Re: [PATCH v2 4.4 1/3] bpf: fix branch pruning logic

Hi Ben,

On 01/31/2018 07:08 PM, Ben Hutchings wrote:
> From: Alexei Starovoitov <ast@xxxxxx>
> 
> commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 upstream.
> 
> when the verifier detects that register contains a runtime constant
> and it's compared with another constant it will prune exploration
> of the branch that is guaranteed not to be taken at runtime.
> This is all correct, but malicious program may be constructed
> in such a way that it always has a constant comparison and
> the other branch is never taken under any conditions.
> In this case such path through the program will not be explored
> by the verifier. It won't be taken at run-time either, but since
> all instructions are JITed the malicious program may cause JITs
> to complain about using reserved fields, etc.
> To fix the issue we have to track the instructions explored by
> the verifier and sanitize instructions that are dead at run time
> with NOPs. We cannot reject such dead code, since llvm generates
> it for valid C code, since it doesn't do as much data flow
> analysis as the verifier does.
> 
> Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
> Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
> Acked-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> [bwh: Backported to 4.4:
>  - s/bpf_verifier_env/verifier_env/
>  - Adjust context]
> Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>

Thanks a lot for helping out with 4.4! There are a couple more
needed for 4.4; see also the series [0] from a few days ago. I don't
really mind at all which of those Greg cherry-picks, but it would
be good to have the 9 listed upstream commits in some form in 4.4
kernels.

Thanks & best,
Daniel

  [0] https://www.spinics.net/lists/stable/msg212526.html
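
The dead-code sanitization described in the quoted commit message, as an added example that is not part of the original mail and is not the kernel's code. It is a user-space toy model: the instruction set, `explore`, and the constructed sample program are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

/* Toy instruction set (assumption; not the real eBPF encoding). */
enum op { OP_MOV_IMM, OP_JEQ_IMM, OP_NOP, OP_EXIT, OP_RESERVED };
struct insn { enum op op; int reg; int32_t imm; int off; };

/* Constructed sample: r1 is always 7, so the branch at index 1 is always
 * taken and index 2 (an invalid encoding) is dead at run time. */
static const struct insn sample[4] = {
    { OP_MOV_IMM, 1, 7, 0 }, { OP_JEQ_IMM, 1, 7, 1 },
    { OP_RESERVED, 0, 0, 0 }, { OP_EXIT, 0, 0, 0 },
};

/* Explore only reachable paths, pruning branches decided by known constants.
 * Returns 0 if every explored instruction is valid, -1 otherwise. */
static int explore(const struct insn *prog, int len, uint8_t *seen)
{
    int32_t regs[4] = { 0 }; int pc = 0;
    memset(seen, 0, (size_t)len);
    while (pc >= 0 && pc < len) {
        const struct insn *i = &prog[pc];
        seen[pc] = 1;                /* record that this insn was verified */
        if (i->op == OP_EXIT) return 0;
        if (i->op == OP_RESERVED || i->off < 0 || i->reg < 0 || i->reg > 3)
            return -1;               /* invalid on a live path: reject */
        if (i->op == OP_MOV_IMM) regs[i->reg] = i->imm;
        pc += (i->op == OP_JEQ_IMM && regs[i->reg] == i->imm) ? 1 + i->off : 1;
    }
    return -1;                       /* fell off the end without EXIT */
}

/* Replace every instruction the walk never reached with a NOP, so a later
 * stage (the JIT, in the kernel's case) never sees unvalidated code. */
static int sanitize_dead_code(struct insn *prog, int len, const uint8_t *seen)
{
    const struct insn nop = { OP_NOP, 0, 0, 0 };
    int patched = 0;
    for (int i = 0; i < len; i++)
        if (!seen[i]) { prog[i] = nop; patched++; }
    return patched;
}

int main(void)
{
    struct insn prog[4]; uint8_t seen[4];
    memcpy(prog, sample, sizeof(sample));
    return explore(prog, 4, seen) || sanitize_dead_code(prog, 4, seen) != 1;
}
```

Without the sanitize step the walk still accepts the sample, because the reserved instruction at index 2 is never explored; that unverified instruction is what the commit message says a JIT would otherwise be handed.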