On Wed, Jan 31, 2018 at 06:08:10PM +0000, Ben Hutchings wrote: > From: Alexei Starovoitov <ast@xxxxxx> > > commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 upstream. > > when the verifier detects that register contains a runtime constant > and it's compared with another constant it will prune exploration > of the branch that is guaranteed not to be taken at runtime. > This is all correct, but malicious program may be constructed > in such a way that it always has a constant comparison and > the other branch is never taken under any conditions. > In this case such path through the program will not be explored > by the verifier. It won't be taken at run-time either, but since > all instructions are JITed the malicious program may cause JITs > to complain about using reserved fields, etc. > To fix the issue we have to track the instructions explored by > the verifier and sanitize instructions that are dead at run time > with NOPs. We cannot reject such dead code, since llvm generates > it for valid C code, since it doesn't do as much data flow > analysis as the verifier does. > > Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)") > Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx> > Acked-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx> > Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx> > [bwh: Backported to 4.4: > - s/bpf_verifier_env/verifier_env/ > - Adjust context] > Signed-off-by: Ben Hutchings <ben.hutchings@xxxxxxxxxxxxxxx> > --- > v2: Restore Alexei as author All 3 of these are already queued up thanks to backport from Daniel. greg k-h