On Wed, Jan 31, 2018 at 06:03:45PM +0000, Ben Hutchings wrote:
> commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 upstream.
>
> when the verifier detects that register contains a runtime constant
> and it's compared with another constant it will prune exploration
> of the branch that is guaranteed not to be taken at runtime.
> This is all correct, but malicious program may be constructed
> in such a way that it always has a constant comparison and
> the other branch is never taken under any conditions.
> In this case such path through the program will not be explored
> by the verifier. It won't be taken at run-time either, but since
> all instructions are JITed the malicious program may cause JITs
> to complain about using reserved fields, etc.
> To fix the issue we have to track the instructions explored by
> the verifier and sanitize instructions that are dead at run time
> with NOPs. We cannot reject such dead code, since llvm generates
> it for valid C code, since it doesn't do as much data flow
> analysis as the verifier does.
>
> Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
> Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
> Acked-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
> [bwh: Backported to 4.4:
>  - s/bpf_verifier_env/verifier_env/
>  - Adjust context]
> Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx>
> ---
>  kernel/bpf/verifier.c | 28 ++++++++++++++++++++++++++++
>  1 file changed, 28 insertions(+)

Daniel already provided a backport of this, thanks.

greg k-h
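The mechanism the quoted commit message describes (prune the branch a constant comparison can never take, remember which instructions the verifier actually walked, then rewrite the unexplored ones to NOPs before the JIT sees them) in miniature. This is an added illustration written for this page, not the kernel's verifier or JIT; the opcodes, `struct insn`, `explore`, `verify_and_sanitize`, `jit_accepts` and the sample program are all constructed, and the program model is loop-free with a single-entry DFS.

```c
/* Toy instruction set and register state, constructed for this example;
 * it is not the kernel's BPF encoding or its verifier code. */
enum { OP_MOV_IMM, OP_JEQ_IMM, OP_EXIT, OP_RESERVED, OP_NOP };
struct insn { int op, reg, imm, off; };
struct regstate { int known[4], val[4]; };

/* Depth-first walk of a loop-free program: a compare against a register holding a known
 * constant follows only the branch that can be taken; every reached insn is marked explored. */
static int explore(const struct insn *p, int n, int pc, struct regstate st, unsigned char *explored) {
    while (pc >= 0 && pc < n) {
        const struct insn *i = &p[pc]; explored[pc] = 1;
        switch (i->op) {
        case OP_MOV_IMM: st.known[i->reg] = 1; st.val[i->reg] = i->imm; pc++; break;
        case OP_JEQ_IMM:
            /* unknown value: walk the target too; known constant: prune the branch not taken */
            if (!st.known[i->reg] && !explore(p, n, pc + 1 + i->off, st, explored)) return 0;
            pc += (st.known[i->reg] && st.val[i->reg] == i->imm) ? 1 + i->off : 1;
            break;
        case OP_EXIT: return 1;
        default: return 0;                /* reserved opcode on a live path: reject */
        }
    }
    return 0;                             /* ran off the end of the program */
}

/* Verify, then rewrite every unexplored (dead) instruction to a NOP.
 * Returns the number of instructions sanitized, or -1 if the program is rejected. */
int verify_and_sanitize(struct insn *p, int n) {
    unsigned char explored[64] = {0};
    struct regstate st = {{0}, {0}}; int nops = 0;
    if (n > 64 || !explore(p, n, 0, st, explored)) return -1;
    for (int i = 0; i < n; i++)
        if (!explored[i]) { p[i] = (struct insn){OP_NOP, 0, 0, 0}; nops++; }
    return nops;
}

/* Toy JIT: translates every instruction, dead or not, and refuses reserved ones. */
int jit_accepts(const struct insn *p, int n) {
    for (int i = 0; i < n; i++) if (p[i].op == OP_RESERVED) return 0;
    return 1;
}

/* Constructed sample: r1 is a runtime constant, so the jump is always taken and the reserved
 * insn behind it is dead. Returns 1 if the raw program fails the JIT, exactly one insn is NOPed, and the result passes. */
int demo(void) {
    struct insn prog[] = { {OP_MOV_IMM, 1, 7, 0}, {OP_JEQ_IMM, 1, 7, 1},   /* r1 = 7; if r1 == 7 goto +1 */
                           {OP_RESERVED, 0, 0, 0}, {OP_EXIT, 0, 0, 0} };  /* dead reserved insn; exit */
    int before = jit_accepts(prog, 4), nops = verify_and_sanitize(prog, 4);
    return !before && nops == 1 && prog[2].op == OP_NOP && jit_accepts(prog, 4);
}
```

The same walk over a program whose compared register is unknown explores both successors and NOPs nothing, while a reserved opcode on a live path is still rejected outright rather than sanitized.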