From: Greg Kroah-Hartman Date: Fri, 29 Apr 2022 09:24:53 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.19.241~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7836c94f3c421a73764c4008d61d00d7ebd0c9b7;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch --- diff --git a/queue-5.15/selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch b/queue-5.15/selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch new file mode 100644 index 00000000000..a5c86881f5c --- /dev/null +++ b/queue-5.15/selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch @@ -0,0 +1,52 @@ +From 13c6a37d409db9abc9c0bfc6d0a2f07bf0fff60e Mon Sep 17 00:00:00 2001 +From: Kumar Kartikeya Dwivedi +Date: Sun, 20 Feb 2022 08:01:38 +0530 +Subject: selftests/bpf: Add test for reg2btf_ids out of bounds access + +From: Kumar Kartikeya Dwivedi + +commit 13c6a37d409db9abc9c0bfc6d0a2f07bf0fff60e upstream. + +This test tries to pass a PTR_TO_BTF_ID_OR_NULL to the release function, +which would trigger a out of bounds access without the fix in commit +45ce4b4f9009 ("bpf: Fix crash due to out of bounds access into reg2btf_ids.") +but after the fix, it should only index using base_type(reg->type), +which should be less than __BPF_REG_TYPE_MAX, and also not permit any +type flags to be set for the reg->type. + +Signed-off-by: Kumar Kartikeya Dwivedi +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/20220220023138.2224652-1-memxor@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/verifier/calls.c | 19 +++++++++++++++++++ + 1 file changed, 19 insertions(+) + +--- a/tools/testing/selftests/bpf/verifier/calls.c ++++ b/tools/testing/selftests/bpf/verifier/calls.c +@@ -108,6 +108,25 @@ + .errstr = "R0 min value is outside of the allowed memory range", + }, + { ++ "calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX", ++ .insns = { ++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), ++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8), ++ BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0), ++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0), ++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_0), ++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, ++ .result = REJECT, ++ .errstr = "arg#0 pointer type STRUCT prog_test_ref_kfunc must point", ++ .fixup_kfunc_btf_id = { ++ { "bpf_kfunc_call_test_acquire", 3 }, ++ { "bpf_kfunc_call_test_release", 5 }, ++ }, ++}, ++{ + "calls: overlapping caller/callee", + .insns = { + BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0), diff --git a/queue-5.15/series b/queue-5.15/series index 79a632b3ff5..82b6d7faf06 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -30,3 +30,4 @@ gfs2-fix-mmap-page-fault-deadlocks-for-direct-i-o.patch btrfs-fix-deadlock-due-to-page-faults-during-direct-io-reads-and-writes.patch btrfs-fallback-to-blocking-mode-when-doing-async-dio-over-multiple-extents.patch mm-gup-make-fault_in_safe_writeable-use-fixup_user_fault.patch +selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch