From 862f42fcec7d91599e8279e4f095d13436feacd5 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 8 Apr 2021 20:43:10 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
bpf-x86-validate-computation-of-branch-displacements-for-x86-32.patch
bpf-x86-validate-computation-of-branch-displacements-for-x86-64.patch
---
 ...n-of-branch-displacements-for-x86-32.patch | 60 +++++++++++++++++++
 ...n-of-branch-displacements-for-x86-64.patch | 60 +++++++++++++++++++
 queue-4.19/series | 2 +
 3 files changed, 122 insertions(+)
 create mode 100644 queue-4.19/bpf-x86-validate-computation-of-branch-displacements-for-x86-32.patch
 create mode 100644 queue-4.19/bpf-x86-validate-computation-of-branch-displacements-for-x86-64.patch
diff --git a/queue-4.19/bpf-x86-validate-computation-of-branch-displacements-for-x86-32.patch b/queue-4.19/bpf-x86-validate-computation-of-branch-displacements-for-x86-32.patch
new file mode 100644
index 00000000000..a6721a67940
--- /dev/null
+++ b/queue-4.19/bpf-x86-validate-computation-of-branch-displacements-for-x86-32.patch
@@ -0,0 +1,60 @@
+From 26f55a59dc65ff77cd1c4b37991e26497fc68049 Mon Sep 17 00:00:00 2001
+From: Piotr Krysiuk
+Date: Tue, 6 Apr 2021 21:59:39 +0100
+Subject: bpf, x86: Validate computation of branch displacements for x86-32
+
+From: Piotr Krysiuk
+
+commit 26f55a59dc65ff77cd1c4b37991e26497fc68049 upstream.
+
+The branch displacement logic in the BPF JIT compilers for x86 assumes
+that, for any generated branch instruction, the distance cannot
+increase between optimization passes.
+
+But this assumption can be violated due to how the distances are
+computed. Specifically, whenever a backward branch is processed in
+do_jit(), the distance is computed by subtracting the positions in the
+machine code from different optimization passes. This is because part
+of addrs[] is already updated for the current optimization pass, before
+the branch instruction is visited.
+
+And so the optimizer can expand blocks of machine code in some cases.
+
+This can confuse the optimizer logic, where it assumes that a fixed
+point has been reached for all machine code blocks once the total
+program size stops changing. And then the JIT compiler can output
+abnormal machine code containing incorrect branch displacements.
+
+To mitigate this issue, we assert that a fixed point is reached while
+populating the output image. This rejects any problematic programs.
+The issue affects both x86-32 and x86-64. We mitigate separately to
+ease backporting.
+
+Signed-off-by: Piotr Krysiuk
+Reviewed-by: Daniel Borkmann
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/net/bpf_jit_comp32.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/net/bpf_jit_comp32.c
++++ b/arch/x86/net/bpf_jit_comp32.c
+@@ -2201,7 +2201,16 @@ notyet:
+ }
+
+ if (image) {
+- if (unlikely(proglen + ilen > oldproglen)) {
++ /*
++ * When populating the image, assert that:
++ *
++ * i) We do not write beyond the allocated space, and
++ * ii) addrs[i] did not change from the prior run, in order
++ * to validate assumptions made for computing branch
++ * displacements.
++ */
++ if (unlikely(proglen + ilen > oldproglen ||
++ proglen + ilen != addrs[i])) {
+ pr_err("bpf_jit: fatal error\n");
+ return -EFAULT;
+ }
diff --git a/queue-4.19/bpf-x86-validate-computation-of-branch-displacements-for-x86-64.patch b/queue-4.19/bpf-x86-validate-computation-of-branch-displacements-for-x86-64.patch
new file mode 100644
index 00000000000..90ae3fa91d4
--- /dev/null
+++ b/queue-4.19/bpf-x86-validate-computation-of-branch-displacements-for-x86-64.patch
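Review bot: The widened condition `if (unlikely(proglen + ilen > oldproglen || proglen + ilen != addrs[i]))` folds two different invariant violations — writing past the allocated image and a non-converged addrs[i] — into the single unchanged `pr_err("bpf_jit: fatal error\n")`, so an operator who sees this in the log cannot tell which check rejected the program or at which instruction. Logging the instruction index `i` and which of the two conditions fired (or splitting the two checks with distinct messages) would make a triggered fixed-point failure distinguishable from an overrun without changing what is rejected. The same applies to the x86-64 hunk in bpf_jit_comp.c below, which carries the identical condition and message. Since this is a stable backport of an upstream commit, the message text is presumably kept identical on purpose and any change belongs upstream first. The enclosing do_jit() loop begins and ends outside the hunk.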
@@ -0,0 +1,60 @@
+From e4d4d456436bfb2fe412ee2cd489f7658449b098 Mon Sep 17 00:00:00 2001
+From: Piotr Krysiuk
+Date: Mon, 5 Apr 2021 22:52:15 +0100
+Subject: bpf, x86: Validate computation of branch displacements for x86-64
+
+From: Piotr Krysiuk
+
+commit e4d4d456436bfb2fe412ee2cd489f7658449b098 upstream.
+
+The branch displacement logic in the BPF JIT compilers for x86 assumes
+that, for any generated branch instruction, the distance cannot
+increase between optimization passes.
+
+But this assumption can be violated due to how the distances are
+computed. Specifically, whenever a backward branch is processed in
+do_jit(), the distance is computed by subtracting the positions in the
+machine code from different optimization passes. This is because part
+of addrs[] is already updated for the current optimization pass, before
+the branch instruction is visited.
+
+And so the optimizer can expand blocks of machine code in some cases.
+
+This can confuse the optimizer logic, where it assumes that a fixed
+point has been reached for all machine code blocks once the total
+program size stops changing. And then the JIT compiler can output
+abnormal machine code containing incorrect branch displacements.
+
+To mitigate this issue, we assert that a fixed point is reached while
+populating the output image. This rejects any problematic programs.
+The issue affects both x86-32 and x86-64. We mitigate separately to
+ease backporting.
+
+Signed-off-by: Piotr Krysiuk
+Reviewed-by: Daniel Borkmann
+Signed-off-by: Daniel Borkmann
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/net/bpf_jit_comp.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -1019,7 +1019,16 @@ emit_jmp:
+ }
+
+ if (image) {
+- if (unlikely(proglen + ilen > oldproglen)) {
++ /*
++ * When populating the image, assert that:
++ *
++ * i) We do not write beyond the allocated space, and
++ * ii) addrs[i] did not change from the prior run, in order
++ * to validate assumptions made for computing branch
++ * displacements.
++ */
++ if (unlikely(proglen + ilen > oldproglen ||
++ proglen + ilen != addrs[i])) {
+ pr_err("bpf_jit: fatal error\n");
+ return -EFAULT;
+ }
diff --git a/queue-4.19/series b/queue-4.19/series
index 0a92c184d25..908cacb7a46 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -12,3 +12,5 @@ ia64-mca-allocate-early-mca-with-gfp_atomic.patch
 ia64-fix-format-strings-for-err_inject.patch
 cifs-revalidate-mapping-when-we-open-files-for-smb1-.patch
 cifs-silently-ignore-unknown-oplock-break-handle.patch
+bpf-x86-validate-computation-of-branch-displacements-for-x86-64.patch
+bpf-x86-validate-computation-of-branch-displacements-for-x86-32.patch
-- 
2.47.3