Strona główna Odkrywaj Pomoc
Zarejestruj się Zaloguj się
Apq
/
pve-edge-kernel
kopia lustrzana https://github.com/fabianishere/pve-edge-kernel.git
1
0
Forkuj 0
Pliki Problemy 0 Wiki
Drzewo: 7c7389df50
Gałęzie Tagi
pve-edge-kernel
/
patches
/
kernel
/
0227-bpf-fix-incorrect-sign-extension-in-check_alu_op.patch

0227-bpf-fix-incorrect-sign-extension-in-check_alu_op.patch 2.4 KB
Historia Czysty

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869 
  1. From 652c6cabaf30e4c75f7dc2c42a33a8f066d7df2c Mon Sep 17 00:00:00 2001
    2. 

  2. From: Jann Horn <[email protected]>
    3. 

  3. Date: Thu, 4 Jan 2018 08:01:22 -0600
    4. 

  4. Subject: [PATCH 227/232] bpf: fix incorrect sign extension in check_alu_op()
    5. 

  5. MIME-Version: 1.0
    6. 

  6. Content-Type: text/plain; charset=UTF-8
    7. 

  7. Content-Transfer-Encoding: 8bit
    8. 

  8. 

  9. [ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ]
    10. 

  10. 

  11. Distinguish between
    12. 

  12. BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
    13. 

  13. and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
    14. 

  14. only perform sign extension in the first case.
    15. 

  15. 

  16. Starting with v4.14, this is exploitable by unprivileged users as long as
    17. 

  17. the unprivileged_bpf_disabled sysctl isn't set.
    18. 

  18. 

  19. Debian assigned CVE-2017-16995 for this issue.
    20. 

  20. 

  21. v3:
    22. 

  22.  - add CVE number (Ben Hutchings)
    23. 

  23. 

  24. Fixes: 484611357c19 ("bpf: allow access into map value arrays")
    25. 

  25. Signed-off-by: Jann Horn <[email protected]>
    26. 

  26. Acked-by: Edward Cree <[email protected]>
    27. 

  27. Signed-off-by: Alexei Starovoitov <[email protected]>
    28. 

  28. Signed-off-by: Daniel Borkmann <[email protected]>
    29. 

  29. CVE-2017-16995
    30. 

  30. Signed-off-by: Seth Forshee <[email protected]>
    31. 

  31. Signed-off-by: Andy Whitcroft <[email protected]>
    32. 

  32. Signed-off-by: Kleber Sacilotto de Souza <[email protected]>
    33. 

  33. (cherry picked from commit 868c88129c7567525dbde3cb6989a5acd478bd80)
    34. 

  34. Signed-off-by: Fabian Grünbichler <[email protected]>
    35. 

  35. ---
    36. 

  36.  kernel/bpf/verifier.c | 15 +++++++++++----
    37. 

  37.  1 file changed, 11 insertions(+), 4 deletions(-)
    38. 

  38. 

  39. diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
    40. 

  40. index 4321625fe32a..cdfa07a4ef27 100644
    41. 

  41. --- a/kernel/bpf/verifier.c
    42. 

  42. +++ b/kernel/bpf/verifier.c
    43. 

  43. @@ -2048,12 +2048,19 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
    44. 

  44.  			/* case: R = imm
    45. 

  45.  			 * remember the value we stored into this reg
    46. 

  46.  			 */
    47. 

  47. +			u64 imm;
    48. 

  48. +
    49. 

  49. +			if (BPF_CLASS(insn->code) == BPF_ALU64)
    50. 

  50. +				imm = insn->imm;
    51. 

  51. +			else
    52. 

  52. +				imm = (u32)insn->imm;
    53. 

  53. +
    54. 

  54.  			regs[insn->dst_reg].type = CONST_IMM;
    55. 

  55. -			regs[insn->dst_reg].imm = insn->imm;
    56. 

  56. +			regs[insn->dst_reg].imm = imm;
    57. 

  57.  			regs[insn->dst_reg].id = 0;
    58. 

  58. -			regs[insn->dst_reg].max_value = insn->imm;
    59. 

  59. -			regs[insn->dst_reg].min_value = insn->imm;
    60. 

  60. -			regs[insn->dst_reg].min_align = calc_align(insn->imm);
    61. 

  61. +			regs[insn->dst_reg].max_value = imm;
    62. 

  62. +			regs[insn->dst_reg].min_value = imm;
    63. 

  63. +			regs[insn->dst_reg].min_align = calc_align(imm);
    64. 

  64.  			regs[insn->dst_reg].value_from_signed = false;
    65. 

  65.  		}
    66. 

  66.  
    67. 

  67. -- 
    68. 

  68. 2.14.2
    69. 

  69.