Diffstat (limited to '0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch')
-rw-r--r-- | 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch b/0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch
new file mode 100644
index 000000000000..dc6a4832e92a
--- /dev/null
+++ b/0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch
@@ -0,0 +1,68 @@
+From 6f2896ad2981c70be7caf0e44e0adc25f76d9937 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente@leventepolyak.net>
+Date: Mon, 30 Mar 2020 20:42:07 +0200
+Subject: [PATCH] CVE-2020-8835: Revert "bpf: Provide better register bounds
+ after jmp32 instructions"
+
+This reverts commit b4de258dede528f88f401259aab3147fb6da1ddf which is a
+backport of 581738a681b6.
+
+Manfred Paul, as part of the ZDI pwn2own competition, demonstrated
+that a flaw existed in the bpf verifier for 32bit operations. This
+was introduced in commit:
+
+ 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")
+
+The result is that register bounds were improperly calculated,
+allowing out-of-bounds reads and writes to occur.
+---
+ kernel/bpf/verifier.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index b2817d0929b3..a0b76b360d6f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -979,17 +979,6 @@ static void __reg_bound_offset(struct bpf_reg_state *reg)
+ reg->umax_value));
+ }
+ 
+-static void __reg_bound_offset32(struct bpf_reg_state *reg)
+-{
+- u64 mask = 0xffffFFFF;
+- struct tnum range = tnum_range(reg->umin_value & mask,
+- reg->umax_value & mask);
+- struct tnum lo32 = tnum_cast(reg->var_off, 4);
+- struct tnum hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32);
+-
+- reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range));
+-}
+-
+ /* Reset the min/max bounds of a register */
+ static void __mark_reg_unbounded(struct bpf_reg_state *reg)
+ {
+@@ -5452,10 +5441,6 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
+ /* We might have learned some bits from the bounds. */
+ __reg_bound_offset(false_reg);
+ __reg_bound_offset(true_reg);
+- if (is_jmp32) {
+- __reg_bound_offset32(false_reg);
+- __reg_bound_offset32(true_reg);
+- }
+ /* Intersecting with the old var_off might have improved our bounds
+ * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
+ * then new var_off is (0; 0x7f...fc) which improves our umax.
+@@ -5565,10 +5550,6 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
+ /* We might have learned some bits from the bounds. */
+ __reg_bound_offset(false_reg);
+ __reg_bound_offset(true_reg);
+- if (is_jmp32) {
+- __reg_bound_offset32(false_reg);
+- __reg_bound_offset32(true_reg);
+- }
+ /* Intersecting with the old var_off might have improved our bounds
+ * slightly. e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
+ * then new var_off is (0; 0x7f...fc) which improves our umax.
+--
+2.26.0
+
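Review bot: The patch description names the broken commit (581738a681b6) and its backport (b4de258dede528f88f401259aab3147fb6da1ddf) but not the upstream fix for CVE-2020-8835, so nothing tells a later maintainer when this local revert can be dropped in favour of the fix once the stable branch carries it; add a line such as `Upstream fix: <upstream-fix-commit-id> ("<upstream-fix-subject>")` above the `---` separator. The embedded patch also carries no `Signed-off-by:` trailer, which the `From`/`Date`/`Subject` mail header format it uses normally expects. Functionally the change has the expected shape for this bug: removing `__reg_bound_offset32()` and its two `is_jmp32` call sites in `reg_set_min_max()` and `reg_set_min_max_inv()` leaves the 64-bit `__reg_bound_offset()` intersection in place, so the verifier loses the jmp32 tightening but can no longer derive bounds that are narrower than the real value range, which is the safe direction for a verifier. Both `reg_set_min_max()` and `reg_set_min_max_inv()` start and end outside the embedded hunks, so whether `is_jmp32` is still used elsewhere in those functions cannot be confirmed from this page.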