Hey Sasha, hey Greg,
On 4/7/20 12:21 PM, Greg Kroah-Hartman wrote:
From: Jann Horn jannh@google.com
[ Upstream commit 604dca5e3af1db98bd123b7bfc02b017af99e3a0 ]
The BPF verifier tried to track values based on 32-bit comparisons by (ab)using the tnum state via 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions"). The idea is that after a check like this:
if ((u32)r0 > 3) exitWe can't meaningfully constrain the arithmetic-range-based tracking, but we can update the tnum state to (value=0,mask=0xffff'ffff'0000'0003). However, the implementation from 581738a681b6 didn't compute the tnum constraint based on the fixed operand, but instead derives it from the arithmetic-range-based tracking. This means that after the following sequence of operations:
if (r0 >= 0x1'0000'0001) exit if ((u32)r0 > 7) exitThe verifier assumed that the lower half of r0 is in the range (0, 0) and apply the tnum constraint (value=0,mask=0xffff'ffff'0000'0000) thus causing the overall tnum to be (value=0,mask=0x1'0000'0000), which was incorrect. Provide a fixed implementation.
Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") Signed-off-by: Jann Horn jannh@google.com Signed-off-by: Daniel Borkmann daniel@iogearbox.net Signed-off-by: Alexei Starovoitov ast@kernel.org Link: https://lore.kernel.org/bpf/20200330160324.15259-3-daniel@iogearbox.net Signed-off-by: Sasha Levin sashal@kernel.org
We've already addressed this issue (CVE-2020-8835) on 5.4/5.5/5.6 kernels through the following backports:
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=l... https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=l... https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=l...
Given the severity of the issue, we concluded that revert-only is the best and most straight forward way to address it for stable.
Was this selected via Sasha's ML mechanism? Should there be a commit tag to opt-out for some commits being selected? E.g. this one 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") already fell through our radar and wrongly made its way into 5.4 where it should have never landed. :/
Thanks, Daniel