From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Daniel Borkmann, Alexei Starovoitov, Balbir Singh
Subject: [PATCH 4.14 82/92] bpf: restrict unknown scalars of mixed signed bounds for unprivileged
Date: Thu, 18 Apr 2019 19:57:40 +0200
Message-Id: <20190418160437.708923790@linuxfoundation.org>
X-Mailer: git-send-email 2.21.0
In-Reply-To: <20190418160430.325165109@linuxfoundation.org>
References: <20190418160430.325165109@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Daniel Borkmann

commit 9d7eceede769f90b66cfa06ad5b357140d5141ed upstream.

For unknown scalars of mixed signed bounds, meaning their smin_value is negative and their smax_value is positive, we need to reject arithmetic with pointer to map value. For unprivileged the goal is to mask every map pointer arithmetic and this cannot reliably be done when it is unknown at verification time whether the scalar value is negative or positive. Given this is a corner case, the likelihood of breaking should be very small.

Signed-off-by: Daniel Borkmann
Acked-by: Alexei Starovoitov
Signed-off-by: Alexei Starovoitov
[backported to 4.14 sblbir]
Signed-off-by: Balbir Singh
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -2014,8 +2014,8 @@ static int adjust_ptr_min_max_vals(struc smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; + u32 dst = insn->dst_reg, src = insn->src_reg; u8 opcode = BPF_OP(insn->code); - u32 dst = insn->dst_reg; dst_reg = ®s[dst]; 
@@ -2189,6 +2189,13 @@ static int adjust_ptr_min_max_vals(struc verbose("R%d bitwise operator %s on pointer prohibited\n", dst, bpf_alu_string[opcode >> 4]); return -EACCES; + case PTR_TO_MAP_VALUE: + if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { + verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", + off_reg == dst_reg ? dst : src); + return -EACCES; + } + /* fall-through */ default: /* other operators (e.g. MUL,LSH) produce non-pointer results */ if (!env->allow_ptr_leaks)
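Review bot: In the second hunk (@@ -2189,6 +2189,13 @@), the new `case PTR_TO_MAP_VALUE:` label sits directly after the "bitwise operator %s on pointer prohibited" branch and before the `default:` commented "other operators (e.g. MUL,LSH) produce non-pointer results", which from the context lines reads as the switch over the ALU opcode rather than one over the pointer register type. PTR_TO_MAP_VALUE is a register type and would not be expected to match an opcode value, so if that reading is right the mixed-bounds check is never evaluated for the map-value arithmetic the commit message describes, and the `/* fall-through */` leads into the non-pointer-result handling instead of a plain break. Please confirm which switch this lands in for the 4.14 backport; if it is the opcode switch, the check should be moved so it is evaluated against `ptr_reg->type` before the opcode is dispatched. A one-line comment above the condition stating that `(smin_val < 0) != (smax_val < 0)` is the "mixed signed bounds" test would also help anyone comparing later backports.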