57 lines
2.3 KiB
Diff
57 lines
2.3 KiB
Diff
From 9327cee21ebe7ca7a82c27c209e1fa3ac3d23232 Mon Sep 17 00:00:00 2001
|
|
From: Ben Hutchings <ben@decadent.org.uk>
|
|
Date: Thu, 4 Jan 2018 08:01:23 -0600
|
|
Subject: [PATCH 228/232] UBUNTU: SAUCE: bpf/verifier: Fix states_equal()
|
|
comparison of pointer and UNKNOWN
|
|
MIME-Version: 1.0
|
|
Content-Type: text/plain; charset=UTF-8
|
|
Content-Transfer-Encoding: 8bit
|
|
|
|
An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless
|
|
pointer leaks are allowed. Therefore, states_equal() must not treat
|
|
a state with a pointer in a register as "equal" to a state with an
|
|
UNKNOWN_VALUE in that register.
|
|
|
|
This was fixed differently upstream, but the code around here was
|
|
largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework
|
|
value tracking". The bug can be detected by the bpf/verifier sub-test
|
|
"pointer/scalar confusion in state equality check (way 1)".
|
|
|
|
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
|
|
Cc: Edward Cree <ecree@solarflare.com>
|
|
Cc: Jann Horn <jannh@google.com>
|
|
Cc: Alexei Starovoitov <ast@kernel.org>
|
|
CVE-2017-17864
|
|
Link: https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch?h=stretch-security
|
|
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
|
|
Signed-off-by: Andy Whitcroft <apw@canonical.com>
|
|
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
|
|
(cherry picked from commit 3fb4378083def9b22f6ae222e75d880fc5c59048)
|
|
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
|
|
---
|
|
kernel/bpf/verifier.c | 5 +++--
|
|
1 file changed, 3 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
|
|
index cdfa07a4ef27..4ecb2e10c5e0 100644
|
|
--- a/kernel/bpf/verifier.c
|
|
+++ b/kernel/bpf/verifier.c
|
|
@@ -2980,11 +2980,12 @@ static bool states_equal(struct bpf_verifier_env *env,
|
|
|
|
/* If we didn't map access then again we don't care about the
|
|
* mismatched range values and it's ok if our old type was
|
|
- * UNKNOWN and we didn't go to a NOT_INIT'ed reg.
|
|
+ * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg.
|
|
*/
|
|
if (rold->type == NOT_INIT ||
|
|
(!varlen_map_access && rold->type == UNKNOWN_VALUE &&
|
|
- rcur->type != NOT_INIT))
|
|
+ rcur->type != NOT_INIT &&
|
|
+ !__is_pointer_value(env->allow_ptr_leaks, rcur)))
|
|
continue;
|
|
|
|
/* Don't care about the reg->id in this case. */
|
|
--
|
|
2.14.2
|
|
|