net: bpf: reject invalid shifts

commit 229394e8e62a4191d592842cf67e80c62a492937 upstream.

On ARM64, a BUG() is triggered in the eBPF JIT if a filter with a
constant shift that can't be encoded in the immediate field of the
UBFM/SBFM instructions is passed to the JIT.  Since these shifts
amounts, which are negative or >= regsize, are invalid, reject them in
the eBPF verifier and the classic BPF filter checker, for all
architectures.

Signed-off-by: Rabin Vincent <rabin@rab.in>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ luis: backported to 3.16:
  - drop changes to eBPF verifier, only added in 3.18 kernel
  - function rename: bpf_check_classic() -> sk_chk_filter() ]
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>

diff --git a/net/core/filter.c b/net/core/filter.c
index 3139f966a17811b003813198e91e9f48fc7d21fd..dfc5f31dc5a1853f8ee2584941de3677e8ab18fc 100644 (file)
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -1251,6 +1251,11 @@ int sk_chk_filter(struct sock_filter *filter, unsigned int flen)
                        if (ftest->k == 0)
                                return -EINVAL;
                        break;
+               case BPF_ALU | BPF_LSH | BPF_K:
+               case BPF_ALU | BPF_RSH | BPF_K:
+                       if (ftest->k >= 32)
+                               return -EINVAL;
+                       break;
                case BPF_LD | BPF_MEM:
                case BPF_LDX | BPF_MEM:
                case BPF_ST: