releases/4.9.72/bpf-reject-out-of-bounds-stack-pointer-calculation.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Fri Dec 22 16:57:35 CET 2017
 From: Daniel Borkmann <daniel@iogearbox.net>
 Date: Fri, 22 Dec 2017 16:29:04 +0100
 Subject: bpf: reject out-of-bounds stack pointer calculation
 To: gregkh@linuxfoundation.org
 Cc: ast@kernel.org, daniel@iogearbox.net, jannh@google.com, stable@vger.kernel.org
 Message-ID: <20171222152905.3455-4-daniel@iogearbox.net>

 From: Daniel Borkmann <daniel@iogearbox.net>


 From: Jann Horn <jannh@google.com>

 Reject programs that compute wildly out-of-bounds stack pointers.
 Otherwise, pointers can be computed with an offset that doesn't fit into an
 `int`, causing security issues in the stack memory access check (as well as
 signed integer overflow during offset addition).

 This is a fix specifically for the v4.9 stable tree because the mainline
 code looks very different at this point.

 Fixes: 7bca0a9702edf ("bpf: enhance verifier to understand stack pointer arithmetic")
 Signed-off-by: Jann Horn <jannh@google.com>
 Acked-by: Daniel Borkmann <daniel@iogearbox.net>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  kernel/bpf/verifier.c |   22 ++++++++++++++++++++--
  1 file changed, 20 insertions(+), 2 deletions(-)

 --- a/kernel/bpf/verifier.c
 +++ b/kernel/bpf/verifier.c
 @@ -1861,10 +1861,28 @@ static int check_alu_op(struct bpf_verif
  			   ((BPF_SRC(insn->code) == BPF_X &&
  			     regs[insn->src_reg].type == CONST_IMM) ||
  			    BPF_SRC(insn->code) == BPF_K)) {
 -			if (BPF_SRC(insn->code) == BPF_X)
 +			if (BPF_SRC(insn->code) == BPF_X) {
 +				/* check in case the register contains a big
 +				 * 64-bit value
 +				 */
 +				if (regs[insn->src_reg].imm < -MAX_BPF_STACK ||
 +				    regs[insn->src_reg].imm > MAX_BPF_STACK) {
 +					verbose("R%d value too big in R%d pointer arithmetic\n",
 +						insn->src_reg, insn->dst_reg);
 +					return -EACCES;
 +				}
  				dst_reg->imm += regs[insn->src_reg].imm;
 -			else
 +			} else {
 +				/* safe against overflow: addition of 32-bit
 +				 * numbers in 64-bit representation
 +				 */
  				dst_reg->imm += insn->imm;
 +			}
 +			if (dst_reg->imm > 0 || dst_reg->imm < -MAX_BPF_STACK) {
 +				verbose("R%d out-of-bounds pointer arithmetic\n",
 +					insn->dst_reg);
 +				return -EACCES;
 +			}
  			return 0;
  		} else if (opcode == BPF_ADD &&
  			   BPF_CLASS(insn->code) == BPF_ALU64 &&
	From foo@baz Fri Dec 22 16:57:35 CET 2017
	From: Daniel Borkmann <daniel@iogearbox.net>
	Date: Fri, 22 Dec 2017 16:29:04 +0100
	Subject: bpf: reject out-of-bounds stack pointer calculation
	To: gregkh@linuxfoundation.org
	Cc: ast@kernel.org, daniel@iogearbox.net, jannh@google.com, stable@vger.kernel.org
	Message-ID: <20171222152905.3455-4-daniel@iogearbox.net>

	From: Daniel Borkmann <daniel@iogearbox.net>


	From: Jann Horn <jannh@google.com>

	Reject programs that compute wildly out-of-bounds stack pointers.
	Otherwise, pointers can be computed with an offset that doesn't fit into an
	`int`, causing security issues in the stack memory access check (as well as
	signed integer overflow during offset addition).

	This is a fix specifically for the v4.9 stable tree because the mainline
	code looks very different at this point.

	Fixes: 7bca0a9702edf ("bpf: enhance verifier to understand stack pointer arithmetic")
	Signed-off-by: Jann Horn <jannh@google.com>
	Acked-by: Daniel Borkmann <daniel@iogearbox.net>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	kernel/bpf/verifier.c \| 22 ++++++++++++++++++++--
	1 file changed, 20 insertions(+), 2 deletions(-)

	--- a/kernel/bpf/verifier.c
	+++ b/kernel/bpf/verifier.c
	@@ -1861,10 +1861,28 @@ static int check_alu_op(struct bpf_verif
	((BPF_SRC(insn->code) == BPF_X &&
	regs[insn->src_reg].type == CONST_IMM) \|\|
	BPF_SRC(insn->code) == BPF_K)) {
	- if (BPF_SRC(insn->code) == BPF_X)
	+ if (BPF_SRC(insn->code) == BPF_X) {
	+ /* check in case the register contains a big
	+ * 64-bit value
	+ */
	+ if (regs[insn->src_reg].imm < -MAX_BPF_STACK \|\|
	+ regs[insn->src_reg].imm > MAX_BPF_STACK) {
	+ verbose("R%d value too big in R%d pointer arithmetic\n",
	+ insn->src_reg, insn->dst_reg);
	+ return -EACCES;
	+ }
	dst_reg->imm += regs[insn->src_reg].imm;
	- else
	+ } else {
	+ /* safe against overflow: addition of 32-bit
	+ * numbers in 64-bit representation
	+ */
	dst_reg->imm += insn->imm;
	+ }
	+ if (dst_reg->imm > 0 \|\| dst_reg->imm < -MAX_BPF_STACK) {
	+ verbose("R%d out-of-bounds pointer arithmetic\n",
	+ insn->dst_reg);
	+ return -EACCES;
	+ }
	return 0;
	} else if (opcode == BPF_ADD &&
	BPF_CLASS(insn->code) == BPF_ALU64 &&