[kernel] r22876 - in dists/jessie-security/linux/debian: . patches patches/bugfix/x86

Ben Hutchings benh at moszumanska.debian.org
Sat Aug 1 16:15:48 UTC 2015


Author: benh
Date: Sat Aug  1 16:15:48 2015
New Revision: 22876

Log:
[x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)

Added:
   dists/jessie-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
Modified:
   dists/jessie-security/linux/debian/changelog
   dists/jessie-security/linux/debian/patches/series

Modified: dists/jessie-security/linux/debian/changelog
==============================================================================
--- dists/jessie-security/linux/debian/changelog	Sat Aug  1 16:13:52 2015	(r22875)
+++ dists/jessie-security/linux/debian/changelog	Sat Aug  1 16:15:48 2015	(r22876)
@@ -4,6 +4,7 @@
   * KEYS: ensure we free the assoc array edit if edit is valid (CVE-2015-1333)
   * sctp: fix ASCONF list handling (CVE-2015-3212)
   * [x86] kvm: fix kvm_apic_has_events to check for NULL pointer (CVE-2015-4692)
+  * [x86] bpf_jit: fix compilation of large bpf programs (CVE-2015-4700)
 
  -- Ben Hutchings <ben at decadent.org.uk>  Sun, 26 Jul 2015 20:37:03 +0100
 
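Review bot: the new entry is appended to the existing unreleased changelog stanza, but the trailer `-- Ben Hutchings <ben at decadent.org.uk>  Sun, 26 Jul 2015 20:37:03 +0100` is left unchanged even though this commit is dated Sat Aug 1; refresh the trailer timestamp when the stanza is finalised so the changelog date reflects the last change it contains. The entry text itself matches the Subject line and the CVE id carried by the added patch file.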

Added: dists/jessie-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
==============================================================================
--- /dev/null	00:00:00 1970	(empty, because file is newly added)
+++ dists/jessie-security/linux/debian/patches/bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch	Sat Aug  1 16:15:48 2015	(r22876)
@@ -0,0 +1,41 @@
+From: Alexei Starovoitov <ast at plumgrid.com>
+Date: Fri, 22 May 2015 15:42:55 -0700
+Subject: x86: bpf_jit: fix compilation of large bpf programs
+Origin: https://git.kernel.org/linus/3f7352bf21f8fd7ba3e2fcef9488756f188e12be
+
+x86 has variable length encoding. x86 JIT compiler is trying
+to pick the shortest encoding for given bpf instruction.
+While doing so the jump targets are changing, so JIT is doing
+multiple passes over the program. Typical program needs 3 passes.
+Some very short programs converge with 2 passes. Large programs
+may need 4 or 5. But specially crafted bpf programs may hit the
+pass limit and if the program converges on the last iteration
+the JIT compiler will be producing an image full of 'int 3' insns.
+Fix this corner case by doing final iteration over bpf program.
+
+Fixes: 0a14842f5a3c ("net: filter: Just In Time compiler for x86-64")
+Reported-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: Alexei Starovoitov <ast at plumgrid.com>
+Tested-by: Daniel Borkmann <daniel at iogearbox.net>
+Acked-by: Daniel Borkmann <daniel at iogearbox.net>
+Signed-off-by: David S. Miller <davem at davemloft.net>
+---
+ arch/x86/net/bpf_jit_comp.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/x86/net/bpf_jit_comp.c
++++ b/arch/x86/net/bpf_jit_comp.c
+@@ -906,7 +906,12 @@ void bpf_int_jit_compile(struct sk_filte
+ 	}
+ 	ctx.cleanup_addr = proglen;
+ 
+-	for (pass = 0; pass < 10; pass++) {
++	/* JITed image shrinks with every pass and the loop iterates
++	 * until the image stops shrinking. Very large bpf programs
++	 * may converge on the last pass. In such case do one more
++	 * pass to emit the final image
++	 */
++	for (pass = 0; pass < 10 || image; pass++) {
+ 		proglen = do_jit(prog, addrs, image, oldproglen, &ctx);
+ 		if (proglen <= 0) {
+ 			image = NULL;
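Review bot: the new loop condition `pass < 10 || image` makes termination depend on the loop breaking (or `image` being reset) once a pass has emitted into the allocated image, and neither is visible in this hunk, where the only assignment shown is the error path `image = NULL;`; confirm that the code after the visible context breaks out after `do_jit()` has written into `image`, since otherwise a program whose length keeps changing would no longer be bounded by the 10-pass limit once `image` is set. The hunk is otherwise consistent with the commit message (one extra emit pass for programs that converge on the last iteration) and the Origin line ties the Debian patch to the upstream commit.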

Modified: dists/jessie-security/linux/debian/patches/series
==============================================================================
--- dists/jessie-security/linux/debian/patches/series	Sat Aug  1 16:13:52 2015	(r22875)
+++ dists/jessie-security/linux/debian/patches/series	Sat Aug  1 16:15:48 2015	(r22876)
@@ -637,3 +637,4 @@
 bugfix/all/keys-ensure-we-free-the-assoc-array-edit-if-edit-is-valid.patch
 bugfix/all/sctp-fix-asconf-list-handling.patch
 bugfix/x86/kvm-x86-fix-kvm_apic_has_events-to-check-for-null-po.patch
+bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch
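Review bot: the series entry is appended after the kvm_apic_has_events patch, matching the changelog order, and its path `bugfix/x86/x86-bpf_jit-fix-compilation-of-large-bpf-programs.patch` matches the file listed under Added:, so nothing to change here.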


