1 files changed, 83 insertions, 0 deletions

diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch
new file mode 100644
index 00000000..ef530214
--- /dev/null
+++ b/common/recipes-kernel/linux/linux-yocto-4.9.21/0046-bpf-array-fix-overflow-in-max_entries-and-undefined-.patch
@@ -0,0 +1,83 @@
+From 5583fb3990982a52cfdcc0d1bb0cc991bee429b6 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 10 Jan 2018 23:25:05 +0100
+Subject: [PATCH 046/103] bpf, array: fix overflow in max_entries and undefined
+ behavior in index_mask
+
+commit bbeb6e4323dad9b5e0ee9f60c223dd532e2403b1 upstream.
+
+syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
+and thus unprivileged. With the recently added logic in b2157399cc98
+("bpf: prevent out-of-bounds speculation") we round this up to the next
+power of two value for max_entries for unprivileged such that we can
+apply proper masking into potentially zeroed out map slots.
+
+However, this will generate an index_mask of 0xffffffff, and therefore
+a + 1 will let this overflow into new max_entries of 0. This will pass
+allocation, etc, and later on map access we still enforce on the original
+attr->max_entries value which was 0xfffffffd, therefore triggering GPF
+all over the place. Thus bail out on overflow in such case.
+
+Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
+since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
+space is undefined. Therefore, do this by hand in a 64 bit variable.
+
+This fixes all the issues triggered by syzkaller's reproducers.
+
+Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
+Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
+Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
+Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
+Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
+Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/arraymap.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/arraymap.c b/kernel/bpf/arraymap.c
+index eeb7f1b..c6c0b62 100644
+--- a/kernel/bpf/arraymap.c
++++ b/kernel/bpf/arraymap.c
+@@ -50,7 +50,7 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
+ 	u32 elem_size, index_mask, max_entries;
+ 	bool unpriv = !capable(CAP_SYS_ADMIN);
+ 	struct bpf_array *array;
+-	u64 array_size;
++	u64 array_size, mask64;
+ 
+ 	/* check sanity of attributes */
+ 	if (attr->max_entries == 0 || attr->key_size != 4 ||
+@@ -66,13 +66,25 @@ static struct bpf_map *array_map_alloc(union bpf_attr *attr)
+ 	elem_size = round_up(attr->value_size, 8);
+ 
+ 	max_entries = attr->max_entries;
+-	index_mask = roundup_pow_of_two(max_entries) - 1;
+ 
+-	if (unpriv)
++	/* On 32 bit archs roundup_pow_of_two() with max_entries that has
++	 * upper most bit set in u32 space is undefined behavior due to
++	 * resulting 1U << 32, so do it manually here in u64 space.
++	 */
++	mask64 = fls_long(max_entries - 1);
++	mask64 = 1ULL << mask64;
++	mask64 -= 1;
++
++	index_mask = mask64;
++	if (unpriv) {
+ 		/* round up array size to nearest power of 2,
+ 		 * since cpu will speculate within index_mask limits
+ 		 */
+ 		max_entries = index_mask + 1;
++		/* Check for overflows. */
++		if (max_entries < attr->max_entries)
++			return ERR_PTR(-E2BIG);
++	}
+ 
+ 	array_size = sizeof(*array);
+ 	if (percpu)
+-- 
+2.7.4
+