These are the first two patches in https://lore.kernel.org/stable/20210501043014.33300-1-fllinden@amazon.com/
I will re-send the rest of that series as soon as the other bpf backports hit the 4.19 branch.
This fixes errors in earlier bpf 4.14 backports. The verifier fix was sent in earlier to bpf@ by Sam, and acked. I added the selftests fix.
Essentially, together with the previous backports that had errors, this produces correct backports of:
9d7eceede76 ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged") 80c9b2fae87b ("bpf: add various test cases to selftests")
Commits:
<4.14 only> ("bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged") This was sent in by Sam to bpf@ earlier, and acked by Yonghong Song, https://lore.kernel.org/bpf/20210419235641.5442-1-samjonas@amazon.com/T/#u
I am including it so that it is 'formally' submitted it to -stable.
<4.14 only> ("bpf: fix up selftests after backports were fixed") This is a follow-up to the previous by me, to fix selftests. It's from 80c9b2fae87b ("bpf: add various test cases to selftests"), but since that one was already partially added to the 4.14 branch in 03f11a51a196 ("bpf: Fix selftests are changes for CVE 2019-7308"), it's not a "backport" as such. To avoid confusion, I created a separate commit for it, referencing the original commit in the message. I examined each individual changed test, and went through the history to see that the error message was indeed as expected.
From: Samuel Mendoza-Jonas samjonas@amazon.com
The 4.14 backport of 9d7eceede ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged") adds the PTR_TO_MAP_VALUE check to the wrong location in adjust_ptr_min_max_vals(), most likely because 4.14 doesn't include the commit that updates the if-statement to a switch-statement (aad2eeaf4 "bpf: Simplify ptr_min_max_vals adjustment").
Move the check to the proper location in adjust_ptr_min_max_vals().
Fixes: 17efa65350c5a ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged") Signed-off-by: Samuel Mendoza-Jonas samjonas@amazon.com Reviewed-by: Frank van der Linden fllinden@amazon.com Reviewed-by: Ethan Chen yishache@amazon.com Acked-by: Yonghong Song yhs@fb.com --- kernel/bpf/verifier.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 0c3a9302be93..9e9b7c076bcb 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2204,6 +2204,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, dst); return -EACCES; } + if (ptr_reg->type == PTR_TO_MAP_VALUE) { + if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { + verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", + off_reg == dst_reg ? dst : src); + return -EACCES; + } + }
/* In case of 'scalar += pointer', dst_reg inherits pointer type and id. * The id may be overwritten later if we create a new variable offset. @@ -2349,13 +2356,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, verbose("R%d bitwise operator %s on pointer prohibited\n", dst, bpf_alu_string[opcode >> 4]); return -EACCES; - case PTR_TO_MAP_VALUE: - if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { - verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", - off_reg == dst_reg ? dst : src); - return -EACCES; - } - /* fall-through */ default: /* other operators (e.g. MUL,LSH) produce non-pointer results */ if (!env->allow_ptr_leaks)
After the backport of the changes to fix CVE 2019-7308, the selftests also need to be fixed up, as was done originally in mainline 80c9b2fae87b ("bpf: add various test cases to selftests").
4.14 commit 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308") did that, but since there was an error in the backport, some selftests did not change output. So, add them now that this error has been fixed, and their output has actually changed as expected.
This adds the rest of the changed test outputs from 80c9b2fae87b.
Fixes: 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308") Signed-off-by: Frank van der Linden fllinden@amazon.com --- tools/testing/selftests/bpf/test_verifier.c | 12 ++++++++++++ 1 file changed, 12 insertions(+)
diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c index 9babb3fef8e2..9f7fc30d247d 100644 --- a/tools/testing/selftests/bpf/test_verifier.c +++ b/tools/testing/selftests/bpf/test_verifier.c @@ -6207,6 +6207,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6231,6 +6232,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6257,6 +6259,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6282,6 +6285,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6330,6 +6334,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6401,6 +6406,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6452,6 +6458,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6479,6 +6486,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6505,6 +6513,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6534,6 +6543,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds", .result = REJECT, }, { @@ -6592,6 +6602,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "unbounded min value", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, .result_unpriv = REJECT, }, @@ -6644,6 +6655,7 @@ static struct bpf_test tests[] = { }, .fixup_map1 = { 3 }, .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.", + .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", .result = REJECT, }, {
On Sat, May 01, 2021 at 06:05:04PM +0000, Frank van der Linden wrote:
These are the first two patches in https://lore.kernel.org/stable/20210501043014.33300-1-fllinden@amazon.com/
I will re-send the rest of that series as soon as the other bpf backports hit the 4.19 branch.
This fixes errors in earlier bpf 4.14 backports. The verifier fix was sent in earlier to bpf@ by Sam, and acked. I added the selftests fix.
Both of these here now queued up, thanks.
greg k-h
linux-stable-mirror@lists.linaro.org