[SRU,Bionic,0/2] CVE-2018-25020 // LP: #1953287

Message ID 20211208142711.42804-1-cascardo@canonical.com

Message

Thadeu Lima de Souza Cascardo Dec. 8, 2021, 2:27 p.m. UTC
BugLink: https://bugs.launchpad.net/bugs/1953287

[Impact]

A CBPF program jumping over a large number of instructions may lead to kernel
code execution.

The test might fail with EINVAL or EOPNOTSUPP, which must be accounted for on
different kernel versions.

[Test case]
Load test_bpf module.
Userspace program that causes crash.

[Potential regression]
Some CBPF and EBPF programs might not load.


Daniel Borkmann (1):
  bpf: fix truncated jump targets on heavy expansions

Thadeu Lima de Souza Cascardo (1):
  UBUNTU: SAUCE: Revert "bpf: add also cbpf long jump test cases with
    heavy expansion"

 kernel/bpf/core.c | 63 ++++++++++++++++++++++++++++++++++++++++-------
 lib/test_bpf.c    | 63 -----------------------------------------------
 net/core/filter.c | 11 +++++++--
 3 files changed, 63 insertions(+), 74 deletions(-)

Comments

Stefan Bader Dec. 8, 2021, 2:46 p.m. UTC | #1
On 08.12.21 15:27, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1953287
> 
> [Impact]
> 
> A CBPF program jumping over a large number of instructions may lead to kernel
> code execution.
> 
> The test might fail with EINVAL or EOPNOTSUPP, which must be accounted for on
> different kernel versions.
> 
> [Test case]
> Load test_bpf module.
> Userspace program that causes crash.
> 
> [Potential regression]
> Some CBPF and EBPF programs might not load.
> 
> 
> Daniel Borkmann (1):
>    bpf: fix truncated jump targets on heavy expansions
> 
> Thadeu Lima de Souza Cascardo (1):
>    UBUNTU: SAUCE: Revert "bpf: add also cbpf long jump test cases with
>      heavy expansion"
> 
>   kernel/bpf/core.c | 63 ++++++++++++++++++++++++++++++++++++++++-------
>   lib/test_bpf.c    | 63 -----------------------------------------------
>   net/core/filter.c | 11 +++++++--
>   3 files changed, 63 insertions(+), 74 deletions(-)
> 
It would help here if it contained some mention about successful testing. The 
first patch needed some heavier changes which seem to make one function vanish 
(the adjust_imm one). That seems to be related to pseudo call that is mentioned 
in the backport comment. For a quick review that is making things hard.
I believe it looks ok...

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Kleber Sacilotto de Souza Dec. 8, 2021, 2:52 p.m. UTC | #2
On 08.12.21 15:27, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1953287
>
> [Impact]
>
> A CBPF program jumping over a large number of instructions may lead to kernel
> code execution.
>
> The test might fail with EINVAL or EOPNOTSUPP, which must be accounted for on
> different kernel versions.
>
> [Test case]
> Load test_bpf module.
> Userspace program that causes crash.
>
> [Potential regression]
> Some CBPF and EBPF programs might not load.
>
>
> Daniel Borkmann (1):
>    bpf: fix truncated jump targets on heavy expansions
>
> Thadeu Lima de Souza Cascardo (1):
>    UBUNTU: SAUCE: Revert "bpf: add also cbpf long jump test cases with
>      heavy expansion"
>
>   kernel/bpf/core.c | 63 ++++++++++++++++++++++++++++++++++++++++-------
>   lib/test_bpf.c    | 63 -----------------------------------------------
>   net/core/filter.c | 11 +++++++--
>   3 files changed, 63 insertions(+), 74 deletions(-)
>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

Thanks
Thadeu Lima de Souza Cascardo Dec. 8, 2021, 2:56 p.m. UTC | #3
On Wed, Dec 08, 2021 at 03:46:07PM +0100, Stefan Bader wrote:
> On 08.12.21 15:27, Thadeu Lima de Souza Cascardo wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1953287
> > 
> > [Impact]
> > 
> > A CBPF program jumping over a large number of instructions may lead to kernel
> > code execution.
> > 
> > The test might fail with EINVAL or EOPNOTSUPP, which must be accounted for on
> > different kernel versions.
> > 
> > [Test case]
> > Load test_bpf module.
> > Userspace program that causes crash.
> > 
> > [Potential regression]
> > Some CBPF and EBPF programs might not load.
> > 
> > 
> > Daniel Borkmann (1):
> >    bpf: fix truncated jump targets on heavy expansions
> > 
> > Thadeu Lima de Souza Cascardo (1):
> >    UBUNTU: SAUCE: Revert "bpf: add also cbpf long jump test cases with
> >      heavy expansion"
> > 
> >   kernel/bpf/core.c | 63 ++++++++++++++++++++++++++++++++++++++++-------
> >   lib/test_bpf.c    | 63 -----------------------------------------------
> >   net/core/filter.c | 11 +++++++--
> >   3 files changed, 63 insertions(+), 74 deletions(-)
> > 
> It would help here if it contained some mention about successful testing.
> The first patch needed some heavier changes which seem to make one function
> vanish (the adjust_imm one). That seems to be related to pseudo call that is
> mentioned in the backport comment. For a quick review that is making things
> hard.
> I believe it looks ok...
> 
> Acked-by: Stefan Bader <stefan.bader@canonical.com>
> 

That's right. It has to do with the pseudo calls. Since the test for
!bpf_is_jmp_and_has_target(insn) will make it skip the case where
BPF_OP(insn) == BPF_CALL, bpf_adj_delta_to_imm would never be called.

The test cases that I mentioned were run and successful.

Regards.
Cascardo.
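As an added illustration, not code from this patch set or from the kernel, the following C model shows the mechanism behind the [Impact] section and the backport detail discussed above: an eBPF instruction keeps its jump displacement in a signed 16-bit field, heavy cBPF-to-eBPF expansion grows the displacement of every jump that spans the expanded region, and an unchecked store of a grown value wraps to a wrong target while a range check rejects the program instead. The struct layout follows the eBPF encoding and the opcode constants are the real ones; the helper names (adj_delta_to_off, adj_branches, is_jmp_with_target), the four-instruction sample program and the inserted-instruction counts are constructed for the illustration and are not the kernel's functions. As in the backport described above, CALL and EXIT carry no off-relative target and are skipped.

```c
/*
 * Added illustration (not the kernel's code and not part of this patch set):
 * why heavy cBPF-to-eBPF expansion can truncate a jump target, and the
 * range check that rejects such a program instead of loading it.
 *
 * The struct mirrors the eBPF encoding (signed 16-bit off). Everything
 * else below is a simplified model; helper names and sample values are
 * assumptions made for the illustration.
 */
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

struct insn {                 /* field widths as in the eBPF encoding */
    uint8_t code;
    uint8_t regs;
    int16_t off;              /* jump displacement, 16-bit signed */
    int32_t imm;
};

#define BPF_JMP   0x05        /* instruction classes */
#define BPF_ALU   0x04
#define BPF_JA    0x00        /* jump opcodes */
#define BPF_CALL  0x80
#define BPF_EXIT  0x90
#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)

/* Jumps that carry an off-relative target. CALL and EXIT do not, so they
 * are left alone (the BPF_OP(insn) == BPF_CALL skip mentioned above). */
static int is_jmp_with_target(const struct insn *i)
{
    return BPF_CLASS(i->code) == BPF_JMP &&
           BPF_OP(i->code) != BPF_CALL && BPF_OP(i->code) != BPF_EXIT;
}

/* Grow a displacement by delta. With checked == 0 the result is stored
 * without a range check (an out-of-range int converted to int16_t wraps
 * on gcc/clang); with checked != 0 an overflow is reported as -ERANGE. */
static int adj_delta_to_off(struct insn *i, int delta, int checked)
{
    int off = (int)i->off + delta;

    if (checked && (off < SHRT_MIN || off > SHRT_MAX))
        return -ERANGE;
    i->off = (int16_t)off;
    return 0;
}

/* How far an instruction at idx moves when delta instructions are inserted
 * before index pos: everything at or past pos shifts, nothing before it. */
static int shift_of(long idx, long pos, int delta)
{
    return idx >= pos ? delta : 0;
}

/* Fix up every jump of a len-instruction program (pre-insertion indices)
 * after delta instructions are inserted before index pos. A jump changes
 * length exactly when its source and its target shift by different
 * amounts. Returns 0, or -ERANGE from the checked path. */
static int adj_branches(struct insn *prog, size_t len, size_t pos,
                        int delta, int checked)
{
    for (size_t i = 0; i < len; i++) {
        struct insn *in = &prog[i];
        long target, change;
        int rc;

        if (!is_jmp_with_target(in))
            continue;
        target = (long)i + 1 + in->off;
        change = shift_of(target, (long)pos, delta)
               - shift_of((long)i, (long)pos, delta);
        if (change == 0)
            continue;
        rc = adj_delta_to_off(in, (int)change, checked);
        if (rc)
            return rc;
    }
    return 0;
}

/* Constructed sample: a JA over 100 instructions, then an ALU op, a CALL
 * and an EXIT. delta instructions are inserted before index 1, inside the
 * jump's span; delta = 32700 pushes 100 + delta past SHRT_MAX (32767). */
static void build_sample(struct insn prog[4])
{
    prog[0] = (struct insn){ .code = BPF_JMP | BPF_JA,   .off = 100 };
    prog[1] = (struct insn){ .code = BPF_ALU };
    prog[2] = (struct insn){ .code = BPF_JMP | BPF_CALL, .imm = 1 };
    prog[3] = (struct insn){ .code = BPF_JMP | BPF_EXIT };
}

/* Returns the displacement the unchecked path stores: 32800 wrapped to
 * -32736, i.e. a backward jump to an unintended instruction. */
int demo_unchecked_off(void)
{
    struct insn prog[4];

    build_sample(prog);
    adj_branches(prog, 4, 1, 32700, 0);
    return prog[0].off;
}

/* Returns the checked path's result: -ERANGE when the grown displacement
 * no longer fits, 0 when it does. */
int demo_checked_rc(int delta)
{
    struct insn prog[4];

    build_sample(prog);
    return adj_branches(prog, 4, 1, delta, 1);
}

int main(void)
{
    printf("unchecked: off after expansion = %d (wrapped, wrong target)\n",
           demo_unchecked_off());
    printf("checked:   delta 32700 -> rc %d (rejected), delta 10 -> rc %d\n",
           demo_checked_rc(32700), demo_checked_rc(10));
    return 0;
}
```

The rejected case is what the cover letter's [Potential regression] note refers to: a program whose expanded jump cannot be encoded is refused at load time rather than loaded with a wrong target, which is why a filter that used to attach may now fail.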
Kleber Sacilotto de Souza Dec. 8, 2021, 2:57 p.m. UTC | #4
On 08.12.21 15:27, Thadeu Lima de Souza Cascardo wrote:
> BugLink: https://bugs.launchpad.net/bugs/1953287
>
> [Impact]
>
> A CBPF program jumping over a large number of instructions may lead to kernel
> code execution.
>
> The test might fail with EINVAL or EOPNOTSUPP, which must be accounted for on
> different kernel versions.
>
> [Test case]
> Load test_bpf module.
> Userspace program that causes crash.
>
> [Potential regression]
> Some CBPF and EBPF programs might not load.
>
>
> Daniel Borkmann (1):
>    bpf: fix truncated jump targets on heavy expansions
>
> Thadeu Lima de Souza Cascardo (1):
>    UBUNTU: SAUCE: Revert "bpf: add also cbpf long jump test cases with
>      heavy expansion"
>
>   kernel/bpf/core.c | 63 ++++++++++++++++++++++++++++++++++++++++-------
>   lib/test_bpf.c    | 63 -----------------------------------------------
>   net/core/filter.c | 11 +++++++--
>   3 files changed, 63 insertions(+), 74 deletions(-)
>

Applied to bionic:linux.

Thanks,
Kleber