From patchwork Thu Jan  4 14:01:18 2018
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Seth Forshee <seth.forshee@canonical.com>
X-Patchwork-Id: 855600
Return-Path: <kernel-team-bounces@lists.ubuntu.com>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=lists.ubuntu.com
	(client-ip=91.189.94.19; helo=huckleberry.canonical.com;
	envelope-from=kernel-team-bounces@lists.ubuntu.com;
	receiver=<UNKNOWN>)
Received: from huckleberry.canonical.com (huckleberry.canonical.com
	[91.189.94.19])
	by ozlabs.org (Postfix) with ESMTP id 3zC8c668xYz9t44;
	Fri,  5 Jan 2018 01:01:41 +1100 (AEDT)
Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com)
	by huckleberry.canonical.com with esmtp (Exim 4.86_2)
	(envelope-from <kernel-team-bounces@lists.ubuntu.com>)
	id 1eX65Q-0004v4-5U; Thu, 04 Jan 2018 14:01:36 +0000
Received: from youngberry.canonical.com ([91.189.89.112])
	by huckleberry.canonical.com with esmtps
	(TLS1.0:DHE_RSA_AES_128_CBC_SHA1:128)
	(Exim 4.86_2) (envelope-from <seth.forshee@canonical.com>)
	id 1eX65O-0004tu-Gn
	for kernel-team@lists.ubuntu.com; Thu, 04 Jan 2018 14:01:34 +0000
Received: from mail-it0-f69.google.com ([209.85.214.69])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.76) (envelope-from <seth.forshee@canonical.com>)
	id 1eX65O-0002Ai-5c
	for kernel-team@lists.ubuntu.com; Thu, 04 Jan 2018 14:01:34 +0000
Received: by mail-it0-f69.google.com with SMTP id g69so1932758ita.9
	for <kernel-team@lists.ubuntu.com>;
	Thu, 04 Jan 2018 06:01:34 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:subject:date:message-id:in-reply-to
	:references;
	bh=m2Y517h8k69gutCJM8ssvBn3eGLQ6tlBRIJUDUYi13I=;
	b=kqjnwvR4BV3UhhyJtaf+MHppMjZ2Wibl0fBhJtjWOV0Y78ojCkjq+HvMDD5ZVJ2Iop
	fwHkzoU/3x2OLYhdGGZbU20rFgRla9cOQBCKVDJrSKribFPxb+BrV21p2yNllb6KfiPm
	u30xxOUG6VPNlAGBt7OCO2INZgvK+ZSDR5yAje259WoFotxIw0GWzv/oqz7p5FJdKdqT
	ikc56mzCmYb/slMXB/DjPC/0CZEgjGROLBImLmZ1qCjK5+NQjeIdXir673WpGdOxnrEd
	zv5UCEuoTfXLvpz9Al3yGasjj8TTolkyQTLsfBuM9J5cjaNITPj3+zrotzwOJ1U4raXB
	pNPA==
X-Gm-Message-State: AKGB3mKYd/ibAWNmAKnh/WyWv+wNXQDGRwP1IsBadwmL2Dm9GASbqfp9
	lFdqXbw//E4Rtn2Ceg5PCKF38cf2VE63thgiNiCLlt4E8mymxGcASrGqx8fYw0pJJTfjObJKXIu
	OSf4cjmFHmf69YlyvdVkLvqTTZyxZ6CRro4gI1a0VHw==
X-Received: by 10.36.211.4 with SMTP id n4mr6275883itg.88.1515074492874;
	Thu, 04 Jan 2018 06:01:32 -0800 (PST)
X-Google-Smtp-Source: 
 ACJfBos2DsURdGSyBZxue7f3ccYRH5mz126xepGp/PcV6VfxU74ThGZFmM5RVUEIhvNVmrntrXlzhw==
X-Received: by 10.36.211.4 with SMTP id n4mr6275850itg.88.1515074492581;
	Thu, 04 Jan 2018 06:01:32 -0800 (PST)
Received: from localhost ([2605:a601:aae:1b20:6cc2:cccd:da95:a96c])
	by smtp.gmail.com with ESMTPSA id
	d3sm2118918itf.39.2018.01.04.06.01.31
	for <kernel-team@lists.ubuntu.com>
	(version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
	Thu, 04 Jan 2018 06:01:31 -0800 (PST)
From: Seth Forshee <seth.forshee@canonical.com>
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 2/4][Z] bpf: fix incorrect sign extension in check_alu_op()
Date: Thu,  4 Jan 2018 08:01:18 -0600
Message-Id: <20180104140124.2515-5-seth.forshee@canonical.com>
X-Mailer: git-send-email 2.14.1
In-Reply-To: <20180104140124.2515-1-seth.forshee@canonical.com>
References: <20180104140124.2515-1-seth.forshee@canonical.com>
X-BeenThere: kernel-team@lists.ubuntu.com
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Kernel team discussions <kernel-team.lists.ubuntu.com>
List-Unsubscribe: <https://lists.ubuntu.com/mailman/options/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=unsubscribe>
List-Archive: <https://lists.ubuntu.com/archives/kernel-team>
List-Post: <mailto:kernel-team@lists.ubuntu.com>
List-Help: <mailto:kernel-team-request@lists.ubuntu.com?subject=help>
List-Subscribe: <https://lists.ubuntu.com/mailman/listinfo/kernel-team>,
	<mailto:kernel-team-request@lists.ubuntu.com?subject=subscribe>
MIME-Version: 1.0
Errors-To: kernel-team-bounces@lists.ubuntu.com
Sender: "kernel-team" <kernel-team-bounces@lists.ubuntu.com>

From: Jann Horn <jannh@google.com>

[ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ]

Distinguish between
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
only perform sign extension in the first case.

Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.

Debian assigned CVE-2017-16995 for this issue.

v3:
 - add CVE number (Ben Hutchings)

Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
CVE-2017-16995
[ saf: Backport to 4.10 ]
Signed-off-by: Seth Forshee <seth.forshee@canonical.com>
---
 kernel/bpf/verifier.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index b741b616e935..edc885b3c157 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1723,10 +1723,17 @@ static int check_alu_op(struct bpf_verifier_env *env, struct bpf_insn *insn)
 			/* case: R = imm
 			 * remember the value we stored into this reg
 			 */
+			u64 imm;
+
+			if (BPF_CLASS(insn->code) == BPF_ALU64)
+				imm = insn->imm;
+			else
+				imm = (u32)insn->imm;
+
 			regs[insn->dst_reg].type = CONST_IMM;
-			regs[insn->dst_reg].imm = insn->imm;
-			regs[insn->dst_reg].max_value = insn->imm;
-			regs[insn->dst_reg].min_value = insn->imm;
+			regs[insn->dst_reg].imm = imm;
+			regs[insn->dst_reg].max_value = imm;
+			regs[insn->dst_reg].min_value = imm;
 		}
 
 	} else if (opcode > BPF_END) {