From patchwork Thu Jan 4 14:01:18 2018
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 855600
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/4][Z] bpf: fix incorrect sign extension in check_alu_op()
Date: Thu, 4 Jan 2018 08:01:18 -0600
Message-Id: <20180104140124.2515-5-seth.forshee@canonical.com>
In-Reply-To: <20180104140124.2515-1-seth.forshee@canonical.com>
References: <20180104140124.2515-1-seth.forshee@canonical.com>
From: Jann Horn

[ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ]

Distinguish between BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate,
sign-extended to 64-bit) and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate,
zero-padded to 64-bit); only perform sign extension in the first case.

Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.

Debian assigned CVE-2017-16995 for this issue.

v3:
 - add CVE number (Ben Hutchings)

Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Signed-off-by: Jann Horn
Acked-by: Edward Cree
Signed-off-by: Alexei Starovoitov
Signed-off-by: Daniel Borkmann

CVE-2017-16995

[ saf: Backport to 4.10 ]
Signed-off-by: Seth Forshee
---
 kernel/bpf/verifier.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b741b616e935..edc885b3c157 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1723,10 +1723,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn) /* case: R = imm * remember the value we stored into this reg */ + u64 imm; + + if (BPF_CLASS(insn->code) == BPF_ALU64) + imm = insn->imm; + else + imm = (u32)insn->imm; + regs[insn->dst_reg].type = CONST_IMM; - regs[insn->dst_reg].imm = insn->imm; - regs[insn->dst_reg].max_value = insn->imm; - regs[insn->dst_reg].min_value = insn->imm; + regs[insn->dst_reg].imm = imm; + regs[insn->dst_reg].max_value = imm; + regs[insn->dst_reg].min_value = imm; } } else if (opcode > BPF_END) {
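Review bot: the distinction this fix is about is not visible in the code itself: in the BPF_ALU64 branch `imm = insn->imm;` sign-extends only through C's implicit s32-to-u64 conversion, while the `(u32)insn->imm` cast in the else branch is what zero-extends. A short comment on each branch (or spelling the first one as `(u64)(s64)insn->imm`) would make the intent clear to the next reader instead of leaving it in the commit message only. Also worth a line in the backport note: the same `imm` is stored into both `max_value` and `min_value`, and if those bounds have different signedness in the 4.10 tree this targets (s64 min_value, u64 max_value), a negative ALU64 immediate still lands in `max_value` as a very large unsigned value; that is the pre-existing behaviour, since the removed lines did the same implicit conversion from `insn->imm`, so the patch changes only the 32-bit BPF_ALU case, which is the point of the fix.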
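The verifier/interpreter mismatch that the commit message describes, as an added example that is not code from the patch or from the kernel. The opcode constants mirror the uapi BPF encoding; the three model functions are hypothetical stand-ins for the real interpreter and for check_alu_op() before and after the fix, reduced to the single question the bug turns on: what 64-bit value does a BPF_MOV|BPF_K leave in the destination register, and does the verifier's belief about it agree with what runs.

```c
/* Added example, not kernel code: a model of the CVE-2017-16995 mismatch.
 * Opcode constants follow the BPF instruction encoding; the model functions
 * below are hypothetical reductions of the interpreter and of check_alu_op().
 */
#include <stdint.h>
#include <stdio.h>

#define BPF_CLASS(code) ((code) & 0x07)
#define BPF_ALU   0x04   /* 32-bit ALU class */
#define BPF_ALU64 0x07   /* 64-bit ALU class */
#define BPF_MOV   0xb0
#define BPF_K     0x00   /* immediate operand */

/* What the runtime actually does for MOV dst, imm: a 64-bit MOV sign-extends
 * the 32-bit immediate, a 32-bit MOV writes the low half and clears the rest. */
static uint64_t interp_mov_k(uint8_t code, int32_t imm)
{
	if (BPF_CLASS(code) == BPF_ALU64)
		return (uint64_t)(int64_t)imm;
	return (uint32_t)imm;
}

/* Pre-fix verifier model: sign-extends regardless of class (the bug),
 * i.e. regs[dst].imm = insn->imm for both BPF_ALU and BPF_ALU64. */
static uint64_t verifier_mov_k_buggy(uint8_t code, int32_t imm)
{
	(void)code;
	return (uint64_t)(int64_t)imm;
}

/* Post-fix verifier model: the same u64 imm logic the patch introduces. */
static uint64_t verifier_mov_k_fixed(uint8_t code, int32_t imm)
{
	uint64_t val;

	if (BPF_CLASS(code) == BPF_ALU64)
		val = imm;             /* implicit s32 -> u64 sign extension */
	else
		val = (uint32_t)imm;   /* zero extension */
	return val;
}

/* 1 if the verifier's tracked constant disagrees with the runtime value.
 * Any disagreement here means later bounds checks reason about the wrong
 * register contents, which is the root of the exploitability claim. */
static int mismatch(uint64_t (*verifier)(uint8_t, int32_t),
		    uint8_t code, int32_t imm)
{
	return verifier(code, imm) != interp_mov_k(code, imm);
}

int main(void)
{
	const uint8_t mov32 = BPF_ALU | BPF_MOV | BPF_K;
	const uint8_t mov64 = BPF_ALU64 | BPF_MOV | BPF_K;
	const int32_t imm = -1;   /* constructed input: 0xffffffff as s32 */

	printf("runtime  32-bit mov -1 : 0x%016llx\n",
	       (unsigned long long)interp_mov_k(mov32, imm));
	printf("buggy    32-bit mov -1 : 0x%016llx  mismatch=%d\n",
	       (unsigned long long)verifier_mov_k_buggy(mov32, imm),
	       mismatch(verifier_mov_k_buggy, mov32, imm));
	printf("fixed    32-bit mov -1 : 0x%016llx  mismatch=%d\n",
	       (unsigned long long)verifier_mov_k_fixed(mov32, imm),
	       mismatch(verifier_mov_k_fixed, mov32, imm));
	printf("fixed    64-bit mov -1 : 0x%016llx  mismatch=%d\n",
	       (unsigned long long)verifier_mov_k_fixed(mov64, imm),
	       mismatch(verifier_mov_k_fixed, mov64, imm));
	return 0;
}
```

The interesting input is any immediate with bit 31 set: for a 32-bit MOV the buggy model believes the register holds 0xffffffffffffffff while the runtime register holds 0x00000000ffffffff, so every bound derived from that constant is wrong by 2^64 - 2^32; the fixed model agrees with the runtime in both classes, which is exactly what restoring the ALU/ALU64 distinction buys.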