Diffstat (limited to 'common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-fix-32-bit-divide-by-zero.patch')
-rw-r--r-- | common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-fix-32-bit-divide-by-zero.patch | 69 |
1 files changed, 69 insertions, 0 deletions
diff --git a/common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-fix-32-bit-divide-by-zero.patch b/common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-fix-32-bit-divide-by-zero.patch
new file mode 100644
index 00000000..cb5d56f9
--- /dev/null
+++ b/common/recipes-kernel/linux/linux-yocto-4.9.21/0102-bpf-fix-32-bit-divide-by-zero.patch
@@ -0,0 +1,69 @@
+From b0ff2bf4aaae990e6b8ce98f581aab8042a7f3e3 Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Mon, 29 Jan 2018 02:49:00 +0100
+Subject: [PATCH 102/103] bpf: fix 32-bit divide by zero
+
+[ upstream commit 68fda450a7df51cff9e5a4d4a4d9d0d5f2589153 ]
+
+due to some JITs doing if (src_reg == 0) check in 64-bit mode
+for div/mod operations mask upper 32-bits of src register
+before doing the check
+
+Fixes: 622582786c9e ("net: filter: x86: internal BPF JIT")
+Fixes: 7a12b5031c6b ("sparc64: Add eBPF JIT.")
+Reported-by: syzbot+48340bb518e88849e2e3@syzkaller.appspotmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 18 ++++++++++++++++++
+ net/core/filter.c | 4 ++++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 6caf0ff1..2dce3aa 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -3235,6 +3235,24 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
+ 
+ 
+ for (i = 0; i < insn_cnt; i++, insn++) {
++ if (insn->code == (BPF_ALU | BPF_MOD | BPF_X) ||
++ insn->code == (BPF_ALU | BPF_DIV | BPF_X)) {
++ /* due to JIT bugs clear upper 32-bits of src register
++ * before div/mod operation
++ */
++ insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);
++ insn_buf[1] = *insn;
++ cnt = 2;
++ new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
++ if (!new_prog)
++ return -ENOMEM;
++
++ delta += cnt - 1;
++ env->prog = prog = new_prog;
++ insn = new_prog->insnsi + i + delta;
++ continue;
++ }
++
+ if (insn->code != (BPF_JMP | BPF_CALL))
+ continue;
+ 
+diff --git a/net/core/filter.c b/net/core/filter.c
+index c066b00..615033b 100644
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -441,6 +441,10 @@ static int bpf_convert_filter(struct sock_filter *prog, int len,
+ convert_bpf_extensions(fp, &insn))
+ break;
+ 
++ if (fp->code == (BPF_ALU | BPF_DIV | BPF_X) ||
++ fp->code == (BPF_ALU | BPF_MOD | BPF_X))
++ *insn++ = BPF_MOV32_REG(BPF_REG_X, BPF_REG_X);
++
+ *insn = BPF_RAW_INSN(fp->code, BPF_REG_A, BPF_REG_X, 0, fp->k);
+ break;
+ 
+-- 
+2.7.4
+
|
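Review bot: The rewrite at `insn_buf[0] = BPF_MOV32_REG(insn->src_reg, insn->src_reg);` relies on `bpf_patch_insn_data()` and the locals `insn_buf`, `cnt`, `delta` and `new_prog`, none of which this hunk introduces and which, to my recollection, a vanilla 4.9.21 `fixup_bpf_calls()` does not have; since the subject says `[PATCH 102/103]`, the recipe must apply this only after the earlier series patches that bring them in, so the `SRC_URI` ordering (not visible here) should be checked and a note such as `Depends on the preceding bpf_patch_insn_data() backport in this series.` added to the patch header. The mask is limited to the 32-bit `BPF_ALU` register forms, which matches the stated JIT bug (a 64-bit `src_reg == 0` test missing a divisor whose low word is zero but high word is not); the 64-bit forms and `BPF_K` zero immediates are presumably handled elsewhere by the verifier, but that is inferred rather than shown. A regression test that divides by a register loaded with a value like `0x100000000` under the JIT would pin the fix, as the usual div-by-zero selftests use a plain zero. Both `fixup_bpf_calls()` and `bpf_convert_filter()` begin and end outside the hunk.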