_write_check.c

-- 
2.35.1.265.g69c8d7142f-goog
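
The patch titles above describe register types composed from a base type plus flags such as PTR_MAYBE_NULL and MEM_RDONLY, with the per_cpu_ptr return type gaining the read-only flag. The following simplified C model is an added example, not code from the patches or the kernel; the bit layout, the function names and the "before" return type are assumptions for illustration.

```c
#include <stdint.h>

/* Simplified model, NOT kernel source. Low bits carry the base type,
 * higher bits carry flags that compose with any base type. */
#define BASE_TYPE_BITS 8u                         /* assumed width */
#define BASE_TYPE_MASK ((1u << BASE_TYPE_BITS) - 1u)

/* Small subset of base types, enough for the demonstration. */
enum { NOT_INIT = 0, SCALAR_VALUE = 1, PTR_TO_MEM = 2 };

/* Flag names come from the patch titles; the bit positions are assumed. */
#define PTR_MAYBE_NULL (1u << (0u + BASE_TYPE_BITS))
#define MEM_RDONLY     (1u << (1u + BASE_TYPE_BITS))

static uint32_t base_type(uint32_t t) { return t & BASE_TYPE_MASK; }
static uint32_t type_flag(uint32_t t) { return t & ~BASE_TYPE_MASK; }

/* After a NULL check on the taken branch, only PTR_MAYBE_NULL is cleared;
 * every other flag, MEM_RDONLY included, survives. */
static uint32_t mark_non_null(uint32_t t) { return t & ~PTR_MAYBE_NULL; }

enum access { ACC_READ, ACC_WRITE };

/* Model access check: 0 = allowed, negative = program rejected. */
static int check_mem_access(uint32_t reg_type, enum access acc)
{
    if (base_type(reg_type) != PTR_TO_MEM)
        return -1;                    /* not a memory pointer */
    if (type_flag(reg_type) & PTR_MAYBE_NULL)
        return -2;                    /* must be NULL-checked first */
    if (acc == ACC_WRITE && (type_flag(reg_type) & MEM_RDONLY))
        return -3;                    /* store through read-only pointer */
    return 0;
}

/* Assumed shape of the helper's return type before the fix: writable. */
static uint32_t percpu_ret_before(void)
{
    return PTR_TO_MEM | PTR_MAYBE_NULL;
}

/* With the fix modelled: same pointer, now tagged read-only. */
static uint32_t percpu_ret_after(void)
{
    return PTR_TO_MEM | PTR_MAYBE_NULL | MEM_RDONLY;
}
```

In this model a NULL-checked pointer of the "before" type passes a write check, while the "after" type is rejected for writes and still accepted for reads.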


Thread overview: 12+ messages
2022-02-16 22:52 Hao Luo [this message]
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 1/9] bpf: Introduce composable reg, ret and arg types Hao Luo
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 2/9] bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL Hao Luo
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 3/9] bpf: Replace RET_XXX_OR_NULL with RET_XXX " Hao Luo
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 4/9] bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX " Hao Luo
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 5/9] bpf: Introduce MEM_RDONLY flag Hao Luo
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 6/9] bpf: Convert PTR_TO_MEM_OR_NULL to composable types Hao Luo
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 7/9] bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM Hao Luo
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 8/9] bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem Hao Luo
2022-02-16 22:52 ` [PATCH stable linux-5.16.y 9/9] bpf/selftests: Test PTR_TO_RDONLY_MEM Hao Luo
2022-02-17 19:05 ` [PATCH stable linux-5.16.y 0/9] Fix bpf mem read/write vulnerability Greg KH
2022-02-17 19:59   ` Hao Luo
