From: Greg Kroah-Hartman Date: Wed, 27 Dec 2017 20:04:48 +0000 (+0100) Subject: 4.9-stable patches X-Git-Tag: v4.9.73~1 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=07bafe1743ccaa6090fdc6bd637508a6b6d7d8d7;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch --- diff --git a/queue-4.9/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch b/queue-4.9/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch new file mode 100644 index 00000000000..f8e7ce9a730 --- /dev/null +++ b/queue-4.9/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch 
@@ -0,0 +1,48 @@ +From ben@decadent.org.uk Wed Dec 27 21:04:06 2017 +From: Ben Hutchings +Date: Sat, 23 Dec 2017 02:26:17 +0000 +Subject: bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN +To: Greg Kroah-Hartman +Cc: stable@vger.kernel.org, netdev@vger.kernel.org, Edward Cree , Jann Horn , Alexei Starovoitov +Message-ID: <20171223022617.GO2971@decadent.org.uk> +Content-Disposition: inline + +From: Ben Hutchings + +An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless +pointer leaks are allowed. Therefore, states_equal() must not treat +a state with a pointer in a register as "equal" to a state with an +UNKNOWN_VALUE in that register. + +This was fixed differently upstream, but the code around here was +largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework +value tracking". The bug can be detected by the bpf/verifier sub-test +"pointer/scalar confusion in state equality check (way 1)". + +Signed-off-by: Ben Hutchings +Cc: Edward Cree +Cc: Jann Horn +Cc: Alexei Starovoitov +Cc: Daniel Borkmann + +--- + kernel/bpf/verifier.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2722,11 +2722,12 @@ static bool states_equal(struct bpf_veri + + /* If we didn't map access then again we don't care about the + * mismatched range values and it's ok if our old type was +- * UNKNOWN and we didn't go to a NOT_INIT'ed reg. ++ * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg. + */ + if (rold->type == NOT_INIT || + (!varlen_map_access && rold->type == UNKNOWN_VALUE && +- rcur->type != NOT_INIT)) ++ rcur->type != NOT_INIT && ++ !__is_pointer_value(env->allow_ptr_leaks, rcur))) + continue; + + /* Don't care about the reg->id in this case. */ diff --git a/queue-4.9/series b/queue-4.9/series index 583f46282f6..344af08f5a9 100644 --- a/queue-4.9/series +++ b/queue-4.9/series 
@@ -19,3 +19,4 @@ libnvdimm-pfn-fix-start_pad-handling-for-aligned-namespaces.patch net-mvneta-clear-interface-link-status-on-port-disable.patch net-mvneta-use-proper-rxq_number-in-loop-on-rx-queues.patch net-mvneta-eliminate-wrong-call-to-handle-rx-descriptor-error.patch +bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch
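Review bot: in the states_equal() hunk the rewritten comment ("UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg") is broader than the code below it, because the new condition `!__is_pointer_value(env->allow_ptr_leaks, rcur)` is gated on env->allow_ptr_leaks, so the pointer case is only excluded when pointer leaks are disallowed (unprivileged programs), exactly as the commit message's "unless pointer leaks are allowed" says. The comment should carry that qualifier, e.g. "NOT_INIT'ed reg, or a pointer reg when pointer leaks are disallowed", so a later reader does not assume privileged programs are affected too. A second documentation point: the message states "This was fixed differently upstream" but names only the f1174f77b50c rework; citing the upstream fix commit explicitly (and the test_verifier sub-test that exercises it, which the message already names) would let stable reviewers compare the two approaches and confirm the 4.9 variant covers the same case.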