The upstream changes necessary to fix these CVEs rely on the presence of JMP32, which is not a small backport and brings its own potential set of necessary follow-ups. Daniel Borkmann, John Fastabend and Alexei Starovoitov came up with a fix involving the use of the AX register. This has been tested against the test_verifier in 4.14.y tree and some tests specific to the two referred CVEs. The test_bpf module was also tested. Daniel Borkmann (4): bpf: Do not use ax register in interpreter on div/mod bpf: fix subprog verifier bypass by div/mod by 0 exception bpf: Fix 32 bit src register truncation on div/mod bpf: Fix truncation handling for mod32 dst reg wrt zero include/linux/filter.h | 24 ++++++++++++++++++++++++ kernel/bpf/core.c | 40 +++++++++++++++------------------------- kernel/bpf/verifier.c | 39 +++++++++++++++++++++++++++++++-------- net/core/filter.c | 9 ++++++++- 4 files changed, 78 insertions(+), 34 deletions(-) -- 2.30.2
