authorGary Lin <glin@suse.com>2019-02-20 12:20:01 +0800
committerGary Lin <glin@suse.com>2019-02-20 12:20:03 +0800
commit489cb8c591bac765a4f9b195367a097168a4bdfa (patch)
tree16317bbd4b33e00a0902a5575786ebbf5d055147
parent800750b0f2b2ca3676200cb09ef4546e0e0001d6 (diff)
bpf: enable access to ax register also from verifier rewrite
(bsc#1124055 CVE-2019-7308).
-rw-r--r--patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch70
-rw-r--r--series.conf1
2 files changed, 71 insertions, 0 deletions
diff --git a/patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch b/patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch
new file mode 100644
index 0000000000..3cce51bc75
--- /dev/null
+++ b/patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch
@@ -0,0 +1,70 @@
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 3 Jan 2019 00:58:29 +0100
+Subject: bpf: enable access to ax register also from verifier rewrite
+Patch-mainline: v5.0-rc1
+Git-commit: 9b73bfdd08e73231d6a90ae6db4b46b3fbf56c30
+References: bsc#1124055 CVE-2019-7308
+
+Right now we are using BPF ax register in JIT for constant blinding as
+well as in interpreter as temporary variable. Verifier will not be able
+to use it simply because its use will get overridden from the former in
+bpf_jit_blind_insn(). However, it can be made to work in that blinding
+will be skipped if there is prior use in either source or destination
+register on the instruction. Taking constraints of ax into account, the
+verifier is then open to use it in rewrites under some constraints. Note,
+ax register already has mappings in every eBPF JIT.
+
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Gary Lin <glin@suse.com>
+---
+ include/linux/filter.h | 7 +------
+ kernel/bpf/core.c | 20 ++++++++++++++++++++
+ 2 files changed, 21 insertions(+), 6 deletions(-)
+
+--- a/include/linux/filter.h
++++ b/include/linux/filter.h
+@@ -48,12 +48,7 @@ struct bpf_prog_aux;
+ #define BPF_REG_X BPF_REG_7
+ #define BPF_REG_TMP BPF_REG_8
+
+-/* Kernel hidden auxiliary/helper register for hardening step.
+- * Only used by eBPF JITs. It's nothing more than a temporary
+- * register that JITs use internally, only that here it's part
+- * of eBPF instructions that have been rewritten for blinding
+- * constants. See JIT pre-step in bpf_jit_blind_constants().
+- */
++/* Kernel hidden auxiliary/helper register. */
+ #define BPF_REG_AX MAX_BPF_REG
+ #define MAX_BPF_EXT_REG (MAX_BPF_REG + 1)
+ #define MAX_BPF_JIT_REG MAX_BPF_EXT_REG
+--- a/kernel/bpf/core.c
++++ b/kernel/bpf/core.c
+@@ -557,6 +557,26 @@ static int bpf_jit_blind_insn(const stru
+ BUILD_BUG_ON(BPF_REG_AX + 1 != MAX_BPF_JIT_REG);
+ BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);
+
++ /* Constraints on AX register:
++ *
++ * AX register is inaccessible from user space. It is mapped in
++ * all JITs, and used here for constant blinding rewrites. It is
++ * typically "stateless" meaning its contents are only valid within
++ * the executed instruction, but not across several instructions.
++ * There are a few exceptions however which are further detailed
++ * below.
++ *
++ * Constant blinding is only used by JITs, not in the interpreter.
++ * The interpreter uses AX in some occasions as a local temporary
++ * register e.g. in DIV or MOD instructions.
++ *
++ * In restricted circumstances, the verifier can also use the AX
++ * register for rewrites as long as they do not interfere with
++ * the above cases!
++ */
++ if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)
++ goto out;
++
+ if (from->imm == 0 &&
+ (from->code == (BPF_ALU | BPF_MOV | BPF_K) ||
+ from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {
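Review bot: The replacement comment on BPF_REG_AX in include/linux/filter.h (`+/* Kernel hidden auxiliary/helper register. */`) drops every pointer to where the register's rules are now documented, so a reader of the header no longer learns that the detailed constraints live in the block comment this same patch adds to bpf_jit_blind_insn(); suggest `/* Kernel hidden auxiliary/helper register; see the constraints in bpf_jit_blind_insn(). */`. It is also worth stating next to the new early exit that an instruction naming AX in src_reg or dst_reg is left entirely unblinded, which is sound only because, as the added comment says, AX is inaccessible from user space — presumably enforced by register-range checks in the verifier that are outside this hunk, so that property should be confirmed against this backport rather than assumed from the comment. The `out` label and the remainder of bpf_jit_blind_insn() are outside the hunk.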
diff --git a/series.conf b/series.conf
index fe57c7a291..d1292a376d 100644
--- a/series.conf
+++ b/series.conf
@@ -20190,6 +20190,7 @@
patches.drivers/isdn-fix-kernel-infoleak-in-capi_unlocked_ioctl.patch
patches.fixes/bpf-move-prev_-insn_idx-into-verifier-env.patch
patches.fixes/bpf-move-tmp-variable-into-ax-register-in-interprete.patch
+ patches.fixes/bpf-enable-access-to-ax-register-also-from-verifier-.patch
patches.fixes/bpf-restrict-map-value-pointer-arithmetic-for-unpriv.patch
patches.fixes/bpf-restrict-stack-pointer-arithmetic-for-unprivileg.patch
patches.fixes/bpf-restrict-unknown-scalars-of-mixed-signed-bounds-.patch