[linux] 01/02: bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN
debian-kernel at lists.debian.org
Sat Dec 23 02:52:24 UTC 2017
This is an automated email from the git hooks/post-receive script.
benh pushed a commit to branch stretch-security
in repository linux.
commit 0769fac5f7cf6a5860bcc23ab26f9332a758fadd
Author: Ben Hutchings <ben at decadent.org.uk>
Date: Sat Dec 23 00:39:06 2017 +0000
bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN
This appears to have been fixed in 4.14 by a much larger change.
---
debian/changelog | 1 +
...s_equal-comparison-of-pointer-and-unknown.patch | 36 ++++++++++++++++++++++
debian/patches/series | 1 +
3 files changed, 38 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 2b16a41..db7f1e0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -11,6 +11,7 @@ linux (4.9.65-3+deb9u1) UNRELEASED; urgency=high
- fix branch pruning logic
- reject out-of-bounds stack pointer calculation
- fix incorrect sign extension in check_alu_op() (CVE-2017-16995)
+ - Fix states_equal() comparison of pointer and UNKNOWN
* netfilter: nfnetlink_cthelper: Add missing permission checks
(CVE-2017-17448)
* netlink: Add netns check on taps (CVE-2017-17449)
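Review bot: the new changelog entry "- Fix states_equal() comparison of pointer and UNKNOWN" breaks the capitalisation convention of the sibling sub-entries above it ("- fix branch pruning logic", "- reject ...", "- fix incorrect sign extension ..."), so it should read "- fix states_equal() comparison of pointer and UNKNOWN". Since this one carries no CVE, unlike the neighbouring entries, consider naming the upstream commit the patch header cites (f1174f77b50c "bpf/verifier: rework value tracking") so the changelog alone lets a reader trace the fix.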
diff --git a/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch b/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch
new file mode 100644
index 0000000..df70aee
--- /dev/null
+++ b/debian/patches/bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch
@@ -0,0 +1,36 @@
+From: Ben Hutchings <ben at decadent.org.uk>
+Date: Sat, 23 Dec 2017 00:29:56 +0000
+Subject: bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN
+
+An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless
+pointer leaks are allowed. Therefore, states_equal() must not treat
+a state with a pointer in a register as "equal" to a state with an
+UNKNOWN_VALUE in that register.
+
+This appears to have been fixed upstream as part of commit
+f1174f77b50c "bpf/verifier: rework value tracking", and can be
+detected by the bpf/verifier sub-test "pointer/scalar confusion in
+state equality check (way 1)" in mainline.
+
+Signed-off-by: Ben Hutchings <ben at decadent.org.uk>
+Cc: Edward Cree <ecree at solarflare.com>
+Cc: Jann Horn <jannh at google.com>
+Cc: Alexei Starovoitov <ast at kernel.org>
+---
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2722,11 +2722,12 @@ static bool states_equal(struct bpf_veri
+
+ /* If we didn't map access then again we don't care about the
+ * mismatched range values and it's ok if our old type was
+- * UNKNOWN and we didn't go to a NOT_INIT'ed reg.
++ * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg.
+ */
+ if (rold->type == NOT_INIT ||
+ (!varlen_map_access && rold->type == UNKNOWN_VALUE &&
+- rcur->type != NOT_INIT))
++ rcur->type != NOT_INIT &&
++ !__is_pointer_value(env->allow_ptr_leaks, rcur)))
+ continue;
+
+ /* Don't care about the reg->id in this case. */
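Review bot: the rewritten comment ("... and we didn't go to a NOT_INIT'ed or pointer reg") states the pointer exclusion unconditionally, but the added condition passes env->allow_ptr_leaks to __is_pointer_value(), so when pointer leaks are allowed a pointer in rcur still matches an UNKNOWN_VALUE in rold and the state is pruned as before; the comment should say so, for example "UNKNOWN and we didn't go to a NOT_INIT'ed reg or (unless pointer leaks are allowed) a pointer reg.", which also matches the "unless pointer leaks are allowed" wording of the patch description. Because this is a Debian-only fix with no upstream commit of its own, it would help to record in the patch header whether the mainline self-test it names, "pointer/scalar confusion in state equality check (way 1)", was carried into this branch to exercise the change.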
diff --git a/debian/patches/series b/debian/patches/series
index 20f726d..171924b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -145,6 +145,7 @@ bugfix/all/bpf-adjust-insn_aux_data-when-patching-insns.patch
bugfix/all/bpf-fix-branch-pruning-logic.patch
bugfix/all/bpf-reject-out-of-bounds-stack-pointer-calculation.patch
bugfix/all/bpf-fix-incorrect-sign-extension-in-check_alu_op.patch
+bugfix/all/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch
bugfix/all/netfilter-nfnetlink_cthelper-add-missing-permission-.patch
bugfix/all/netlink-add-netns-check-on-taps.patch
bugfix/all/netfilter-xt_osf-add-missing-permission-checks.patch
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/kernel/linux.git
More information about the Kernel-svn-changes mailing list