Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-reject-stores-into-ctx-via-st-and-xadd.patch')
-rw-r--r-- | common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-reject-stores-into-ctx-via-st-and-xadd.patch | 72 |
1 files changed, 72 insertions, 0 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-reject-stores-into-ctx-via-st-and-xadd.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-reject-stores-into-ctx-via-st-and-xadd.patch
new file mode 100644
index 00000000..0d68c397
--- /dev/null
+++ b/common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-reject-stores-into-ctx-via-st-and-xadd.patch
@@ -0,0 +1,72 @@
+From d78127ea6fb5f14cf2e3c1fa97ce60f2851703d7 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Mon, 29 Jan 2018 02:49:01 +0100
+Subject: [PATCH 102/102] bpf: reject stores into ctx via st and xadd
+
+[ upstream commit f37a8cb84cce18762e8f86a70bd6a49a66ab964c ]
+
+Alexei found that verifier does not reject stores into context
+via BPF_ST instead of BPF_STX. And while looking at it, we
+also should not allow XADD variant of BPF_STX.
+
+The context rewriter is only assuming either BPF_LDX_MEM- or
+BPF_STX_MEM-type operations, thus reject anything other than
+that so that assumptions in the rewriter properly hold. Add
+test cases as well for BPF selftests.
+
+Fixes: d691f9e8d440 ("bpf: allow programs to write to certain skb fields")
+Reported-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 4e9ad02..9f9bad8 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -691,6 +691,13 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
+ return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]);
+ }
+
++static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
++{
++ const struct bpf_reg_state *reg = &env->cur_state.regs[regno];
++
++ return reg->type == PTR_TO_CTX;
++}
++
+ static int check_ptr_alignment(struct bpf_verifier_env *env,
+ struct bpf_reg_state *reg, int off, int size)
+ {
+@@ -885,6 +892,12 @@ static int check_xadd(struct bpf_verifier_env *env, struct bpf_insn *insn)
+ return -EACCES;
+ }
+
++ if (is_ctx_reg(env, insn->dst_reg)) {
++ verbose("BPF_XADD stores into R%d context is not allowed\n",
++ insn->dst_reg);
++ return -EACCES;
++ }
++
+ /* 
check whether atomic_add can read the memory */
+ err = check_mem_access(env, insn->dst_reg, insn->off,
+ BPF_SIZE(insn->code), BPF_READ, -1);
+@@ -2879,6 +2892,12 @@ static int do_check(struct bpf_verifier_env *env)
+ if (err)
+ return err;
+
++ if (is_ctx_reg(env, insn->dst_reg)) {
++ verbose("BPF_ST stores into R%d context is not allowed\n",
++ insn->dst_reg);
++ return -EACCES;
++ }
++
+ /* check that memory (dst_reg + off) is writeable */
+ err = check_mem_access(env, insn->dst_reg, insn->off,
+ BPF_SIZE(insn->code), BPF_WRITE,
+--
+2.7.4
+ |
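Review bot: The backport drops the selftests its own message promises — the embedded diffstat reads `1 file changed, 19 insertions(+)` for kernel/bpf/verifier.c alone, while the description says "Add test cases as well for BPF selftests" — so the two new rejections (BPF_XADD on a PTR_TO_CTX dst_reg in check_xadd, BPF_ST on one in do_check) land in the 4.9.21 tree with no accompanying test_verifier cases. Either carry the selftest hunk of the upstream commit into this patch file, or add a line under the `[ upstream commit ... ]` marker such as `[ backport note: selftest changes not carried; verifier.c only ]` so the omission is deliberate and visible to the next person rebasing the series. From what is quoted the placement looks sound: both checks sit after an `if (err) return err;` that presumably follows the dst_reg check_reg_arg, so `reg->type` is only read for an initialised register, but check_xadd and do_check both start and end outside the quoted hunks and that ordering is inferred rather than visible here.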