98 lines
3.3 KiB
Diff
98 lines
3.3 KiB
Diff
From: Alexei Starovoitov <ast@kernel.org>
|
|
Date: Mon, 18 Dec 2017 20:12:00 -0800
|
|
Subject: [8/9] bpf: fix integer overflows
|
|
Origin: https://git.kernel.org/linus/bb7f0f989ca7de1153bd128a40a71709e339fa03
|
|
|
|
There were various issues related to the limited size of integers used in
|
|
the verifier:
|
|
- `off + size` overflow in __check_map_access()
|
|
- `off + reg->off` overflow in check_mem_access()
|
|
- `off + reg->var_off.value` overflow or 32-bit truncation of
|
|
`reg->var_off.value` in check_mem_access()
|
|
- 32-bit truncation in check_stack_boundary()
|
|
|
|
Make sure that any integer math cannot overflow by not allowing
|
|
pointer math with large values.
|
|
|
|
Also reduce the scope of "scalar op scalar" tracking.
|
|
|
|
Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
|
|
Reported-by: Jann Horn <jannh@google.com>
|
|
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
|
|
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
|
|
[carnil:
|
|
- adjust context, we previously change verbose() signature
|
|
- drop changes to include/linux/bpf_verifier.h already set
|
|
]
|
|
---
|
|
include/linux/bpf_verifier.h | 4 ++--
|
|
kernel/bpf/verifier.c | 48 ++++++++++++++++++++++++++++++++++++++++++++
|
|
2 files changed, 50 insertions(+), 2 deletions(-)
|
|
|
|
--- a/kernel/bpf/verifier.c
|
|
+++ b/kernel/bpf/verifier.c
|
|
@@ -1821,25 +1821,25 @@ static bool check_reg_sane_offset(struct
|
|
s64 smin = reg->smin_value;
|
|
|
|
if (known && (val >= BPF_MAX_VAR_OFF || val <= -BPF_MAX_VAR_OFF)) {
|
|
- verbose("math between %s pointer and %lld is not allowed\n",
|
|
+ verbose(env, "math between %s pointer and %lld is not allowed\n",
|
|
reg_type_str[type], val);
|
|
return false;
|
|
}
|
|
|
|
if (reg->off >= BPF_MAX_VAR_OFF || reg->off <= -BPF_MAX_VAR_OFF) {
|
|
- verbose("%s pointer offset %d is not allowed\n",
|
|
+ verbose(env, "%s pointer offset %d is not allowed\n",
|
|
reg_type_str[type], reg->off);
|
|
return false;
|
|
}
|
|
|
|
if (smin == S64_MIN) {
|
|
- verbose("math between %s pointer and register with unbounded min value is not allowed\n",
|
|
+ verbose(env, "math between %s pointer and register with unbounded min value is not allowed\n",
|
|
reg_type_str[type]);
|
|
return false;
|
|
}
|
|
|
|
if (smin >= BPF_MAX_VAR_OFF || smin <= -BPF_MAX_VAR_OFF) {
|
|
- verbose("value %lld makes %s pointer be out of bounds\n",
|
|
+ verbose(env, "value %lld makes %s pointer be out of bounds\n",
|
|
smin, reg_type_str[type]);
|
|
return false;
|
|
}
|
|
@@ -1919,6 +1919,10 @@ static int adjust_ptr_min_max_vals(struc
|
|
!check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
|
|
return -EINVAL;
|
|
|
|
+ if (!check_reg_sane_offset(env, off_reg, ptr_reg->type) ||
|
|
+ !check_reg_sane_offset(env, ptr_reg, ptr_reg->type))
|
|
+ return -EINVAL;
|
|
+
|
|
switch (opcode) {
|
|
case BPF_ADD:
|
|
/* We can take a fixed offset as long as it doesn't overflow
|
|
@@ -2052,6 +2056,9 @@ static int adjust_ptr_min_max_vals(struc
|
|
if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
|
|
return -EINVAL;
|
|
|
|
+ if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
|
|
+ return -EINVAL;
|
|
+
|
|
__update_reg_bounds(dst_reg);
|
|
__reg_deduce_bounds(dst_reg);
|
|
__reg_bound_offset(dst_reg);
|
|
@@ -2083,6 +2090,12 @@ static int adjust_scalar_min_max_vals(st
|
|
|
|
if (!src_known &&
|
|
opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
|
|
+ __mark_reg_unknown(dst_reg);
|
|
+ return 0;
|
|
+ }
|
|
+
|
|
+ if (!src_known &&
|
|
+ opcode != BPF_ADD && opcode != BPF_SUB && opcode != BPF_AND) {
|
|
__mark_reg_unknown(dst_reg);
|
|
return 0;
|
|
}
|