--- /dev/null
+From 049c4e13714ecbca567b4d5f6d563f05d431c80e Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Mon, 10 May 2021 13:10:44 +0000
+Subject: bpf: Fix alu32 const subreg bound tracking on bitwise operations
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit 049c4e13714ecbca567b4d5f6d563f05d431c80e upstream.
+
+Fix a bug in the verifier's scalar32_min_max_*() functions which leads to
+incorrect tracking of 32 bit bounds for the simulation of and/or/xor bitops.
+When both the src & dst subreg is a known constant, then the assumption is
+that scalar_min_max_*() will take care to update bounds correctly. However,
+this is not the case, for example, consider a register R2 which has a tnum
+of 0xffffffff00000000, meaning, lower 32 bits are known constant and in this
+case of value 0x00000001. R2 is then and'ed with a register R3 which is a
+64 bit known constant, here, 0x100000002.
+
+What can be seen in line '10:' is that 32 bit bounds reach an invalid state
+where {u,s}32_min_value > {u,s}32_max_value. The reason is scalar32_min_max_*()
+delegates 32 bit bounds updates to scalar_min_max_*(), however, that really
+only takes place when both the 64 bit src & dst register is a known constant.
+Given scalar32_min_max_*() is intended to be designed as closely as possible
+to scalar_min_max_*(), update the 32 bit bounds in this situation through
+__mark_reg32_known() which will set all {u,s}32_{min,max}_value to the correct
+constant, which is 0x00000000 after the fix (given 0x00000001 & 0x00000002 in
+32 bit space). This is possible given var32_off already holds the final value
+as dst_reg->var_off is updated before calling scalar32_min_max_*().
+
+Before fix, invalid tracking of R2:
+
+ [...]
+ 9: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=-9223372036854775807 (0x8000000000000001),smax_value=9223372032559808513 (0x7fffffff00000001),umin_value=1,umax_value=0xffffffff00000001,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_min_value=1,u32_max_value=1) R3_w=inv4294967298 R10=fp0
+ 9: (5f) r2 &= r3
+ 10: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=0,smax_value=4294967296 (0x100000000),umin_value=0,umax_value=0x100000000,var_off=(0x0; 0x100000000),s32_min_value=1,s32_max_value=0,u32_min_value=1,u32_max_value=0) R3_w=inv4294967298 R10=fp0
+ [...]
+
+After fix, correct tracking of R2:
+
+ [...]
+ 9: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=-9223372036854775807 (0x8000000000000001),smax_value=9223372032559808513 (0x7fffffff00000001),umin_value=1,umax_value=0xffffffff00000001,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_min_value=1,u32_max_value=1) R3_w=inv4294967298 R10=fp0
+ 9: (5f) r2 &= r3
+ 10: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=0,smax_value=4294967296 (0x100000000),umin_value=0,umax_value=0x100000000,var_off=(0x0; 0x100000000),s32_min_value=0,s32_max_value=0,u32_min_value=0,u32_max_value=0) R3_w=inv4294967298 R10=fp0
+ [...]
+
+Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")
+Fixes: 2921c90d4718 ("bpf: Fix a verifier failure with xor")
+Reported-by: Manfred Paul (@_manfp)
+Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 22 +++++++++-------------
+ 1 file changed, 9 insertions(+), 13 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -6341,11 +6341,10 @@ static void scalar32_min_max_and(struct
+ s32 smin_val = src_reg->s32_min_value;
+ u32 umax_val = src_reg->u32_max_value;
+
+- /* Assuming scalar64_min_max_and will be called so its safe
+- * to skip updating register for known 32-bit case.
+- */
+- if (src_known && dst_known)
++ if (src_known && dst_known) {
++ __mark_reg32_known(dst_reg, var32_off.value);
+ return;
++ }
+
+ /* We get our minimum from the var_off, since that's inherently
+ * bitwise. Our maximum is the minimum of the operands' maxima.
+@@ -6365,7 +6364,6 @@ static void scalar32_min_max_and(struct
+ dst_reg->s32_min_value = dst_reg->u32_min_value;
+ dst_reg->s32_max_value = dst_reg->u32_max_value;
+ }
+-
+ }
+
+ static void scalar_min_max_and(struct bpf_reg_state *dst_reg,
+@@ -6412,11 +6410,10 @@ static void scalar32_min_max_or(struct b
+ s32 smin_val = src_reg->s32_min_value;
+ u32 umin_val = src_reg->u32_min_value;
+
+- /* Assuming scalar64_min_max_or will be called so it is safe
+- * to skip updating register for known case.
+- */
+- if (src_known && dst_known)
++ if (src_known && dst_known) {
++ __mark_reg32_known(dst_reg, var32_off.value);
+ return;
++ }
+
+ /* We get our maximum from the var_off, and our minimum is the
+ * maximum of the operands' minima
+@@ -6481,11 +6478,10 @@ static void scalar32_min_max_xor(struct
+ struct tnum var32_off = tnum_subreg(dst_reg->var_off);
+ s32 smin_val = src_reg->s32_min_value;
+
+- /* Assuming scalar64_min_max_xor will be called so it is safe
+- * to skip updating register for known case.
+- */
+- if (src_known && dst_known)
++ if (src_known && dst_known) {
++ __mark_reg32_known(dst_reg, var32_off.value);
+ return;
++ }
+
+ /* We get both minimum and maximum from the var32_off. */
+ dst_reg->u32_min_value = var32_off.value;
--- /dev/null
+From 04ea3086c4d73da7009de1e84962a904139af219 Mon Sep 17 00:00:00 2001
+From: Andrii Nakryiko <andrii@kernel.org>
+Date: Tue, 4 May 2021 16:38:00 -0700
+Subject: bpf: Prevent writable memory-mapping of read-only ringbuf pages
+
+From: Andrii Nakryiko <andrii@kernel.org>
+
+commit 04ea3086c4d73da7009de1e84962a904139af219 upstream.
+
+Only the very first page of BPF ringbuf that contains consumer position
+counter is supposed to be mapped as writeable by user-space. Producer
+position is read-only and can be modified only by the kernel code. BPF ringbuf
+data pages are read-only as well and are not meant to be modified by
+user-code to maintain integrity of per-record headers.
+
+This patch allows to map only consumer position page as writeable and
+everything else is restricted to be read-only. remap_vmalloc_range()
+internally adds VM_DONTEXPAND, so all the established memory mappings can't be
+extended, which prevents any future violations through mremap()'ing.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Reported-by: Ryota Shiga (Flatt Security)
+Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/ringbuf.c | 21 ++++++++-------------
+ 1 file changed, 8 insertions(+), 13 deletions(-)
+
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -240,25 +240,20 @@ static int ringbuf_map_get_next_key(stru
+ return -ENOTSUPP;
+ }
+
+-static size_t bpf_ringbuf_mmap_page_cnt(const struct bpf_ringbuf *rb)
+-{
+- size_t data_pages = (rb->mask + 1) >> PAGE_SHIFT;
+-
+- /* consumer page + producer page + 2 x data pages */
+- return RINGBUF_POS_PAGES + 2 * data_pages;
+-}
+-
+ static int ringbuf_map_mmap(struct bpf_map *map, struct vm_area_struct *vma)
+ {
+ struct bpf_ringbuf_map *rb_map;
+- size_t mmap_sz;
+
+ rb_map = container_of(map, struct bpf_ringbuf_map, map);
+- mmap_sz = bpf_ringbuf_mmap_page_cnt(rb_map->rb) << PAGE_SHIFT;
+-
+- if (vma->vm_pgoff * PAGE_SIZE + (vma->vm_end - vma->vm_start) > mmap_sz)
+- return -EINVAL;
+
++ if (vma->vm_flags & VM_WRITE) {
++ /* allow writable mapping for the consumer_pos only */
++ if (vma->vm_pgoff != 0 || vma->vm_end - vma->vm_start != PAGE_SIZE)
++ return -EPERM;
++ } else {
++ vma->vm_flags &= ~VM_MAYWRITE;
++ }
++ /* remap_vmalloc_range() checks size and offset constraints */
+ return remap_vmalloc_range(vma, rb_map->rb,
+ vma->vm_pgoff + RINGBUF_PGOFF);
+ }
--- /dev/null
+From 4b81ccebaeee885ab1aa1438133f2991e3a2b6ea Mon Sep 17 00:00:00 2001
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Date: Tue, 27 Apr 2021 10:12:12 -0300
+Subject: bpf, ringbuf: Deny reserve of buffers larger than ringbuf
+
+From: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+
+commit 4b81ccebaeee885ab1aa1438133f2991e3a2b6ea upstream.
+
+A BPF program might try to reserve a buffer larger than the ringbuf size.
+If the consumer pointer is way ahead of the producer, that would be
+successfully reserved, allowing the BPF program to read or write out of
+the ringbuf allocated area.
+
+Reported-by: Ryota Shiga (Flatt Security)
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/ringbuf.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/kernel/bpf/ringbuf.c
++++ b/kernel/bpf/ringbuf.c
+@@ -334,6 +334,9 @@ static void *__bpf_ringbuf_reserve(struc
+ return NULL;
+
+ len = round_up(size + BPF_RINGBUF_HDR_SZ, 8);
++ if (len > rb->mask + 1)
++ return NULL;
++
+ cons_pos = smp_load_acquire(&rb->consumer_pos);
+
+ if (in_nmi()) {
projects / thirdparty / kernel / stable-queue.git / commitdiff
