From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Piotr Krysiuk, Daniel Borkmann, Alexei Starovoitov
Subject: [PATCH 5.4 2/7] bpf: Fix mask direction swap upon off reg sign change
Date: Thu, 27 May 2021 17:12:44 +0200
Message-Id: <20210527151139.302053105@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210527151139.224619013@linuxfoundation.org>
References: <20210527151139.224619013@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Daniel Borkmann

commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream.

Masking direction as indicated via mask_to_left is considered to be
calculated once and then used to derive pointer limits. Thus, this
needs to be placed into bpf_sanitize_info instead so we can pass it
to sanitize_ptr_alu() call after the pointer move.

Piotr noticed a corner case where the off reg causes masking direction
change which then results in an incorrect final aux->alu_limit.

Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
Reported-by: Piotr Krysiuk
Signed-off-by: Daniel Borkmann
Reviewed-by: Piotr Krysiuk
Acked-by: Alexei Starovoitov
Signed-off-by: Greg Kroah-Hartman
---
 kernel/bpf/verifier.c |   22 ++++++++++++----------
 1 file changed, 12 insertions(+), 10 deletions(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4272,18 +4272,10 @@ enum { }; static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, - const struct bpf_reg_state *off_reg, - u32 *alu_limit, u8 opcode) + u32 *alu_limit, bool mask_to_left) { - bool off_is_neg = off_reg->smin_value < 0; - bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || - (opcode == BPF_SUB && !off_is_neg); u32 max = 0, ptr_limit = 0; - if (!tnum_is_const(off_reg->var_off) && - (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) - return REASON_BOUNDS; - switch (ptr_reg->type) { case PTR_TO_STACK: /* Offset 0 is out-of-bounds, but acceptable start for the @@ -4351,6 +4343,7 @@ static bool sanitize_needed(u8 opcode) struct bpf_sanitize_info { struct bpf_insn_aux_data aux; + bool mask_to_left; }; static int sanitize_ptr_alu(struct bpf_verifier_env *env, @@ -4382,7 +4375,16 @@ static int sanitize_ptr_alu(struct bpf_v if (vstate->speculative) goto do_sim; - err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode); + if (!commit_window) { + if (!tnum_is_const(off_reg->var_off) && + (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) + return REASON_BOUNDS; + + info->mask_to_left = (opcode == BPF_ADD && off_is_neg) || + (opcode == BPF_SUB && !off_is_neg); + } + + err = retrieve_ptr_limit(ptr_reg, &alu_limit, info->mask_to_left); if (err < 0) return err;
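Review bot: in the first hunk (retrieve_ptr_limit), dropping off_reg and opcode from the signature means every caller must now hand in a precomputed direction, and the only call visible in this patch is the one in sanitize_ptr_alu(); for a 5.4 backport that should be checked rather than assumed, e.g. `git grep -n retrieve_ptr_limit kernel/bpf/` before applying. The REASON_BOUNDS rejection deleted here was the only guard against a non-constant offset whose sign is unknown, so wherever it is re-added it has to run before the direction is ever used; the hunk leaves the function with no defence of its own if a caller forgets.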
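Review bot: in the second hunk, the new `bool mask_to_left;` member of struct bpf_sanitize_info carries no comment about its lifetime, yet the correctness of the fix depends on it: it is written on the first (non-commit) sanitize pass and read back on the commit pass, so a caller that allocates a fresh struct per pass or leaves it uninitialised would silently use a stale or garbage direction. Suggest a one-line comment on the field, for example `bool mask_to_left; /* set on first pass, reused in commit window */`, and confirming the struct is zero-initialised where it is declared in adjust_ptr_min_max_vals().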
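Review bot: in the third hunk (sanitize_ptr_alu), the `if (!commit_window)` block uses `off_is_neg`, but the only definition of that name shown in this patch is the line `bool off_is_neg = off_reg->smin_value < 0;` that the first hunk deletes from retrieve_ptr_limit(); please confirm sanitize_ptr_alu() already declares an identically computed local in the unchanged context above, otherwise this does not build. A short comment on the block would also help future readers: the bounds check and the direction are deliberately not recomputed in the commit window because, after the pointer move, the off reg's sign bounds may no longer match what the first pass saw, and recomputing is exactly the direction swap this patch removes.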
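The two-pass behaviour the commit message describes, as an added C model that is not kernel code and not from the patch author: a pre-patch variant re-derives mask_to_left from the off reg on every call, and a post-patch variant computes it once on the first pass and caches it in a struct like the one the patch extends. The scenario is assumed for illustration: the same register reads as [-8, -1] in the first sanitize pass and as [8, 15] in the commit pass, standing in for an off reg whose bounds were rewritten by the pointer move. The names off_reg, sanitize_info, direction_old, direction_new and run_two_pass are hypothetical, and var_off_const stands in for tnum_is_const(var_off).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the bpf_reg_state fields the direction logic
 * reads; not the kernel's struct. */
struct off_reg {
	int64_t smin_value;
	int64_t smax_value;
	bool var_off_const;	/* stands in for tnum_is_const(var_off) */
};

/* Mirrors the member the patch adds to struct bpf_sanitize_info. */
struct sanitize_info {
	bool mask_to_left;
};

enum { OP_ADD, OP_SUB };
enum { REASON_BOUNDS = -1 };

/* The direction rule from the patch: ADD with a negative offset, or SUB
 * with a non-negative one, masks towards lower addresses. */
static bool mask_direction(int opcode, bool off_is_neg)
{
	return (opcode == OP_ADD && off_is_neg) ||
	       (opcode == OP_SUB && !off_is_neg);
}

/* Non-constant offset whose sign is unknown: the verifier rejects it. */
static bool off_straddles_zero(const struct off_reg *off)
{
	return !off->var_off_const &&
	       (off->smin_value < 0) != (off->smax_value < 0);
}

/* Pre-patch shape: direction re-derived from off_reg on every call,
 * including the commit-window call made after the pointer move. */
static int direction_old(int opcode, const struct off_reg *off,
			 bool *mask_to_left)
{
	if (off_straddles_zero(off))
		return REASON_BOUNDS;
	*mask_to_left = mask_direction(opcode, off->smin_value < 0);
	return 0;
}

/* Post-patch shape: direction derived once on the first pass and cached
 * in info; the commit-window pass only reads it back. */
static int direction_new(int opcode, const struct off_reg *off,
			 struct sanitize_info *info, bool commit_window,
			 bool *mask_to_left)
{
	if (!commit_window) {
		if (off_straddles_zero(off))
			return REASON_BOUNDS;
		info->mask_to_left = mask_direction(opcode, off->smin_value < 0);
	}
	*mask_to_left = info->mask_to_left;
	return 0;
}

/* Run both passes. 'before' is the off reg as the first pass sees it,
 * 'after' what the same register reads as in the commit pass (assumed:
 * rewritten by the pointer move). Returns 1 if the passes disagree on
 * direction, 0 if they agree, REASON_BOUNDS if pass one rejects. */
static int run_two_pass(bool use_fix, int opcode,
			const struct off_reg *before,
			const struct off_reg *after)
{
	struct sanitize_info info = { 0 };
	bool first, second;
	int err;

	if (use_fix)
		err = direction_new(opcode, before, &info, false, &first);
	else
		err = direction_old(opcode, before, &first);
	if (err)
		return err;

	if (use_fix)
		err = direction_new(opcode, after, &info, true, &second);
	else
		err = direction_old(opcode, after, &second);
	if (err)
		return err;

	return first != second;
}

/* Constructed bounds: negative offset in pass one, positive by pass two. */
static const struct off_reg OFF_NEG      = { -8, -1, false };
static const struct off_reg OFF_POS      = {  8, 15, false };
static const struct off_reg OFF_STRADDLE = { -4,  4, false };

int main(void)
{
	printf("old ADD: direction swapped between passes = %d\n",
	       run_two_pass(false, OP_ADD, &OFF_NEG, &OFF_POS));
	printf("new ADD: direction swapped between passes = %d\n",
	       run_two_pass(true, OP_ADD, &OFF_NEG, &OFF_POS));
	return 0;
}
```

With the pre-patch variant the commit pass flips the direction (an ADD with a negative offset is masked as if the offset were positive), which is the path to a wrong final alu_limit; the post-patch variant keeps the first pass's answer. The sign-straddling case is still rejected in both variants, but only on the first pass in the fixed one, matching the `if (!commit_window)` guard in the patch.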