git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/commit

author	Daniel Borkmann <daniel@iogearbox.net>
	Thu, 27 May 2021 21:36:00 +0000 (23:36 +0200)
committer	Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	Fri, 28 May 2021 14:30:29 +0000 (16:30 +0200)
commit	9e86367ba51c537d4100bdab42da085a9a5bd301
tree	97dfd51ea270e7e54cac9fe381bb6de1923d76d3	tree
parent	46fb6257f298571fc6d5627537a60a45b81cec0c	commit \| diff

bpf: Fix mask direction swap upon off reg sign change

Masking direction as indicated via mask_to_left is considered to be
calculated once and then used to derive pointer limits. Thus, this
needs to be placed into bpf_sanitize_info instead so we can pass it
to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
corner case where the off reg causes masking direction change which
then results in an incorrect final aux->alu_limit.

Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
Reported-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
(cherry picked from commit bb01a1bba579b4b1c5566af24d95f1767859771e)
CVE-2021-33200
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Ian May <ian.may@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>