From 2d66e4e2b23785a189090a6affdb510ad65cd141 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 4 May 2021 13:36:15 +0200
Subject: [PATCH] 4.19-stable patches

added patches:
bpf-fix-masking-negation-logic-upon-negative-dst-register.patch
---
 ...ion-logic-upon-negative-dst-register.patch | 50 +++++++++++++++++++
 queue-4.19/series | 1 +
 2 files changed, 51 insertions(+)
 create mode 100644 queue-4.19/bpf-fix-masking-negation-logic-upon-negative-dst-register.patch

diff --git a/queue-4.19/bpf-fix-masking-negation-logic-upon-negative-dst-register.patch b/queue-4.19/bpf-fix-masking-negation-logic-upon-negative-dst-register.patch
new file mode 100644
index 00000000000..b3b348f9fd4
--- /dev/null
+++ b/queue-4.19/bpf-fix-masking-negation-logic-upon-negative-dst-register.patch
@@ -0,0 +1,50 @@
+From b9b34ddbe2076ade359cd5ce7537d5ed019e9807 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann
+Date: Fri, 30 Apr 2021 16:21:46 +0200
+Subject: bpf: Fix masking negation logic upon negative dst register
+
+From: Daniel Borkmann
+
+commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807 upstream.
+
+The negation logic for the case where the off_reg is sitting in the
+dst register is not correct given then we cannot just invert the add
+to a sub or vice versa. As a fix, perform the final bitwise and-op
+unconditionally into AX from the off_reg, then move the pointer from
+the src to dst and finally use AX as the source for the original
+pointer arithmetic operation such that the inversion yields a correct
+result. The single non-AX mov in between is possible given constant
+blinding is retaining it as it's not an immediate based operation.
+
+Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
+Signed-off-by: Daniel Borkmann
+Tested-by: Piotr Krysiuk
+Reviewed-by: Piotr Krysiuk
+Reviewed-by: John Fastabend
+Acked-by: Alexei Starovoitov
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/verifier.c | 12 ++++--------
+ 1 file changed, 4 insertions(+), 8 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -6099,14 +6099,10 @@ static int fixup_bpf_calls(struct bpf_ve
+ *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
+ *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
+ *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63);
+- if (issrc) {
+- *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX,
+- off_reg);
+- insn->src_reg = BPF_REG_AX;
+- } else {
+- *patch++ = BPF_ALU64_REG(BPF_AND, off_reg,
+- BPF_REG_AX);
+- }
++ *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg);
++ if (!issrc)
++ *patch++ = BPF_MOV64_REG(insn->dst_reg, insn->src_reg);
++ insn->src_reg = BPF_REG_AX;
+ if (isneg)
+ insn->code = insn->code == code_add ?
+ code_sub : code_add;
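Review bot: The register choreography in the new lines of the embedded verifier.c hunk (unconditional AND into AX, conditional MOV of the pointer into dst_reg, then src_reg = AX) is explained only in the commit message, not in the code, so a short comment above the AND would help the next reader, e.g. `/* AX = masked off_reg; if the ptr was in src, move it to dst so AX is the src operand of the (possibly inverted) ptr op */`. The `!issrc` path now emits two instructions (AND plus MOV) where it previously emitted one, so the backport should confirm that the instruction array `patch` writes into, declared outside this hunk, has room for the extra entry. Since the Fixes: line ties this to the out-of-bounds speculation mask on pointer arithmetic, the commit message's claim that the added MOV survives constant blinding is load-bearing for the mitigation and would be worth stating in that comment as well. The enclosing fixup_bpf_calls starts and ends outside the hunk, so the surrounding patch-count bookkeeping could not be checked here.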
diff --git a/queue-4.19/series b/queue-4.19/series
index c59604fd633..e2e26b2bf5d 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -4,3 +4,4 @@ acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
 net-usb-ax88179_178a-initialize-local-variables-before-use.patch
 iwlwifi-fix-softirq-hardirq-disabling-in-iwl_pcie_enqueue_hcmd.patch
 mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+bpf-fix-masking-negation-logic-upon-negative-dst-register.patch
-- 
2.47.3