This is a backport of the BPF verifier fixes for CVE-2021-29155. Original series was part of the pull request here: https://lore.kernel.org/bpf/20210416223700.15611-1-daniel@iogearbox.net/T/
This wasn't a complicated backport, but copying bpf@ to see if there are any concerns.
5.4 verifier selftests are clean with this backport: Summary: 1566 PASSED, 0 SKIPPED, 0 FAILED
The individual commits:
960114839252 ("bpf: Use correct permission flag for mixed signed bounds arithmetic")
  * Not applicable to 5.4, as 5.4 does not have 2c78ee898d8f ("bpf: Implement CAP_BPF").

6f55b2f2a117 ("bpf: Move off_reg into sanitize_ptr_alu")
  * Clean cherry-pick.

24c109bb1537 ("bpf: Ensure off_reg has no mixed signed bounds for all types")
  * Conflict: allow_ptr_leaks was replaced by bypass_spec_v1 in the deleted PTR_TO_MAP_VALUE switch case by 2c78ee898d8f ("bpf: Implement CAP_BPF"). Resolution is easy, the case statement gets deleted either way.

b658bbb844e2 ("bpf: Rework ptr_limit into alu_limit and add common error path")
  * Clean cherry-pick.

a6aaece00a57 ("bpf: Improve verifier error messages for users")
  * Resolved simple contextual conflict in adjust_scalar_min_max_vals() because of a var declaration that was added by this post-5.4 commit: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking").

073815b756c5 ("bpf: Refactor and streamline bounds check into helper")
  * Conflict: another allow_ptr_leaks that was replaced with bypass_spec_v1 after 2c78ee898d8f.
  * Conflict: Post-5.4 commit 01f810ace9ed ("bpf: Allow variable-offset stack access") changed the call to check_stack_access to a new function, check_stack_access_for_ptr_arithmetic(), and moved/changed an error message.
  * Since this commit just factors out some code from adjust_ptr_min_max_vals() into a new function, do the same with the corresponding block in 5.4 that doesn't have the changes listed above from post-5.4 commits.

f528819334 ("bpf: Move sanitize_val_alu out of op switch")
  * Contextual conflict from post-5.4 commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking"), which added a comment on top of the switch referenced in the commit message.

7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
  * Contextual conflict: post-5.4 commit 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking") added a call to a new function just above the switch statement in adjust_ptr_min_max_vals. This doesn't affect the lines that were actually changed.

d7a509135175 ("bpf: Update selftests to reflect new error states")
  * The bounds.c tests have undergone several changes since 5.4, related to commits that were not backported (like e.g. the ALU32 changes). The error messages for those tests will remain the same on 5.4.
=====
Daniel Borkmann (8):
  bpf: Move off_reg into sanitize_ptr_alu
  bpf: Ensure off_reg has no mixed signed bounds for all types
  bpf: Rework ptr_limit into alu_limit and add common error path
  bpf: Improve verifier error messages for users
  bpf: Refactor and streamline bounds check into helper
  bpf: Move sanitize_val_alu out of op switch
  bpf: Tighten speculative pointer arithmetic mask
  bpf: Update selftests to reflect new error states

 kernel/bpf/verifier.c                          | 233 ++++++++++++------
 .../selftests/bpf/verifier/bounds_deduction.c  |  21 +-
 .../bpf/verifier/bounds_mix_sign_unsign.c      |  13 -
 tools/testing/selftests/bpf/verifier/unpriv.c  |   2 +-
 .../selftests/bpf/verifier/value_ptr_arith.c   |   6 +-
 5 files changed, 173 insertions(+), 102 deletions(-)