Diffstat (limited to 'debian/patches/bugfix/all/bpf-Add-sanity-check-for-upper-ptr_limit.patch')
-rw-r--r--debian/patches/bugfix/all/bpf-Add-sanity-check-for-upper-ptr_limit.patch60
1 files changed, 60 insertions, 0 deletions
diff --git a/debian/patches/bugfix/all/bpf-Add-sanity-check-for-upper-ptr_limit.patch b/debian/patches/bugfix/all/bpf-Add-sanity-check-for-upper-ptr_limit.patch
new file mode 100644
index 000000000..a68458999
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-Add-sanity-check-for-upper-ptr_limit.patch
@@ -0,0 +1,60 @@
+From: Piotr Krysiuk <piotras@gmail.com>
+Date: Tue, 16 Mar 2021 09:47:02 +0100
+Subject: bpf: Add sanity check for upper ptr_limit
+Origin: https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit?id=1b1597e64e1a610c7a96710fc4717158e98a08b3
+
+Given we know the max possible value of ptr_limit at the time of retrieving
+the latter, add basic assertions, so that the verifier can bail out if
+anything looks odd and reject the program. Nothing triggered this so far,
+but it also does not hurt to have these.
+
+Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
+Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+---
+ kernel/bpf/verifier.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index d16722a99b61..44e4ec1640f1 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5861,10 +5861,14 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
+ {
+ bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
+ (opcode == BPF_SUB && !off_is_neg);
+- u32 off;
++ u32 off, max;
+
+ switch (ptr_reg->type) {
+ case PTR_TO_STACK:
++ /* Offset 0 is out-of-bounds, but acceptable start for the
++ * left direction, see BPF_REG_FP.
++ */
++ max = MAX_BPF_STACK + mask_to_left;
+ /* Indirect variable offset stack access is prohibited in
+ * unprivileged mode so it's not handled here.
+ */
+@@ -5873,15 +5877,16 @@ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg,
+ *ptr_limit = MAX_BPF_STACK + off;
+ else
+ *ptr_limit = -off - 1;
+- return 0;
++ return *ptr_limit >= max ? -ERANGE : 0;
+ case PTR_TO_MAP_VALUE:
++ max = ptr_reg->map_ptr->value_size;
+ if (mask_to_left) {
+ *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
+ } else {
+ off = ptr_reg->smin_value + ptr_reg->off;
+ *ptr_limit = ptr_reg->map_ptr->value_size - off - 1;
+ }
+- return 0;
++ return *ptr_limit >= max ? -ERANGE : 0;
+ default:
+ return -EINVAL;
+ }
+--
+2.31.0
+
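Review bot: The map-value branch sets `max = ptr_reg->map_ptr->value_size;` with no comment, while the stack branch explains why its bound is widened by one for the left direction (`MAX_BPF_STACK + mask_to_left`). A reader cannot tell from the hunk whether the asymmetry is deliberate, so I would add something like `/* No +1 here: ptr_limit == value_size is rejected in both directions. */` above that assignment. Both `*ptr_limit >= max` checks also appear to depend on unsigned wrap-around (for example `value_size - off - 1` when `off` exceeds `value_size`) to catch an underflowed limit, which is worth stating in a comment since the parameter's type is not visible here. retrieve_ptr_limit now returns `-ERANGE` as well as `-EINVAL`, and its signature and callers lie outside the hunk, so confirm that every caller rejects the program on any non-zero return rather than testing for one specific code.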