From: Greg Kroah-Hartman Date: Mon, 29 Apr 2019 13:09:22 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.9.172~24 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e290414cc7b1489de8363ca9367a06cd3d89b89;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bpf-reject-wrong-sized-filters-earlier.patch
---
diff --git a/queue-4.4/bpf-reject-wrong-sized-filters-earlier.patch b/queue-4.4/bpf-reject-wrong-sized-filters-earlier.patch
new file mode 100644
index 00000000000..a5d48b2d33a
--- /dev/null
+++ b/queue-4.4/bpf-reject-wrong-sized-filters-earlier.patch
@@ -0,0 +1,94 @@
+From f7bd9e36ee4a4ce38e1cddd7effe6c0d9943285b Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Fri, 10 Jun 2016 21:19:07 +0200
+Subject: bpf: reject wrong sized filters earlier
+
+From: Daniel Borkmann
+
+commit f7bd9e36ee4a4ce38e1cddd7effe6c0d9943285b upstream.
+
+Add a bpf_check_basics_ok() and reject filters that are of invalid
+size much earlier, so we don't do any useless work such as invoking
+bpf_prog_alloc(). Currently, rejection happens in bpf_check_classic()
+only, but it's really unnecessarily late and they should be rejected
+at earliest point. While at it, also clean up one bpf_prog_size() to
+make it consistent with the remaining invocations.
+
+Signed-off-by: Daniel Borkmann
+Acked-by: Alexei Starovoitov
+Signed-off-by: David S. Miller
+Signed-off-by: Zubin Mithra
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/filter.c | 23 +++++++++++++++--------
+ 1 file changed, 15 insertions(+), 8 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -742,6 +742,17 @@ static bool chk_code_allowed(u16 code_to
+ return codes[code_to_probe];
+ }
+
++static bool bpf_check_basics_ok(const struct sock_filter *filter,
++ unsigned int flen)
++{
++ if (filter == NULL)
++ return false;
++ if (flen == 0 || flen > BPF_MAXINSNS)
++ return false;
++
++ return true;
++}
++
+ /**
+ * bpf_check_classic - verify socket filter code
+ * @filter: filter to verify
+@@ -762,9 +773,6 @@ static int bpf_check_classic(const struc
+ bool anc_found;
+ int pc;
+
+- if (flen == 0 || flen > BPF_MAXINSNS)
+- return -EINVAL;
+-
+ /* Check the filter code now */
+ for (pc = 0; pc < flen; pc++) {
+ const struct sock_filter *ftest = &filter[pc];
+@@ -1057,7 +1065,7 @@ int bpf_prog_create(struct bpf_prog **pf
+ struct bpf_prog *fp;
+
+ /* Make sure new filter is there and in the right amounts. */
+- if (fprog->filter == NULL)
++ if (!bpf_check_basics_ok(fprog->filter, fprog->len))
+ return -EINVAL;
+
+ fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
+@@ -1104,7 +1112,7 @@ int bpf_prog_create_from_user(struct bpf
+ int err;
+
+ /* Make sure new filter is there and in the right amounts. */
+- if (fprog->filter == NULL)
++ if (!bpf_check_basics_ok(fprog->filter, fprog->len))
+ return -EINVAL;
+
+ fp = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
+@@ -1184,7 +1192,6 @@ int __sk_attach_filter(struct sock_fprog
+ bool locked)
+ {
+ unsigned int fsize = bpf_classic_proglen(fprog);
+- unsigned int bpf_fsize = bpf_prog_size(fprog->len);
+ struct bpf_prog *prog;
+ int err;
+
+@@ -1192,10 +1199,10 @@ int __sk_attach_filter(struct sock_fprog
+ return -EPERM;
+
+ /* Make sure new filter is there and in the right amounts. */
+- if (fprog->filter == NULL)
++ if (!bpf_check_basics_ok(fprog->filter, fprog->len))
+ return -EINVAL;
+
+- prog = bpf_prog_alloc(bpf_fsize, 0);
++ prog = bpf_prog_alloc(bpf_prog_size(fprog->len), 0);
+ if (!prog)
+ return -ENOMEM;
+
diff --git a/queue-4.4/series b/queue-4.4/series
index c5f6bcf2998..acdb2b3d1d7 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -70,3 +70,4 @@ nfs-forbid-setting-af_inet6-to-struct-sockaddr_in-sin_family.patch
 netfilter-ebtables-config_compat-drop-a-bogus-warn_on.patch
 tipc-check-bearer-name-with-right-length-in-tipc_nl_compat_bearer_enable.patch
 tipc-check-link-name-with-right-length-in-tipc_nl_compat_link_set.patch
+bpf-reject-wrong-sized-filters-earlier.patch
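Review bot: In the queued net/core/filter.c patch, bpf_check_classic() now trusts flen as given, because its own `flen == 0 || flen > BPF_MAXINSNS` rejection is removed while the `for (pc = 0; pc < flen; pc++)` walk over filter[] stays. The size guarantee therefore rests entirely on every caller passing through bpf_check_basics_ok() first. The hunks convert bpf_prog_create(), bpf_prog_create_from_user() and __sk_attach_filter(); whether the 4.4 tree has any other route into bpf_check_classic() is not visible here and should be confirmed before this is queued. A comment on the new helper would record the contract for later backports, e.g. `/* Must be called before bpf_prog_alloc() and bpf_check_classic(); the latter no longer validates flen itself. */`. The bodies of the three converted functions continue outside the hunks shown.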