--- /dev/null
+From bbeb6e4323dad9b5e0ee9f60c223dd532e2403b1 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 10 Jan 2018 23:25:05 +0100
+Subject: bpf, array: fix overflow in max_entries and undefined behavior in index_mask
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit bbeb6e4323dad9b5e0ee9f60c223dd532e2403b1 upstream.
+
+syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
+and thus unprivileged. With the recently added logic in b2157399cc98
+("bpf: prevent out-of-bounds speculation") we round this up to the next
+power of two value for max_entries for unprivileged such that we can
+apply proper masking into potentially zeroed out map slots.
+
+However, this will generate an index_mask of 0xffffffff, and therefore
+a + 1 will let this overflow into new max_entries of 0. This will pass
+allocation, etc, and later on map access we still enforce on the original
+attr->max_entries value which was 0xfffffffd, therefore triggering GPF
+all over the place. Thus bail out on overflow in such case.
+
+Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
+since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
+space is undefined. Therefore, do this by hand in a 64 bit variable.
+
+This fixes all the issues triggered by syzkaller's reproducers.
+
+Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
+Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
+Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
+Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
+Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
+Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Cc: Jiri Slaby <jslaby@suse.cz>
+Cc: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/arraymap.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/kernel/bpf/arraymap.c
++++ b/kernel/bpf/arraymap.c
+@@ -53,7 +53,7 @@ static struct bpf_map *array_map_alloc(u
+ u32 elem_size, index_mask, max_entries;
+ bool unpriv = !capable(CAP_SYS_ADMIN);
+ struct bpf_array *array;
+- u64 array_size;
++ u64 array_size, mask64;
+
+ /* check sanity of attributes */
+ if (attr->max_entries == 0 || attr->key_size != 4 ||
+@@ -70,13 +70,25 @@ static struct bpf_map *array_map_alloc(u
+ elem_size = round_up(attr->value_size, 8);
+
+ max_entries = attr->max_entries;
+- index_mask = roundup_pow_of_two(max_entries) - 1;
+
+- if (unpriv)
++ /* On 32 bit archs roundup_pow_of_two() with max_entries that has
++ * upper most bit set in u32 space is undefined behavior due to
++ * resulting 1U << 32, so do it manually here in u64 space.
++ */
++ mask64 = fls_long(max_entries - 1);
++ mask64 = 1ULL << mask64;
++ mask64 -= 1;
++
++ index_mask = mask64;
++ if (unpriv) {
+ /* round up array size to nearest power of 2,
+ * since cpu will speculate within index_mask limits
+ */
+ max_entries = index_mask + 1;
++ /* Check for overflows. */
++ if (max_entries < attr->max_entries)
++ return ERR_PTR(-E2BIG);
++ }
+
+ array_size = sizeof(*array);
+ if (percpu)
--- /dev/null
+From 7891a87efc7116590eaba57acc3c422487802c6f Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 10 Jan 2018 20:04:37 +0100
+Subject: bpf: arsh is not supported in 32 bit alu thus reject it
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 7891a87efc7116590eaba57acc3c422487802c6f upstream.
+
+The following snippet was throwing an 'unknown opcode cc' warning
+in BPF interpreter:
+
+ 0: (18) r0 = 0x0
+ 2: (7b) *(u64 *)(r10 -16) = r0
+ 3: (cc) (u32) r0 s>>= (u32) r0
+ 4: (95) exit
+
+Although a number of JITs do support BPF_ALU | BPF_ARSH | BPF_{K,X}
+generation, not all of them do and interpreter does neither. We can
+leave existing ones and implement it later in bpf-next for the
+remaining ones, but reject this properly in verifier for the time
+being.
+
+Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
+Reported-by: syzbot+93c4904c5c70348a6890@syzkaller.appspotmail.com
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/verifier.c | 5 +++
+ tools/testing/selftests/bpf/test_verifier.c | 40 ++++++++++++++++++++++++++++
+ 2 files changed, 45 insertions(+)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2493,6 +2493,11 @@ static int check_alu_op(struct bpf_verif
+ return -EINVAL;
+ }
+
++ if (opcode == BPF_ARSH && BPF_CLASS(insn->code) != BPF_ALU64) {
++ verbose("BPF_ARSH not supported for 32 bit ALU\n");
++ return -EINVAL;
++ }
++
+ if ((opcode == BPF_LSH || opcode == BPF_RSH ||
+ opcode == BPF_ARSH) && BPF_SRC(insn->code) == BPF_K) {
+ int size = BPF_CLASS(insn->code) == BPF_ALU64 ? 64 : 32;
+--- a/tools/testing/selftests/bpf/test_verifier.c
++++ b/tools/testing/selftests/bpf/test_verifier.c
+@@ -273,6 +273,46 @@ static struct bpf_test tests[] = {
+ .result = REJECT,
+ },
+ {
++ "arsh32 on imm",
++ .insns = {
++ BPF_MOV64_IMM(BPF_REG_0, 1),
++ BPF_ALU32_IMM(BPF_ARSH, BPF_REG_0, 5),
++ BPF_EXIT_INSN(),
++ },
++ .result = REJECT,
++ .errstr = "BPF_ARSH not supported for 32 bit ALU",
++ },
++ {
++ "arsh32 on reg",
++ .insns = {
++ BPF_MOV64_IMM(BPF_REG_0, 1),
++ BPF_MOV64_IMM(BPF_REG_1, 5),
++ BPF_ALU32_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
++ BPF_EXIT_INSN(),
++ },
++ .result = REJECT,
++ .errstr = "BPF_ARSH not supported for 32 bit ALU",
++ },
++ {
++ "arsh64 on imm",
++ .insns = {
++ BPF_MOV64_IMM(BPF_REG_0, 1),
++ BPF_ALU64_IMM(BPF_ARSH, BPF_REG_0, 5),
++ BPF_EXIT_INSN(),
++ },
++ .result = ACCEPT,
++ },
++ {
++ "arsh64 on reg",
++ .insns = {
++ BPF_MOV64_IMM(BPF_REG_0, 1),
++ BPF_MOV64_IMM(BPF_REG_1, 5),
++ BPF_ALU64_REG(BPF_ARSH, BPF_REG_0, BPF_REG_1),
++ BPF_EXIT_INSN(),
++ },
++ .result = ACCEPT,
++ },
++ {
+ "no bpf_exit",
+ .insns = {
+ BPF_ALU64_REG(BPF_MOV, BPF_REG_0, BPF_REG_2),
projects / thirdparty / kernel / stable-queue.git / commitdiff
