git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/commit

author	Alexei Starovoitov <ast@fb.com>
	Thu, 4 Jan 2018 14:01:24 +0000 (08:01 -0600)
committer	Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	Sat, 6 Jan 2018 12:23:57 +0000 (13:23 +0100)
commit	2df70878d072d06f5bad0db3f2ee1ed47179dff8
tree	36de8551cd862331c5306c03476ee740d2c1e965	tree
parent	3fb4378083def9b22f6ae222e75d880fc5c59048	commit \| diff

bpf: fix branch pruning logic

when the verifier detects that register contains a runtime constant
and it's compared with another constant it will prune exploration
of the branch that is guaranteed not to be taken at runtime.
This is all correct, but malicious program may be constructed
in such a way that it always has a constant comparison and
the other branch is never taken under any conditions.
In this case such path through the program will not be explored
by the verifier. It won't be taken at run-time either, but since
all instructions are JITed the malicious program may cause JITs
to complain about using reserved fields, etc.
To fix the issue we have to track the instructions explored by
the verifier and sanitize instructions that are dead at run time
with NOPs. We cannot reject such dead code, since llvm generates
it for valid C code, since it doesn't do as much data flow
analysis as the verifier does.

Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
(cherry picked from commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467)
CVE-2017-17862
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

include/linux/bpf_verifier.h		diff \| blob \| blame \| history
kernel/bpf/verifier.c		diff \| blob \| blame \| history