This is a note to let you know that I've just added the patch titled

    bpf: Simplify alu_limit masking for pointer arithmetic

to the 5.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-simplify-alu_limit-masking-for-pointer-arithmetic.patch
and it can be found in the queue-5.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


From b5871dca250cd391885218b99cc015aca1a51aea Mon Sep 17 00:00:00 2001
From: Piotr Krysiuk <piotras@xxxxxxxxx>
Date: Tue, 16 Mar 2021 08:26:25 +0100
Subject: bpf: Simplify alu_limit masking for pointer arithmetic

From: Piotr Krysiuk <piotras@xxxxxxxxx>

commit b5871dca250cd391885218b99cc015aca1a51aea upstream.

Instead of having the mov32 with aux->alu_limit - 1 immediate, move this
operation to retrieve_ptr_limit() instead to simplify the logic and to
allow for subsequent sanity boundary checks inside retrieve_ptr_limit().
This avoids in future that at the time of the verifier masking rewrite
we'd run into an underflow which would not sign extend due to the nature
of mov32 instruction.

Signed-off-by: Piotr Krysiuk <piotras@xxxxxxxxx>
Co-developed-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Acked-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 kernel/bpf/verifier.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -5398,16 +5398,16 @@ static int retrieve_ptr_limit(const stru */ off = ptr_reg->off + ptr_reg->var_off.value; if (mask_to_left) - *ptr_limit = MAX_BPF_STACK + off + 1; + *ptr_limit = MAX_BPF_STACK + off; else - *ptr_limit = -off; + *ptr_limit = -off - 1; return 0; case PTR_TO_MAP_VALUE: if (mask_to_left) { - *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1; + *ptr_limit = ptr_reg->umax_value + ptr_reg->off; } else { off = ptr_reg->smin_value + ptr_reg->off; - *ptr_limit = ptr_reg->map_ptr->value_size - off; + *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; } return 0; default: @@ -11083,7 +11083,7 @@ static int fixup_bpf_calls(struct bpf_ve off_reg = issrc ? insn->src_reg : insn->dst_reg; if (isneg) *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); - *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1); + *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); Patches currently in stable-queue which might be from piotras@xxxxxxxxx are queue-5.11/bpf-fix-off-by-one-for-area-size-in-creating-mask-to-left.patch queue-5.11/bpf-selftests-fix-up-some-test_verifier-cases-for-unprivileged.patch queue-5.11/bpf-simplify-alu_limit-masking-for-pointer-arithmetic.patch queue-5.11/bpf-prohibit-alu-ops-for-pointer-types-not-defining-ptr_limit.patch queue-5.11/bpf-add-sanity-check-for-upper-ptr_limit.patch
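Review bot: in the retrieve_ptr_limit() hunk the new `*ptr_limit = -off - 1;` and `*ptr_limit = ptr_reg->map_ptr->value_size - off - 1;` can now evaluate to a negative value (off == 0 in the stack case, or smin_value + off reaching value_size in the map case) and both branches still fall straight through to `return 0;` without rejecting it. Since the commit message says the subtraction was moved here precisely to allow sanity boundary checks inside retrieve_ptr_limit(), that check should either be part of this hunk or this patch should only be queued together with the listed queue-5.11/bpf-add-sanity-check-for-upper-ptr_limit.patch, so the stable tree never carries the unchecked form on its own. A one-line comment above the switch saying that ptr_limit is now the largest permitted offset rather than the size of the area would also spare the next reader from re-deriving why the mask_to_left branches drop `+ 1` while the others gain `- 1`.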
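Review bot: in the fixup_bpf_calls() hunk, `BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit)` still emits a 32-bit immediate that is zero-extended into the 64-bit AX, so whatever retrieve_ptr_limit() stores in aux->alu_limit has to be a non-negative value that fits in 32 bits; with the `- 1` now computed on the retrieve side, a limit that went negative there would arrive here as 0xffffffff and the following `BPF_SUB`/`BPF_OR`/`BPF_NEG` masking would then let any offset up to that size through. The simplification itself is fine, but it only removes the underflow hazard the commit message describes if the caller of retrieve_ptr_limit() rejects out-of-range limits before assigning aux->alu_limit, and that check is not visible in this patch.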
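The mov32 behaviour the commit message refers to is easy to lose in the abstract, so here is a small user-space emulation of the rewritten masking sequence. This is an added illustration, not code from the patch or from the kernel. It assumes the tail of the emitted sequence (ARSH by 63 followed by AND, which the hunk does not show), MAX_BPF_STACK of 512, and a hypothetical range check (limit_fits_mov32) standing in for the boundary check the commit message says retrieve_ptr_limit() is being prepared for.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_BPF_STACK 512   /* assumed value for this emulation */

/* BPF_MOV32_IMM: the immediate lands in the low 32 bits and the upper
 * half is cleared, so a negative immediate does NOT sign-extend. */
static uint64_t mov32_imm(int32_t imm)
{
	return (uint64_t)(uint32_t)imm;
}

/* Instruction sequence emitted after the mov32. SUB/OR/NEG are visible in
 * the hunk; ARSH 63 and the final AND are assumed here. Net effect: off is
 * kept when off <= ax, and forced to 0 when off > ax. */
static uint64_t sanitize_off(uint64_t off, uint64_t ax)
{
	ax = ax - off;                      /* BPF_ALU64_REG(BPF_SUB, AX, off)  */
	ax |= off;                          /* BPF_ALU64_REG(BPF_OR,  AX, off)  */
	ax = (uint64_t)0 - ax;              /* BPF_ALU64_IMM(BPF_NEG, AX, 0)    */
	ax = (ax >> 63) ? UINT64_MAX : 0;   /* same result as BPF_ARSH by 63    */
	return off & ax;                    /* BPF_ALU64_REG(BPF_AND, off, AX)  */
}

/* Pre-patch layout: alu_limit stored as-is, "- 1" folded into the mov32
 * immediate. A limit of 0 becomes mov32(-1) == 0xffffffff. */
static uint64_t mask_old(uint32_t alu_limit, uint64_t off)
{
	return sanitize_off(off, mov32_imm((int32_t)(alu_limit - 1)));
}

/* Post-patch PTR_TO_STACK computation, mirroring the hunk: the "- 1" is
 * applied while the value is still signed, so an underflow is visible as
 * a negative number instead of being hidden by the mov32. */
static int64_t ptr_limit_stack(int64_t off, bool mask_to_left)
{
	return mask_to_left ? MAX_BPF_STACK + off : -off - 1;
}

/* Hypothetical sanity check (assumption, not the kernel's): a limit must be
 * representable as a non-negative 32-bit immediate to survive the mov32. */
static bool limit_fits_mov32(int64_t limit)
{
	return limit >= 0 && limit <= INT32_MAX;
}

static uint64_t mask_new(int64_t alu_limit, uint64_t off)
{
	return sanitize_off(off, mov32_imm((int32_t)alu_limit));
}

int main(void)
{
	/* Pointer at fp-8 moving right: at most 7 bytes stay below fp. */
	int64_t lim = ptr_limit_stack(-8, false);
	printf("limit=%lld: off 4 -> %llu, off 12 -> %llu\n",
	       (long long)lim,
	       (unsigned long long)mask_new(lim, 4),
	       (unsigned long long)mask_new(lim, 12));

	/* Pre-patch underflow: pointer at fp (off 0), limit 0, mov32(0 - 1). */
	printf("old scheme, limit 0: off 8 -> %llu (not masked)\n",
	       (unsigned long long)mask_old(0, 8));

	/* Post-patch: the same condition shows up as -1 and can be rejected. */
	lim = ptr_limit_stack(0, false);
	printf("new scheme, off 0: limit %lld, accepted=%d\n",
	       (long long)lim, limit_fits_mov32(lim));
	return 0;
}
```

Running it shows why the move matters: in the old layout the 0 limit silently turns into 0xffffffff after the mov32 and an offset of 8 passes the mask, whereas in the new layout the same situation is a negative limit inside retrieve_ptr_limit(), where a range check can refuse it before any instruction is emitted.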