From patchwork Thu Mar 14 19:46:15 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1912223
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][M/F][PATCH 0/1] CVE-2024-26589
Date: Thu, 14 Mar 2024 14:46:15 -0500
Message-Id: <20240314194617.42266-1-bethany.jamison@canonical.com>
List-Id: Kernel team discussions

[Impact]

In the Linux kernel, the following vulnerability has been resolved:

bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

For PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off
for validation. However, variable offset ptr alu is not prohibited
for this ptr kind. So the variable offset is not checked.
The following prog is accepted:

func#0 @0
0: R1=ctx() R10=fp0
0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()
1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()
2: (b7) r8 = 1024                     ; R8_w=1024
3: (37) r8 /= 1                       ; R8_w=scalar()
4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
5: (0f) r7 += r8
mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1
mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024
mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1
mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024
6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))
6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()
7: (95) exit

This prog loads flow_keys to r7, and adds the variable offset r8 to r7,
and finally causes out-of-bounds access:

BUG: unable to handle page fault for address: ffffc90014c80038
[...]
Call Trace:
 bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]
 __bpf_prog_run include/linux/filter.h:651 [inline]
 bpf_prog_run include/linux/filter.h:658 [inline]
 bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]
 bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991
 bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359
 bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]
 __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475
 __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]
 __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]
 __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

Fix this by rejecting ptr alu with variable offset on flow_keys.
Applying the patch rejects the program with "R7 pointer arithmetic
on flow_keys prohibited".

[Fix]

Mantic: Clean cherry-pick.
Focal: Backport - Upstream moved a case statement out of the
'switch (ptr_reg->type)' switch block to an if block right before the
switch. Functionally, it doesn't matter if that code exists before or
at the beginning of the switch block as the logic isn't affected. Focal
keeps the case statement inside the switch statement and cherry-picking
my way to merge upstream and Focal wasn't feasible. I kept Focal as is
and added the change from the fix commit (an additional case statement
inside the 'switch (ptr_reg->type)' switch block).

[Test Case]

Compile and boot tested.

[Where problems could occur]

This will affect those who use bpf. This has some risk of regression
because of the manual backporting that was required.

Hao Sun (1):
  bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS

 kernel/bpf/verifier.c | 4 ++++
 1 file changed, 4 insertions(+)

Acked-by: Stefan Bader
Acked-by: Cengiz Can
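The cover letter's test case is "compile and boot tested", which does not exercise the changed verifier path. The following is an added regression check (not part of this SRU, the upstream fix, or the Ubuntu kernel tree): it encodes the exact eight instructions from the verifier log above, submits them to bpf(BPF_PROG_LOAD) as a BPF_PROG_TYPE_FLOW_DISSECTOR program, and classifies the outcome. On a fixed kernel the verifier returns EACCES and the log contains "pointer arithmetic on flow_keys prohibited"; on an unfixed kernel the load succeeds (the program is never attached or run, only loaded). Assumptions: the UAPI constants and structures are mirrored locally so it builds without kernel headers, offsetof(struct __sk_buff, flow_keys) is 144 as the log's `r6 +144` load shows, a verifier rejection surfaces as EACCES while EPERM/ENOSYS mean the verifier was never reached (no CAP_BPF, seccomp), and the helper names are the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Local mirror of the pieces of include/uapi/linux/bpf.h this check needs
 * (assumed to match upstream values) so it builds without kernel headers. */
#define BPF_PROG_LOAD                5
#define BPF_PROG_TYPE_FLOW_DISSECTOR 22
#define BPF_LDX   0x01
#define BPF_JMP   0x05
#define BPF_ALU64 0x07
#define BPF_K     0x00
#define BPF_X     0x08
#define BPF_ADD   0x00
#define BPF_DIV   0x30
#define BPF_AND   0x50
#define BPF_MOV   0xb0
#define BPF_MEM   0x60
#define BPF_DW    0x18
#define BPF_EXIT  0x90
#define SK_BUFF_FLOW_KEYS_OFF 144   /* offsetof(struct __sk_buff, flow_keys), per the log */

struct bpf_insn {
    uint8_t code;
    uint8_t dst_reg:4;
    uint8_t src_reg:4;
    int16_t off;
    int32_t imm;
};

/* Leading BPF_PROG_LOAD fields of union bpf_attr. The kernel accepts a shorter
 * attr as long as the fields it omits would have been zero. */
struct prog_load_attr {
    uint32_t prog_type;
    uint32_t insn_cnt;
    uint64_t insns;
    uint64_t license;
    uint32_t log_level;
    uint32_t log_size;
    uint64_t log_buf;
    uint32_t kern_version;
    uint32_t prog_flags;
};

/* The program from the report's verifier log, instruction for instruction. */
static const struct bpf_insn cve_2024_26589_prog[] = {
    { BPF_ALU64 | BPF_MOV | BPF_X, 6, 1, 0, 0 },                    /* 0: (bf) r6 = r1 */
    { BPF_LDX | BPF_MEM | BPF_DW, 7, 6, SK_BUFF_FLOW_KEYS_OFF, 0 }, /* 1: (79) r7 = *(u64 *)(r6 +144) -> flow_keys */
    { BPF_ALU64 | BPF_MOV | BPF_K, 8, 0, 0, 1024 },                 /* 2: (b7) r8 = 1024 */
    { BPF_ALU64 | BPF_DIV | BPF_K, 8, 0, 0, 1 },                    /* 3: (37) r8 /= 1   -> r8 becomes an unknown scalar */
    { BPF_ALU64 | BPF_AND | BPF_K, 8, 0, 0, 1024 },                 /* 4: (57) r8 &= 1024 -> bounded to 0..1024, still variable */
    { BPF_ALU64 | BPF_ADD | BPF_X, 7, 8, 0, 0 },                    /* 5: (0f) r7 += r8  -> variable-offset alu on flow_keys */
    { BPF_LDX | BPF_MEM | BPF_DW, 0, 7, 0, 0 },                     /* 6: (79) r0 = *(u64 *)(r7 +0) -> OOB read when accepted */
    { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 },                             /* 7: (95) exit */
};

enum verdict { VERDICT_REJECTED, VERDICT_ACCEPTED, VERDICT_UNAVAILABLE };

static int last_errno;

size_t  prog_insn_count(void) { return sizeof cve_2024_26589_prog / sizeof cve_2024_26589_prog[0]; }
uint8_t prog_opcode(size_t i) { return cve_2024_26589_prog[i].code; }
int16_t prog_off(size_t i)    { return cve_2024_26589_prog[i].off; }

/* Message a fixed verifier prints for instruction 5 (reg_type_str() yields "flow_keys"). */
int log_mentions_flow_keys(const char *log)
{
    return strstr(log, "pointer arithmetic on flow_keys prohibited") != NULL;
}

/* Submit the program to the verifier; the returned fd (if any) is closed at once. */
enum verdict try_load(char *log, size_t log_size)
{
    log[0] = '\0';
    last_errno = 0;
#ifndef SYS_bpf
    (void)log_size;
    return VERDICT_UNAVAILABLE;          /* no bpf(2) on this platform */
#else
    struct prog_load_attr attr;
    memset(&attr, 0, sizeof attr);
    attr.prog_type = BPF_PROG_TYPE_FLOW_DISSECTOR;
    attr.insn_cnt  = (uint32_t)prog_insn_count();
    attr.insns     = (uint64_t)(uintptr_t)cve_2024_26589_prog;
    attr.license   = (uint64_t)(uintptr_t)"GPL";
    attr.log_level = 1;                  /* capture the rejection reason */
    attr.log_size  = (uint32_t)log_size;
    attr.log_buf   = (uint64_t)(uintptr_t)log;

    long fd = syscall(SYS_bpf, BPF_PROG_LOAD, &attr, sizeof attr);
    if (fd >= 0) {
        close((int)fd);
        return VERDICT_ACCEPTED;         /* unfixed kernel: variable offset on flow_keys slipped through */
    }
    last_errno = errno;
    if (errno == EACCES)
        return VERDICT_REJECTED;         /* the verifier refused the program */
    return VERDICT_UNAVAILABLE;          /* EPERM (no CAP_BPF), ENOSYS, seccomp: verifier never reached */
#endif
}

enum verdict run_check(void)
{
    static char log[64 * 1024];
    return try_load(log, sizeof log);
}

int main(void)
{
    static char log[64 * 1024];
    switch (try_load(log, sizeof log)) {
    case VERDICT_REJECTED:
        printf("verifier rejected the program (fix present)%s\n",
               log_mentions_flow_keys(log) ? ": flow_keys arithmetic prohibited" : "");
        return 0;
    case VERDICT_ACCEPTED:
        printf("verifier ACCEPTED the program: kernel lacks the CVE-2024-26589 fix\n");
        return 1;
    default:
        printf("could not reach the verifier (%s); run as root with CAP_BPF\n", strerror(last_errno));
        return 2;
    }
}
```

Run it as root on the Mantic and Focal test kernels before and after the SRU: the unfixed kernel prints ACCEPTED, the fixed one prints the rejection with the flow_keys message quoted in the commit. The exit status makes it usable from a kernel-team autotest or a quick `for kernel in ...` loop; an UNAVAILABLE result means the harness lacked privileges, not that the fix is present.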