From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Borkmann, "Naveen N. Rao", Alexei Starovoitov
Subject: [PATCH 4.9 64/65] bpf, ppc64: fix out of bounds access in tail call
Date: Fri, 9 Mar 2018 16:19:04 -0800
Message-Id: <20180310001830.431379926@linuxfoundation.org>
In-Reply-To: <20180310001824.927996722@linuxfoundation.org>

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Daniel Borkmann

[ upstream commit d269176e766c71c998cb75b4ea8cbc321cc0019d ]

While working on 16338a9b3ac3 ("bpf, arm64: fix out of bounds access in
tail call") I noticed that ppc64 JIT is partially affected as well. While
the bound checking is correctly performed as unsigned comparison, the
register with the index value however, is never truncated into 32 bit
space, so e.g. an index value of 0x100000000ULL with a map of 1 element
would pass with PPC_CMPLW() whereas we later on continue with the full
64 bit register value. Therefore, as we do in interpreter and other JITs
truncate the value to 32 bit initially in order to fix access.

Fixes: ce0761419fae ("powerpc/bpf: Implement support for tail calls")
Signed-off-by: Daniel Borkmann
Reviewed-by: Naveen N. Rao
Tested-by: Naveen N. Rao
Signed-off-by: Alexei Starovoitov
Signed-off-by: Daniel Borkmann
Signed-off-by: Greg Kroah-Hartman
--- arch/powerpc/net/bpf_jit_comp64.c | 1 + 1 file changed, 1 insertion(+) --- a/arch/powerpc/net/bpf_jit_comp64.c +++ b/arch/powerpc/net/bpf_jit_comp64.c @@ -245,6 +245,7 @@ static void bpf_jit_emit_tail_call(u32 * * goto out; */ PPC_LWZ(b2p[TMP_REG_1], b2p_bpf_array, offsetof(struct bpf_array, map.max_entries)); + PPC_RLWINM(b2p_index, b2p_index, 0, 0, 31); PPC_CMPLW(b2p_index, b2p[TMP_REG_1]); PPC_BCC(COND_GE, out);
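
Review bot: the added PPC_RLWINM(b2p_index, b2p_index, 0, 0, 31) line in bpf_jit_emit_tail_call() carries no comment, and the pseudo-code comment ending in "goto out;" directly above the PPC_LWZ is not updated to show that the index is now narrowed before the compare. Since PPC_CMPLW already looks like a complete 32-bit bounds check, a reader could take the mask for redundant and drop it in a later cleanup. Suggest a one-line comment over the new instruction stating that it clears the upper 32 bits of b2p_index because the code after the check uses the whole register, or extending the existing pseudo-code comment to say the index is treated as u32.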
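
The mismatch the commit message describes, as a user-space C model (an added example, not code from the patch or the kernel): `cmplw_ge()` and `rlwinm_0_0_31()` are hypothetical stand-ins for the PPC_CMPLW and PPC_RLWINM instructions, and `model_tail_call()` is a hypothetical model of the emitted check run on the commit's own values.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of cmplw + bge: only the low 32 bits of each register are compared, unsigned. */
static bool cmplw_ge(uint64_t ra, uint64_t rb)
{
    return (uint32_t)ra >= (uint32_t)rb;
}

/* Model of rlwinm rX, rX, 0, 0, 31: keep the low word, clear the upper 32 bits. */
static uint64_t rlwinm_0_0_31(uint64_t r)
{
    return r & 0xffffffffULL;
}

struct tail_call { bool passed_check; uint64_t slot; };

/* Hypothetical model of the emitted bounds check; 'truncate' selects the patched sequence. */
struct tail_call model_tail_call(uint64_t index, uint32_t max_entries, bool truncate)
{
    struct tail_call r = { false, 0 };
    if (truncate)
        index = rlwinm_0_0_31(index);
    if (cmplw_ge(index, max_entries))
        return r;               /* goto out */
    r.passed_check = true;
    r.slot = index;             /* later code continues with the full 64-bit register */
    return r;
}

/* True when the check let through a slot that lies outside the array. */
bool out_of_bounds(struct tail_call r, uint32_t max_entries)
{
    return r.passed_check && r.slot >= max_entries;
}

int main(void)
{
    const uint64_t idx = 0x100000000ULL;   /* index value from the commit message */
    const uint32_t max = 1;                /* map of 1 element */
    struct tail_call before = model_tail_call(idx, max, false);
    struct tail_call after = model_tail_call(idx, max, true);
    printf("before: passed=%d slot=%#llx oob=%d\n", before.passed_check,
           (unsigned long long)before.slot, out_of_bounds(before, max));
    printf("after:  passed=%d slot=%#llx oob=%d\n", after.passed_check,
           (unsigned long long)after.slot, out_of_bounds(after, max));
    return 0;
}
```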