From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Borkmann, "Naveen N. Rao", Alexei Starovoitov
Subject: [PATCH 4.15 08/11] bpf, ppc64: fix out of bounds access in tail call
Date: Fri, 9 Mar 2018 16:19:22 -0800
Message-Id: <20180310001835.001671203@linuxfoundation.org>
In-Reply-To: <20180310001834.560857664@linuxfoundation.org>

4.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann

[ upstream commit d269176e766c71c998cb75b4ea8cbc321cc0019d ]

While working on 16338a9b3ac3 ("bpf, arm64: fix out of bounds access in tail call") I noticed that ppc64 JIT is partially affected as well. While the bound checking is correctly performed as unsigned comparison, the register with the index value however, is never truncated into 32 bit space, so e.g. an index value of 0x100000000ULL with a map of 1 element would pass with PPC_CMPLW() whereas we later on continue with the full 64 bit register value. Therefore, as we do in interpreter and other JITs truncate the value to 32 bit initially in order to fix access.

Fixes: ce0761419fae ("powerpc/bpf: Implement support for tail calls")
Signed-off-by: Daniel Borkmann
Reviewed-by: Naveen N. Rao
Tested-by: Naveen N. Rao
Signed-off-by: Alexei Starovoitov
Signed-off-by: Daniel Borkmann
Signed-off-by: Greg Kroah-Hartman

--- arch/powerpc/net/bpf_jit_comp64.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/powerpc/net/bpf_jit_comp64.c +++ b/arch/powerpc/net/bpf_jit_comp64.c @@ -242,6 +242,7 @@ static void bpf_jit_emit_tail_call(u32 * * goto out; */ PPC_LWZ(b2p[TMP_REG_1], b2p_bpf_array, offsetof(struct bpf_array, map.max_entries)); + PPC_RLWINM(b2p_index, b2p_index, 0, 0, 31); PPC_CMPLW(b2p_index, b2p[TMP_REG_1]); PPC_BCC(COND_GE, out);
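
Review bot: The added PPC_RLWINM(b2p_index, b2p_index, 0, 0, 31); line has no comment, and the arguments 0, 0, 31 do not say on their own that the purpose is to clear the upper 32 bits of the index before PPC_CMPLW() and before the register is used again after the branch. The pseudo-code comment that closes just above PPC_LWZ() (ending in "goto out;") is where a reader looks for the intent of this check, so either a line there or a short comment on the new instruction, for example /* truncate index to 32 bits, as the interpreter and other JITs do */, would keep it from being read as a no-op and removed in a later cleanup. The truncation is done in place on b2p_index, which is what the commit message asks for; a comment stating that later uses rely on the truncated value would make that dependency explicit.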
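
The width mismatch described in the commit message, modelled in plain C as an added example (this is not kernel or JIT code and not part of the patch). The function names, the REJECTED sentinel and the sample indices are assumptions made for illustration; only the 0x100000000 index with a one-element map comes from the message.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Sentinel for "goto out". Never a valid slot: a low word of 0xffffffff
 * is >= every possible u32 max_entries, so such an index is rejected. */
#define REJECTED UINT64_MAX

/* Models PPC_CMPLW(): unsigned compare of the low 32 bits only. */
static int cmplw_ge(uint64_t a, uint64_t b)
{
    return (uint32_t)a >= (uint32_t)b;
}

/* Before the fix: the check sees the low word, but the full 64-bit
 * register value is what the later slot lookup would use. */
static uint64_t slot_before_fix(uint64_t index, uint32_t max_entries)
{
    if (cmplw_ge(index, max_entries))
        return REJECTED;
    return index;
}

/* After the fix: clear the upper 32 bits first, as the added
 * PPC_RLWINM(b2p_index, b2p_index, 0, 0, 31) does, then check. */
static uint64_t slot_after_fix(uint64_t index, uint32_t max_entries)
{
    index &= 0xffffffffULL;
    if (cmplw_ge(index, max_entries))
        return REJECTED;
    return index;
}

int main(void)
{
    /* Constructed inputs; 0x100000000 is the case from the commit message. */
    const uint64_t samples[] = { 0, 5, 0x100000000ULL, 0x100000005ULL };
    const uint32_t max_entries = 1;

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        uint64_t before = slot_before_fix(samples[i], max_entries);
        uint64_t after = slot_after_fix(samples[i], max_entries);
        printf("index=0x%" PRIx64 " before=0x%" PRIx64 "%s after=0x%" PRIx64 "\n",
               samples[i], before,
               (before != REJECTED && before >= max_entries) ? " (OOB)" : "",
               after);
    }
    return 0;
}
```

After truncation the index 0x100000000 becomes 0, which is a valid slot in a one-element map; this matches treating the index as a 32-bit value throughout, as the commit message says the interpreter and other JITs do.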