| From foo@baz Fri Mar 9 14:15:30 PST 2018 |
| From: Daniel Borkmann <daniel@iogearbox.net> |
| Date: Thu, 8 Mar 2018 13:16:49 +0100 |
| Subject: bpf, ppc64: fix out of bounds access in tail call |
| To: gregkh@linuxfoundation.org |
| Cc: ast@kernel.org, daniel@iogearbox.net, stable@vger.kernel.org |
| Message-ID: <b1f767c847d0fdc55743d3c45f9bf65341ec3b0c.1520507630.git.daniel@iogearbox.net> |
| |
| From: Daniel Borkmann <daniel@iogearbox.net> |
| |
| [ upstream commit d269176e766c71c998cb75b4ea8cbc321cc0019d ] |
| |
| While working on 16338a9b3ac3 ("bpf, arm64: fix out of bounds access in |
| tail call") I noticed that the ppc64 JIT is partially affected as well. While |
| the bound checking is correctly performed as an unsigned comparison, the |
| register with the index value, however, is never truncated into 32 bit |
| space, so e.g. an index value of 0x100000000ULL with a map of 1 element |
| would pass with PPC_CMPLW() whereas we later on continue with the full |
| 64 bit register value. Therefore, as we do in the interpreter and other JITs, |
| truncate the value to 32 bit initially in order to fix the access. |
| |
| Fixes: ce0761419fae ("powerpc/bpf: Implement support for tail calls") |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Reviewed-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com> |
| Tested-by: Naveen N. Rao <naveen.n.rao@linux.vnet.ibm.com> |
| Signed-off-by: Alexei Starovoitov <ast@kernel.org> |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| arch/powerpc/net/bpf_jit_comp64.c | 1 + |
| 1 file changed, 1 insertion(+) |
| |
| --- a/arch/powerpc/net/bpf_jit_comp64.c |
| +++ b/arch/powerpc/net/bpf_jit_comp64.c |
| @@ -242,6 +242,7 @@ static void bpf_jit_emit_tail_call(u32 * |
| * goto out; |
| */ |
| PPC_LWZ(b2p[TMP_REG_1], b2p_bpf_array, offsetof(struct bpf_array, map.max_entries)); |
| + PPC_RLWINM(b2p_index, b2p_index, 0, 0, 31); |
| PPC_CMPLW(b2p_index, b2p[TMP_REG_1]); |
| PPC_BCC(COND_GE, out); |
| |
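Review bot: the added PPC_RLWINM(b2p_index, b2p_index, 0, 0, 31) deserves a comment in the hunk, since nothing nearby explains why a rotate-and-mask appears right before the compare; something like `/* index is a u32 in BPF, clear the upper 32 bits before the bound check */` would record that PPC_CMPLW only compares the low word while the later index use sees the whole 64-bit register. Masking in place on b2p_index is the right choice here, because it keeps the value checked by PPC_CMPLW identical to the value that is subsequently used to address the array.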