From patchwork Fri Jan 26 22:44:53 2024
X-Patchwork-Submitter: Bethany Jamison
X-Patchwork-Id: 1891690
From: Bethany Jamison
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Lunar][PATCH 4/4] bpf: Avoid recomputing spi in process_dynptr_func
Date: Fri, 26 Jan 2024 16:44:53 -0600
Message-Id: <20240126224453.46651-5-bethany.jamison@canonical.com>
In-Reply-To: <20240126224453.46651-1-bethany.jamison@canonical.com>
References: <20240126224453.46651-1-bethany.jamison@canonical.com>

From: Kumar Kartikeya Dwivedi

Currently, process_dynptr_func first calls dynptr_get_spi and then
is_dynptr_reg_valid_init and is_dynptr_reg_valid_uninit have to call it
again to obtain the spi value. Instead of doing this twice, reuse the
already obtained value (which is by default 0, and is only set for
PTR_TO_STACK, and only used in that case in aforementioned functions).
The input value for these two functions will either be -ERANGE or >= 1,
and can either be permitted or rejected based on the respective check.

Suggested-by: Joanne Koong
Acked-by: Joanne Koong
Signed-off-by: Kumar Kartikeya Dwivedi
Link: https://lore.kernel.org/r/20230121002241.2113993-8-memxor@gmail.com
Signed-off-by: Alexei Starovoitov
(cherry picked from commit 1ee72bcbe48de6dcfa44d6eba0aec6e42d04cd4d)
CVE-2023-39191
Signed-off-by: Bethany Jamison
---
 kernel/bpf/verifier.c | 24 +++++++++++-------------
 1 file changed, 11 insertions(+), 13 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index a41f0af660d4..e6bd8af3c8b7 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -955,14 +955,12 @@ static int destroy_if_dynptr_stack_slot(struct bpf_verifier_env *env, return 0; } -static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_reg_state *reg) +static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_reg_state *reg, + int spi) { - int spi; - if (reg->type == CONST_PTR_TO_DYNPTR) return false; - spi = dynptr_get_spi(env, reg); /* For -ERANGE (i.e. spi not falling into allocated stack slots), we * will do check_mem_access to check and update stack bounds later, so * return true for that case. @@ -980,16 +978,16 @@ static bool is_dynptr_reg_valid_uninit(struct bpf_verifier_env *env, struct bpf_ return true; } -static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg) +static bool is_dynptr_reg_valid_init(struct bpf_verifier_env *env, struct bpf_reg_state *reg, + int spi) { struct bpf_func_state *state = func(env, reg); - int spi, i; + int i; /* This already represents first slot of initialized bpf_dynptr */ if (reg->type == CONST_PTR_TO_DYNPTR) return true; - spi = dynptr_get_spi(env, reg); if (spi < 0) return false; if (!state->stack[spi].spilled_ptr.dynptr.first_slot) @@ -6207,6 +6205,7 @@ int process_dynptr_func(struct bpf_verifier_env *env, int regno, enum bpf_arg_type arg_type, struct bpf_call_arg_meta *meta) { struct bpf_reg_state *regs = cur_regs(env), *reg = ®s[regno]; + int spi = 0; /* MEM_UNINIT and MEM_RDONLY are exclusive, when applied to an * ARG_PTR_TO_DYNPTR (or ARG_PTR_TO_DYNPTR | DYNPTR_TYPE_*): @@ -6220,10 +6219,9 @@ int process_dynptr_func(struct bpf_verifier_env *env, int regno, * and its alignment for PTR_TO_STACK. */ if (reg->type == PTR_TO_STACK) { - int err = dynptr_get_spi(env, reg); - - if (err < 0 && err != -ERANGE) - return err; + spi = dynptr_get_spi(env, reg); + if (spi < 0 && spi != -ERANGE) + return spi; } /* MEM_UNINIT - Points to memory that is an appropriate candidate for 
@@ -6242,7 +6240,7 @@ int process_dynptr_func(struct bpf_verifier_env *env, int regno, * to. */ if (arg_type & MEM_UNINIT) { - if (!is_dynptr_reg_valid_uninit(env, reg)) { + if (!is_dynptr_reg_valid_uninit(env, reg, spi)) { verbose(env, "Dynptr has to be an uninitialized dynptr\n"); return -EINVAL; } @@ -6265,7 +6263,7 @@ int process_dynptr_func(struct bpf_verifier_env *env, int regno, return -EINVAL; } - if (!is_dynptr_reg_valid_init(env, reg)) { + if (!is_dynptr_reg_valid_init(env, reg, spi)) { verbose(env, "Expected an initialized dynptr as arg #%d\n", regno);
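Review bot: `int spi = 0;` in process_dynptr_func (hunk at -6207) uses 0, which is itself a valid stack slot index, as the "not computed" default for any register that is not PTR_TO_STACK, and nothing at the declaration says so; the only statement of that contract is the commit message. Suggest documenting it where the value is defined, e.g. `int spi = 0; /* only meaningful for PTR_TO_STACK, set below */`, so a later reader of is_dynptr_reg_valid_init or is_dynptr_reg_valid_uninit does not take the zero for a real slot when the register is CONST_PTR_TO_DYNPTR or has already been rejected by the type checks above.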
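Review bot: in the PTR_TO_STACK branch (hunk at -6220) -ERANGE is deliberately let through and carried in `spi` to the helpers, while every other negative value becomes the return code. That is consistent with the helpers as changed in the -955 and -980 hunks, where is_dynptr_reg_valid_uninit keeps the comment that -ERANGE is accepted and left to check_mem_access, and is_dynptr_reg_valid_init rejects it with `if (spi < 0) return false;`, so the split preserves the behaviour of the old double computation. A one-line comment on the `spi != -ERANGE` exception saying that the two helpers decide the -ERANGE case would spare the next reader a trip through both functions to confirm it.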