[pve-kernel.git] / patches / kernel / 0228-UBUNTU-SAUCE-bpf-verifier-Fix-states_equal-compariso.patch

From 9327cee21ebe7ca7a82c27c209e1fa3ac3d23232 Mon Sep 17 00:00:00 2001
From: Ben Hutchings <ben@decadent.org.uk>
Date: Thu, 4 Jan 2018 08:01:23 -0600
Subject: [PATCH 228/233] UBUNTU: SAUCE: bpf/verifier: Fix states_equal()
 comparison of pointer and UNKNOWN
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless
pointer leaks are allowed.  Therefore, states_equal() must not treat
a state with a pointer in a register as "equal" to a state with an
UNKNOWN_VALUE in that register.

This was fixed differently upstream, but the code around here was
largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework
value tracking".  The bug can be detected by the bpf/verifier sub-test
"pointer/scalar confusion in state equality check (way 1)".

Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Edward Cree <ecree@solarflare.com>
Cc: Jann Horn <jannh@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
CVE-2017-17864
Link: https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch?h=stretch-security
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
(cherry picked from commit 3fb4378083def9b22f6ae222e75d880fc5c59048)
Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
---
 kernel/bpf/verifier.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index cdfa07a4ef27..4ecb2e10c5e0 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2980,11 +2980,12 @@ static bool states_equal(struct bpf_verifier_env *env,
 
 		/* If we didn't map access then again we don't care about the
 		 * mismatched range values and it's ok if our old type was
-		 * UNKNOWN and we didn't go to a NOT_INIT'ed reg.
+		 * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg.
 		 */
 		if (rold->type == NOT_INIT ||
 		    (!varlen_map_access && rold->type == UNKNOWN_VALUE &&
-		     rcur->type != NOT_INIT))
+		     rcur->type != NOT_INIT &&
+		     !__is_pointer_value(env->allow_ptr_leaks, rcur)))
 			continue;
 
 		/* Don't care about the reg->id in this case. */
-- 
2.14.2
Commit	Line	Data
321d628a FG	1	From 9327cee21ebe7ca7a82c27c209e1fa3ac3d23232 Mon Sep 17 00:00:00 2001
	2	From: Ben Hutchings <ben@decadent.org.uk>
	3	Date: Thu, 4 Jan 2018 08:01:23 -0600
b378f209	4	Subject: [PATCH 228/233] UBUNTU: SAUCE: bpf/verifier: Fix states_equal()
321d628a FG	5	comparison of pointer and UNKNOWN
	6	MIME-Version: 1.0
	7	Content-Type: text/plain; charset=UTF-8
	8	Content-Transfer-Encoding: 8bit
	9
	10	An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless
	11	pointer leaks are allowed. Therefore, states_equal() must not treat
	12	a state with a pointer in a register as "equal" to a state with an
	13	UNKNOWN_VALUE in that register.
	14
	15	This was fixed differently upstream, but the code around here was
	16	largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework
	17	value tracking". The bug can be detected by the bpf/verifier sub-test
	18	"pointer/scalar confusion in state equality check (way 1)".
	19
	20	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	21	Cc: Edward Cree <ecree@solarflare.com>
	22	Cc: Jann Horn <jannh@google.com>
	23	Cc: Alexei Starovoitov <ast@kernel.org>
	24	CVE-2017-17864
	25	Link: https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch?h=stretch-security
	26	Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
	27	Signed-off-by: Andy Whitcroft <apw@canonical.com>
	28	Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	29	(cherry picked from commit 3fb4378083def9b22f6ae222e75d880fc5c59048)
	30	Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
	31	---
	32	kernel/bpf/verifier.c \| 5 +++--
	33	1 file changed, 3 insertions(+), 2 deletions(-)
	34
	35	diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
	36	index cdfa07a4ef27..4ecb2e10c5e0 100644
	37	--- a/kernel/bpf/verifier.c
	38	+++ b/kernel/bpf/verifier.c
	39	@@ -2980,11 +2980,12 @@ static bool states_equal(struct bpf_verifier_env *env,
	40
	41	/* If we didn't map access then again we don't care about the
	42	* mismatched range values and it's ok if our old type was
	43	- * UNKNOWN and we didn't go to a NOT_INIT'ed reg.
	44	+ * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg.
	45	*/
	46	if (rold->type == NOT_INIT \|\|
	47	(!varlen_map_access && rold->type == UNKNOWN_VALUE &&
	48	- rcur->type != NOT_INIT))
	49	+ rcur->type != NOT_INIT &&
	50	+ !__is_pointer_value(env->allow_ptr_leaks, rcur)))
	51	continue;
	52
	53	/* Don't care about the reg->id in this case. */
	54	--
	55	2.14.2
	56