Patch "bpf: Fix issue in verifying allow_ptr_leaks" has been added to the 5.10-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    bpf: Fix issue in verifying allow_ptr_leaks

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 80ab7ec37d80ac93467aa9fadb8912c2d15155b5
Author: Yafang Shao <laoar.shao@xxxxxxxxx>
Date:   Wed Aug 23 02:07:02 2023 +0000

    bpf: Fix issue in verifying allow_ptr_leaks
    
    [ Upstream commit d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 ]
    
    After we converted the capabilities of our networking-bpf program from
    cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
    failed to start. Because it failed the bpf verifier, and the error log
    is "R3 pointer comparison prohibited".
    
    A simple reproducer as follows,
    
    SEC("cls-ingress")
    int ingress(struct __sk_buff *skb)
    {
            struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
    
            if ((long)(iph + 1) > (long)skb->data_end)
                    return TC_ACT_STOLEN;
            return TC_ACT_OK;
    }
    
    Per discussion with Yonghong and Alexei [1], comparison of two packet
    pointers is not a pointer leak. This patch fixes it.
    
    Our local kernel is 6.1.y and we expect this fix to be backported to
    6.1.y, so stable is CCed.
    
    [1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@xxxxxxxxxxxxxx/
    
    Suggested-by: Yonghong Song <yonghong.song@xxxxxxxxx>
    Suggested-by: Alexei Starovoitov <alexei.starovoitov@xxxxxxxxx>
    Signed-off-by: Yafang Shao <laoar.shao@xxxxxxxxx>
    Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
    Cc: stable@xxxxxxxxxxxxxxx
    Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@xxxxxxxxx
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 8f1e43df8c5fa..3fb6f6e4857a0 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -8178,6 +8178,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
 		return -EINVAL;
 	}
 
+	/* check src2 operand */
+	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
+	if (err)
+		return err;
+
+	dst_reg = &regs[insn->dst_reg];
 	if (BPF_SRC(insn->code) == BPF_X) {
 		if (insn->imm != 0) {
 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
@@ -8189,12 +8195,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
 		if (err)
 			return err;
 
-		if (is_pointer_value(env, insn->src_reg)) {
+		src_reg = &regs[insn->src_reg];
+		if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
+		    is_pointer_value(env, insn->src_reg)) {
 			verbose(env, "R%d pointer comparison prohibited\n",
 				insn->src_reg);
 			return -EACCES;
 		}
-		src_reg = &regs[insn->src_reg];
 	} else {
 		if (insn->src_reg != BPF_REG_0) {
 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
@@ -8202,12 +8209,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
 		}
 	}
 
-	/* check src2 operand */
-	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-	if (err)
-		return err;
-
-	dst_reg = &regs[insn->dst_reg];
 	is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
 
 	if (BPF_SRC(insn->code) == BPF_K) {



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux