From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Alexei Starovoitov, Daniel Borkmann
Subject: [PATCH 4.4 10/67] bpf: reject stores into ctx via st and xadd
Date: Fri, 2 Feb 2018 17:57:39 +0100
Message-Id: <20180202140816.368433911@linuxfoundation.org>
In-Reply-To: <20180202140815.091718203@linuxfoundation.org>
References: <20180202140815.091718203@linuxfoundation.org>
X-Mailer: git-send-email 2.16.1
User-Agent: quilt/0.65
X-Mailing-List: linux-kernel@vger.kernel.org

4.4-stable review patch. If anyone has any objections, please let me know.

------------------
From: Daniel Borkmann

[ upstream commit f37a8cb84cce18762e8f86a70bd6a49a66ab964c ]

Alexei found that the verifier does not reject stores into context via BPF_ST instead of BPF_STX. And while looking at it, we also should not allow the XADD variant of BPF_STX. The context rewriter is only assuming either BPF_LDX_MEM- or BPF_STX_MEM-type operations, thus reject anything other than that so that assumptions in the rewriter properly hold. Add test cases as well for BPF selftests.

Fixes: d691f9e8d440 ("bpf: allow programs to write to certain skb fields")
Reported-by: Alexei Starovoitov
Signed-off-by: Daniel Borkmann
Signed-off-by: Alexei Starovoitov
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -683,6 +683,13 @@ static bool is_pointer_value(struct veri } } +static bool is_ctx_reg(struct verifier_env *env, int regno) +{ + const struct reg_state *reg = &env->cur_state.regs[regno]; + + return reg->type == PTR_TO_CTX; +} + /* check whether memory at (regno + off) is accessible for t = (read | write) * if t==write, value_regno is a register which value is stored into memory * if t==read, value_regno is a register which will receive the value from memory @@ -779,6 +786,12 @@ static int check_xadd(struct verifier_en return -EACCES; } + if (is_ctx_reg(env, insn->dst_reg)) { + verbose("BPF_XADD stores into R%d context is not allowed\n", + insn->dst_reg); + return -EACCES; + } + /* check whether atomic_add can read the memory */ err = check_mem_access(env, insn->dst_reg, insn->off, BPF_SIZE(insn->code), BPF_READ, -1); 
@@ -1909,6 +1922,12 @@ static int do_check(struct verifier_env if (err) return err; + if (is_ctx_reg(env, insn->dst_reg)) { + verbose("BPF_ST stores into R%d context is not allowed\n", + insn->dst_reg); + return -EACCES; + } + /* check that memory (dst_reg + off) is writeable */ err = check_mem_access(env, insn->dst_reg, insn->off, BPF_SIZE(insn->code), BPF_WRITE,
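Review bot: in the first hunk (@@ -683), is_ctx_reg() indexes env->cur_state.regs[regno] with no range check, so it is only safe once the register has already been validated; both call sites in this patch sit after such a check (the `if (err) return err;` context in do_check(), and the reject ending in `return -EACCES; }` just above the new block in check_xadd()), but a one-line comment on the helper saying it expects an already-checked regno would protect future callers. Since the helper only reads state, `struct verifier_env *env` could be `const`. Separately, the commit message says test cases were added to the BPF selftests, yet the diffstat shows only kernel/bpf/verifier.c changing, so the stable submission should note that the selftest part of the upstream commit was dropped in the backport.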
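Review bot: the new block in the check_xadd() hunk (@@ -779) rejects without saying why; a short comment such as `/* the ctx rewriter only translates BPF_LDX_MEM/BPF_STX_MEM, so an atomic add into ctx must never reach it */` would tie the reject to the reason given in the commit message. The ordering is the important part and is right: the reject precedes check_mem_access(..., BPF_READ, ...), which judges the access only by the ctx offset and would otherwise let a BPF_XADD on a permitted field through. The verbose() text "BPF_XADD stores into R%d context is not allowed" reads awkwardly; "BPF_XADD into R%d (ctx) is not allowed" is clearer, though keeping the upstream wording in a stable backport is defensible.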
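Review bot: the do_check() hunk (@@ -1909) duplicates the check_xadd() block except for the opcode name in the verbose() string; folding the message into is_ctx_reg() or a small reject helper taking the opcode name would keep the two sites from drifting, although matching upstream line for line is reasonable for a 4.4 backport. Placement is correct: the check comes after the register validation whose `if (err) return err;` is visible in the context and before the BPF_WRITE check_mem_access(), which would accept a BPF_ST to one of the writable skb fields named in the Fixes line even though the rewriter cannot translate a BPF_ST.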
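As an added illustration (not code from the patch or the kernel), the program below models the rule this patch adds in stand-alone C: it tracks which registers hold the context pointer, flags a BPF_ST or BPF_STX|BPF_XADD whose destination is PTR_TO_CTX, and leaves BPF_STX_MEM alone because that is the form the context rewriter handles. The register typing is a deliberately simplified model of the verifier, and the three programs are constructed inputs, not the kernel selftests.

```c
#include <stdio.h>
#include <stdint.h>
/* Subset of the eBPF instruction encoding (numeric values as in the Linux UAPI). */
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_MODE(c)  ((c) & 0xe0)
#define BPF_OP(c)    ((c) & 0xf0)
enum { BPF_LDX = 0x01, BPF_ST = 0x02, BPF_STX = 0x03, BPF_ALU = 0x04, BPF_JMP = 0x05,
       BPF_ALU64 = 0x07, BPF_W = 0x00, BPF_X = 0x08, BPF_MEM = 0x60, BPF_XADD = 0xc0,
       BPF_MOV = 0xb0, BPF_EXIT = 0x90 };
struct bpf_insn { uint8_t code; uint8_t dst_reg:4; uint8_t src_reg:4; int16_t off; int32_t imm; };
enum reg_type { NOT_INIT, SCALAR, PTR_TO_CTX, PTR_TO_STACK };
/* Simplified model of verifier register typing: R1 is ctx and R10 the frame pointer at entry,
 * a 64-bit reg-to-reg mov copies a pointer type, any other ALU op or load yields a scalar.
 * Returns the index of the first BPF_ST or BPF_STX|BPF_XADD into PTR_TO_CTX, or -1 if none. */
int first_rejected_ctx_store(const struct bpf_insn *prog, int len)
{
	enum reg_type regs[11] = { [1] = PTR_TO_CTX, [10] = PTR_TO_STACK };
	for (int i = 0; i < len; i++) {
		const struct bpf_insn *insn = &prog[i];
		uint8_t class = BPF_CLASS(insn->code);
		int is_st = class == BPF_ST, is_xadd = class == BPF_STX && BPF_MODE(insn->code) == BPF_XADD;
		if ((is_st || is_xadd) && regs[insn->dst_reg] == PTR_TO_CTX) {
			printf("insn %d: %s stores into R%d context is not allowed\n",
			       i, is_st ? "BPF_ST" : "BPF_XADD", insn->dst_reg);
			return i;
		}
		if (class == BPF_ALU64 && BPF_OP(insn->code) == BPF_MOV && (insn->code & BPF_X))
			regs[insn->dst_reg] = regs[insn->src_reg];   /* pointer type survives a 64-bit mov */
		else if (class == BPF_ALU || class == BPF_ALU64 || class == BPF_LDX)
			regs[insn->dst_reg] = SCALAR;                /* everything else: scalar in this model */
	}
	return -1;
}
/* Constructed test programs (not the kernel selftests); each ends with exit. */
const struct bpf_insn st_into_ctx[] = {        /* *(u32 *)(r1 + 0) = 42 */
	{ BPF_ST | BPF_MEM | BPF_W, 1, 0, 0, 42 }, { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 } };
const struct bpf_insn xadd_into_ctx_copy[] = { /* r2 = r1; r3 = 1; lock *(u32 *)(r2 + 0) += r3 */
	{ BPF_ALU64 | BPF_MOV | BPF_X, 2, 1, 0, 0 }, { BPF_ALU64 | BPF_MOV, 3, 0, 0, 1 },
	{ BPF_STX | BPF_XADD | BPF_W, 2, 3, 0, 0 }, { BPF_JMP | BPF_EXIT, 0, 0, 0, 0 } };
const struct bpf_insn stx_into_ctx[] = {       /* r3 = 1; *(u32 *)(r1 + 0) = r3: BPF_STX_MEM, left to the rewriter */
	{ BPF_ALU64 | BPF_MOV, 3, 0, 0, 1 }, { BPF_STX | BPF_MEM | BPF_W, 1, 3, 0, 0 },
	{ BPF_JMP | BPF_EXIT, 0, 0, 0, 0 } };
int main(void)
{
	int a = first_rejected_ctx_store(st_into_ctx, 2), b = first_rejected_ctx_store(xadd_into_ctx_copy, 4);
	printf("rejected at insn %d and %d; BPF_STX_MEM case: %d\n", a, b, first_rejected_ctx_store(stx_into_ctx, 3));
	return 0;
}
```

The second program shows why the check must look at the register's type rather than at R1 by name: the context pointer copied into R2 is still PTR_TO_CTX when the XADD reaches it.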