From: Greg Kroah-Hartman
Date: Fri, 14 Dec 2018 11:49:27 +0000 (+0100)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.10~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=05e3fe533f3caf21b12d6dbe49ff6d0ba5c3fa32;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
bpf-fix-off-by-one-error-in-adjust_subprog_starts.patch
---
diff --git a/queue-4.19/bpf-fix-off-by-one-error-in-adjust_subprog_starts.patch b/queue-4.19/bpf-fix-off-by-one-error-in-adjust_subprog_starts.patch
new file mode 100644
index 00000000000..294e4360246
--- /dev/null
+++ b/queue-4.19/bpf-fix-off-by-one-error-in-adjust_subprog_starts.patch
@@ -0,0 +1,65 @@
+From afd594240806acc138cf696c09f2f4829d55d02f Mon Sep 17 00:00:00 2001
+From: Edward Cree
+Date: Fri, 16 Nov 2018 12:00:07 +0000
+Subject: bpf: fix off-by-one error in adjust_subprog_starts
+
+From: Edward Cree
+
+commit afd594240806acc138cf696c09f2f4829d55d02f upstream.
+
+When patching in a new sequence for the first insn of a subprog, the start
+ of that subprog does not change (it's the first insn of the sequence), so
+ adjust_subprog_starts should check start <= off (rather than < off).
+Also added a test to test_verifier.c (it's essentially the syz reproducer).
+
+Fixes: cc8b0b92a169 ("bpf: introduce function calls (function boundaries)")
+Reported-by: syzbot+4fc427c7af994b0948be@syzkaller.appspotmail.com
+Signed-off-by: Edward Cree
+Acked-by: Yonghong Song
+Signed-off-by: Alexei Starovoitov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/bpf/verifier.c | 2 +-
+ tools/testing/selftests/bpf/test_verifier.c | 19 +++++++++++++++++++
+ 2 files changed, 20 insertions(+), 1 deletion(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5283,7 +5283,7 @@ static void adjust_subprog_starts(struct
+ return;
+ /* NOTE: fake 'exit' subprog should be updated as well. */
+ for (i = 0; i <= env->subprog_cnt; i++) {
+- if (env->subprog_info[i].start < off)
++ if (env->subprog_info[i].start <= off)
+ continue;
+ env->subprog_info[i].start += len - 1;
+ }
+--- a/tools/testing/selftests/bpf/test_verifier.c
++++ b/tools/testing/selftests/bpf/test_verifier.c
+@@ -12511,6 +12511,25 @@ static struct bpf_test tests[] = {
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS,
+ .result = ACCEPT,
+ },
++ {
++ "calls: ctx read at start of subprog",
++ .insns = {
++ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1),
++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 5),
++ BPF_JMP_REG(BPF_JSGT, BPF_REG_0, BPF_REG_0, 0),
++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_6),
++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 2),
++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_B, BPF_REG_9, BPF_REG_1, 0),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_SOCKET_FILTER,
++ .errstr_unpriv = "function calls to other bpf functions are allowed for root only",
++ .result_unpriv = REJECT,
++ .result = ACCEPT,
++ },
+ };
+
+ static int probe_filter_length(const struct bpf_insn *fp)
diff --git a/queue-4.19/series b/queue-4.19/series
index 2036e930f24..783c176e5f2 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -139,3 +139,4 @@ alsa-hda-realtek-enable-audio-jacks-of-asus-ux533fd-with-alc294.patch
 alsa-hda-realtek-enable-audio-jacks-of-asus-ux433fn-ux333fa-with-alc294.patch
 alsa-hda-realtek-fix-the-mute-led-regresion-on-lenovo-x1-carbon.patch
 ib-hfi1-fix-an-out-of-bounds-access-in-get_hw_stats.patch
+bpf-fix-off-by-one-error-in-adjust_subprog_starts.patch
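Review bot: The corrected condition `start <= off` in the kernel/bpf/verifier.c hunk of the added patch relies on an invariant the code never states: the patched-in sequence begins at `off`, so a subprog whose first insn sits at `off` keeps its start and only subprogs beginning strictly after `off` move by `len - 1`. Since this boundary is exactly what the original `<` got wrong, a comment above the `continue`, e.g. `/* a subprog starting at off keeps its start: the new sequence begins at off */`, would guard against reintroducing the off-by-one in later backports. The enclosing adjust_subprog_starts starts before the inner hunk, so the condition guarding the early `return;` (presumably the case that would make `len - 1` zero) is not visible here and should be confirmed to still hold in the 4.19 tree. The added selftest in the second inner hunk names the case ("ctx read at start of subprog"); nothing further to raise there.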