1 | From 9327cee21ebe7ca7a82c27c209e1fa3ac3d23232 Mon Sep 17 00:00:00 2001 |
2 | From: Ben Hutchings <ben@decadent.org.uk> | |
3 | Date: Thu, 4 Jan 2018 08:01:23 -0600 | |
b378f209 | 4 | Subject: [PATCH 228/233] UBUNTU: SAUCE: bpf/verifier: Fix states_equal() |
5 | comparison of pointer and UNKNOWN |
6 | MIME-Version: 1.0 | |
7 | Content-Type: text/plain; charset=UTF-8 | |
8 | Content-Transfer-Encoding: 8bit | |
9 | ||
10 | An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless | |
11 | pointer leaks are allowed. Therefore, states_equal() must not treat | |
12 | a state with a pointer in a register as "equal" to a state with an | |
13 | UNKNOWN_VALUE in that register. | |
14 | ||
15 | This was fixed differently upstream, but the code around here was | |
16 | largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework | |
17 | value tracking". The bug can be detected by the bpf/verifier sub-test | |
18 | "pointer/scalar confusion in state equality check (way 1)". | |
19 | ||
20 | Signed-off-by: Ben Hutchings <ben@decadent.org.uk> | |
21 | Cc: Edward Cree <ecree@solarflare.com> | |
22 | Cc: Jann Horn <jannh@google.com> | |
23 | Cc: Alexei Starovoitov <ast@kernel.org> | |
24 | CVE-2017-17864 | |
25 | Link: https://anonscm.debian.org/cgit/kernel/linux.git/tree/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch?h=stretch-security | |
26 | Signed-off-by: Seth Forshee <seth.forshee@canonical.com> | |
27 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
28 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
29 | (cherry picked from commit 3fb4378083def9b22f6ae222e75d880fc5c59048) | |
30 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
31 | --- | |
32 | kernel/bpf/verifier.c | 5 +++-- | |
33 | 1 file changed, 3 insertions(+), 2 deletions(-) | |
34 | ||
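diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index cdfa07a4ef27..4ecb2e10c5e0 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2980,11 +2980,12 @@ static bool states_equal(struct bpf_verifier_env *env,
 
 	/* If we didn't map access then again we don't care about the
 	 * mismatched range values and it's ok if our old type was
-	 * UNKNOWN and we didn't go to a NOT_INIT'ed reg.
+	 * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg.
 	 */
 	if (rold->type == NOT_INIT ||
 	    (!varlen_map_access && rold->type == UNKNOWN_VALUE &&
-	     rcur->type != NOT_INIT))
+	     rcur->type != NOT_INIT &&
+	     !__is_pointer_value(env->allow_ptr_leaks, rcur)))
 		continue;
 
 	/* Don't care about the reg->id in this case. */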
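Review bot: The added `!__is_pointer_value(env->allow_ptr_leaks, rcur)` test is keyed on `allow_ptr_leaks`, and the rewritten comment just above it does not say so: if `__is_pointer_value()` keeps its usual early `return false` when pointer leaks are allowed, a privileged loader still gets a pointer in rcur pruned as "equal" to an UNKNOWN_VALUE in rold. That matches the "unless pointer leaks are allowed" wording of the commit message, but a reader of states_equal() alone cannot see it, so the comment should carry it, e.g. `* UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg` followed by `* (a pointer is only tolerated here when ptr leaks are allowed).` The new guard is also applied only on the `rold->type == UNKNOWN_VALUE` arm; the `rold->type == NOT_INIT` arm stays unconditional, which appears safe since a NOT_INIT register carries nothing a pointer could be confused with, but that reasoning is worth a short comment too. states_equal() begins before the hunk and continues after it.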
54 | -- | |
55 | 2.14.2 | |
56 |