Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0103-bpf-reject-stores-into-ctx-via-st-and-xadd.patch')
-rw-r--r-- | common/recipes-kernel/linux/linux-yocto-4.9.21/0103-bpf-reject-stores-into-ctx-via-st-and-xadd.patch | 72 |
1 files changed, 0 insertions, 72 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0103-bpf-reject-stores-into-ctx-via-st-and-xadd.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0103-bpf-reject-stores-into-ctx-via-st-and-xadd.patch
deleted file mode 100644
index b5f74b5c..00000000
--- a/common/recipes-kernel/linux/linux-yocto-4.9.21/0103-bpf-reject-stores-into-ctx-via-st-and-xadd.patch
+++ /dev/null
@@ -1,72 +0,0 @@
-From a17dcc431d2b2a6fcba9666df94abc5a1e14d1be Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann <daniel@iogearbox.net>
-Date: Mon, 29 Jan 2018 02:49:01 +0100
-Subject: [PATCH 103/103] bpf: reject stores into ctx via st and xadd
-
-[ upstream commit f37a8cb84cce18762e8f86a70bd6a49a66ab964c ]
-
-Alexei found that verifier does not reject stores into context
-via BPF_ST instead of BPF_STX. And while looking at it, we
-also should not allow XADD variant of BPF_STX.
-
-The context rewriter is only assuming either BPF_LDX_MEM- or
-BPF_STX_MEM-type operations, thus reject anything other than
-that so that assumptions in the rewriter properly hold. Add
-test cases as well for BPF selftests.
-
-Fixes: d691f9e8d440 ("bpf: allow programs to write to certain skb fields")
-Reported-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
----
- kernel/bpf/verifier.c | 19 +++++++++++++++++++
- 1 file changed, 19 insertions(+)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 2dce3aa..a58bb9e 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -691,6 +691,13 @@ static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
- return __is_pointer_value(env->allow_ptr_leaks, &env->cur_state.regs[regno]);
- }
-
-+static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
-+{
-+ const struct bpf_reg_state *reg = &env->cur_state.regs[regno];
-+
-+ return reg->type == PTR_TO_CTX;
-+}
-+
- static int check_ptr_alignment(struct bpf_verifier_env *env,
- struct bpf_reg_state *reg, int off, int size)
- {
-@@ -885,6 +892,12 @@ static int check_xadd(struct bpf_verifier_env *env, struct bpf_insn *insn)
- return -EACCES;
- }
-
-+ if (is_ctx_reg(env, insn->dst_reg)) {
-+ verbose("BPF_XADD stores into R%d context is not allowed\n",
-+ insn->dst_reg);
-+ return -EACCES;
-+ }
-+
- /* check whether atomic_add can read the memory */
- err = check_mem_access(env, insn->dst_reg, insn->off,
- BPF_SIZE(insn->code), BPF_READ, -1);
-@@ -2879,6 +2892,12 @@ static int do_check(struct bpf_verifier_env *env)
- if (err)
- return err;
-
-+ if (is_ctx_reg(env, insn->dst_reg)) {
-+ verbose("BPF_ST stores into R%d context is not allowed\n",
-+ insn->dst_reg);
-+ return -EACCES;
-+ }
-+
- /* check that memory (dst_reg + off) is writeable */
- err = check_mem_access(env, insn->dst_reg, insn->off,
- BPF_SIZE(insn->code), BPF_WRITE,
---
-2.7.4
- |