Received: by 2002:a05:6a10:9848:0:0:0:0 with SMTP id x8csp1213432pxf; Fri, 9 Apr 2021 02:59:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyfJOjvyKSJ+5KUWlAXSSVbymtZjmgtBV/A7ITS2TxYfDhA33rHUXkI+BSvnjTB3OFXvdO7 X-Received: by 2002:a17:90a:6304:: with SMTP id e4mr6521406pjj.63.1617962340292; Fri, 09 Apr 2021 02:59:00 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1617962340; cv=none; d=google.com; s=arc-20160816; b=yjn/2H379Sl3us2MHO96U24HPhP2UZaufULsd5ZD1omtU2aXn2T/maBlgjaNRMITVM lJf0VFTFs2fAD/Ze2rOmKAjpyBvuLGLHkcfZ9JrWFyv2fMq19ZDYZH6zA1roUSAdPTzZ srM207TOXNZBiN20ouhlCZqSuxhto+8dbkONkvh1RNzNct9fkXOAeCx6ZREk2qOO8kg0 3ltvaxJRgb+mQhU8zS/bGCPLgxy5CbC0RpXDYRb0ltJvJhKwt/3LbnMorT4AakyZY8PV kJrcfZUGaTIKTiucdATWkOtDI8OLv1lzgisConbBq1jKp73j2wytQ+TjGnlCN3ziTKlZ ifuQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=Bj7C09HIP+COAKpWVt8sgD/bdbwPNTUMhvkiVMubBmQ=; b=VVV+dHCZ/WVc+s/KhQYThyzWPmdmVlw4kQx6J3UyD7JglMPNvoE37z/ulKqfQnv4+9 oCwvpE+hi5BezSh/L9VaMrXp2VE6mRfhirNrnYM7Px0niyZLviIRPNAoeKUsfEIsfsZZ lPxBc51z7sGiFRMK1tKGkJ42eSFyOAZfpg6WhqOTI4xLbJS08T6tzaRmfRQI19KXwww9 LvMdj4is7WfFxkZTys2yUhsucGsenfRtKILRXfTypKqHeunHtU/e156+z2tiXyR0GGha x71HIGfGKtP4wxTNMoq0P4nnCT84lqJtJIQfSWF82OCbLpiP/Q6kK5SF/vcNFZhqT4Wc g2Nw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=R5wpzssn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id t10si2358158pfe.247.2021.04.09.02.58.48; Fri, 09 Apr 2021 02:59:00 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=R5wpzssn; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233657AbhDIJ5a (ORCPT + 99 others); Fri, 9 Apr 2021 05:57:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:44302 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232813AbhDIJ4Q (ORCPT ); Fri, 9 Apr 2021 05:56:16 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 63B3F6103E; Fri, 9 Apr 2021 09:56:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1617962162; bh=fQ2B3Sw6KBl8kdpti/WJmy/wUgEyZvTQx5IeAxhDBJ0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R5wpzssnz6520nbMATMmSo6F927QDxMGV2eGsIsFrmaoMGxC5hIs+wed/DCEcf/21 R4lzyWMmAuZgLgkVUtY3aKMckoERfXEyO1vM1lB66riTzXWzdjUBvtWD/payjG4m+B 8TFJsrFvdF0PRNR0IgI5sLguApKaut7QhFTpA5IU= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Piotr Krysiuk , Daniel Borkmann Subject: [PATCH 4.14 12/14] bpf, x86: Validate computation of branch displacements for x86-64 Date: Fri, 9 Apr 2021 11:53:37 +0200 Message-Id: <20210409095300.792883435@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210409095300.391558233@linuxfoundation.org> References: <20210409095300.391558233@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Piotr Krysiuk commit e4d4d456436bfb2fe412ee2cd489f7658449b098 upstream. The branch displacement logic in the BPF JIT compilers for x86 assumes that, for any generated branch instruction, the distance cannot increase between optimization passes. But this assumption can be violated due to how the distances are computed. Specifically, whenever a backward branch is processed in do_jit(), the distance is computed by subtracting the positions in the machine code from different optimization passes. This is because part of addrs[] is already updated for the current optimization pass, before the branch instruction is visited. And so the optimizer can expand blocks of machine code in some cases. This can confuse the optimizer logic, where it assumes that a fixed point has been reached for all machine code blocks once the total program size stops changing. And then the JIT compiler can output abnormal machine code containing incorrect branch displacements. To mitigate this issue, we assert that a fixed point is reached while populating the output image. This rejects any problematic programs. The issue affects both x86-32 and x86-64. We mitigate separately to ease backporting. Signed-off-by: Piotr Krysiuk Reviewed-by: Daniel Borkmann Signed-off-by: Daniel Borkmann Signed-off-by: Greg Kroah-Hartman --- arch/x86/net/bpf_jit_comp.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -1107,7 +1107,16 @@ common_load: } if (image) { - if (unlikely(proglen + ilen > oldproglen)) { + /* + * When populating the image, assert that: + * + * i) We do not write beyond the allocated space, and + * ii) addrs[i] did not change from the prior run, in order + * to validate assumptions made for computing branch + * displacements. + */ + if (unlikely(proglen + ilen > oldproglen || + proglen + ilen != addrs[i])) { pr_err("bpf_jit: fatal error\n"); return -EFAULT; }