Received: by 2002:a05:6a10:1d13:0:0:0:0 with SMTP id pp19csp295517pxb; Thu, 26 Aug 2021 03:25:48 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz160Qom+XgWPAyhqGuypv0XDoKDiMuNWuRe9NjlwmJyT+5wv14JsGGeUguEtkRZbpI4EeF X-Received: by 2002:a17:906:6bc5:: with SMTP id t5mr3543334ejs.340.1629973548293; Thu, 26 Aug 2021 03:25:48 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1629973548; cv=none; d=google.com; s=arc-20160816; b=nodocsERmZTyrqizXxbwptI5wX24+9m5oodUz+h2sFLF6AjrUS6xm1Z5xIV9BanOEo lDg9IWigAv9Q3rleee3zOPvD2grqAjwQwmhx6DRBuuOSmsLQTa55rKcHFybjSWFO/w0T ZOFX7wKeg8ZB/OalgnEe8FzTC9ABfiOkW2JTsp5lizudLadaXDMB8XB6w91e1/IxmPZ0 W8PJObDuMWEB8MPoS8cc8ez9uNE0ooBFzxZTdcz9p5Hl3D5FFVJpISjJ0ATpU/TA7ONG Htv3J3LzQMlZnilcNikbPCjUt7QZL2LVfl/5WlMjAOBCy0sS0bg/b8SXjSd79OFnXUWG a+vQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:content-disposition:mime-version :message-id:subject:to:from:date; bh=y39PMllP/bxrDHw5HNjbXaZZZeiWY0nTWORWUottTm0=; b=GWpEUvyJhF0kpNMUWg3530go1eoMzX1ObQ1KQd95aWwLAlCy84hizqEv3Z3zhugwVH oGq5DYRnDAS+7rM1ApGQVUgK6j4C5wTeFA8dU3i0OBX4Q+DZxfPt9H+HHK5gPCqJhxAA T9jnS7kjdXjomwFHPRS+s69ce4hg7DoG/LZgXtj3euCj2wr2c04liCQCFIQHVS6HKrF4 5Q6v6nCKFWhhQOPO5MgzfHjMBJk5PiOKWgDWYL68k3tdr9fL5VV9LiPT8ZSKz6DORbgi T5UvyevRGBmCZM9PmMCN74gfKjt/CbJJFYACiBo06pryajbqNEf96JqCnMa+cGAxmc4N fLZw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jt11si2287533ejb.125.2021.08.26.03.25.24; Thu, 26 Aug 2021 03:25:48 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241371AbhHZKY0 (ORCPT + 99 others); Thu, 26 Aug 2021 06:24:26 -0400 Received: from jabberwock.ucw.cz ([46.255.230.98]:50808 "EHLO jabberwock.ucw.cz" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233654AbhHZKYZ (ORCPT ); Thu, 26 Aug 2021 06:24:25 -0400 Received: by jabberwock.ucw.cz (Postfix, from userid 1017) id 98D8B1C0B7A; Thu, 26 Aug 2021 12:23:37 +0200 (CEST) Date: Thu, 26 Aug 2021 12:23:37 +0200 From: Pavel Machek To: stable@vger.kernel.org, kernel list , daniel@iogearbox.net, john.fastabend@gmail.com, ast@kernel.org Subject: CVE-2021-3600 aka bpf: Fix 32 bit src register truncation on div/mod Message-ID: <20210826102337.GA7362@duo.ucw.cz> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="vtzGhvizbBRQ85DL" Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org --vtzGhvizbBRQ85DL Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable Hi! As far as I can tell, CVE-2021-3600 is still a problem for 4.14 and 4.19. Unfortunately, those kernels lack BPF_JMP32 support, and that support is too big and intrusive to backport. So I tried to come up with solution without JMP32 support... only to end up with not seeing the bug in the affected code. Changelog says: bpf: Fix 32 bit src register truncation on div/mod =20 While reviewing a different fix, John and I noticed an oddity in one of= the BPF program dumps that stood out, for example: =20 # bpftool p d x i 13 0: (b7) r0 =3D 808464450 1: (b4) w4 =3D 808464432 2: (bc) w0 =3D w0 3: (15) if r0 =3D=3D 0x0 goto pc+1 4: (9c) w4 %=3D w0 [...] =20 In line 2 we noticed that the mov32 would 32 bit truncate the original = src register for the div/mod operation. While for the two operations the dst register is typically marked unknown e.g. from adjust_scalar_min_max_va= ls() the src register is not, and thus verifier keeps tracking original boun= ds, simplified: So this explains "mov32 w0, w0" is problematic, and fixes the bug by replacing it with jmp32. Unfortunately, I can't do that in 4.19; plus I don't really see how the bug is solved -- we avoided adding mov32 sequence that triggers the problem, but the problematic sequence could still be produced by the userspace, no? Does adjust_scalar_min_max_vals still need fixing? Do you have any hints how to solve this in 4.19? Best regards, Pavel --=20 DENX Software Engineering GmbH, Managing Director: Wolfgang Denk HRB 165235 Munich, Office: Kirchenstr.5, D-82194 Groebenzell, Germany --vtzGhvizbBRQ85DL Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iF0EABECAB0WIQRPfPO7r0eAhk010v0w5/Bqldv68gUCYSdrqQAKCRAw5/Bqldv6 8rK9AJ9kEm63Lbsbk8N3qBjuKHwwcGEstQCeK9JGBYjsg/VAmJ9wFUCiW+gfTSE= =T4Yk -----END PGP SIGNATURE----- --vtzGhvizbBRQ85DL--