bpf: CVE-2017-17857

bpf: fix missing error return in check_stack_boundary() Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17857 [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=2120fca0ecfb4552d27608d409ebd3403ce02ce4 Change-Id: I3b916fbdd44fa97039b3d648a230c2fd42b53848 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-21 14:44:05 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-21 16:56:42 +0200
commit: 15927a53a67f71f6220a95cc900aa40d9a69201f (patch)
tree: 2c2da9b5ff3f68c22bcc36c64f361a25fb5d3a85
parent: 7cc6f2646649f9ee3fcf59b3121742ac1f9e10ad (diff)
download: enea-kernel-cache-15927a53a67f71f6220a95cc900aa40d9a69201f.tar.gz
1 files changed, 38 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch b/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch
new file mode 100644
index 0000000..dfed2c2
--- /dev/null
+++ b/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch
@@ -0,0 +1,38 @@
+From 2120fca0ecfb4552d27608d409ebd3403ce02ce4 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Fri, 22 Dec 2017 16:23:08 +0100
+Subject: [PATCH] bpf: fix missing error return in check_stack_boundary()
+From: Jann Horn <jannh@google.com>
+Prevent indirect stack accesses at non-constant addresses, which would
+permit reading and corrupting spilled pointers.
+CVE: CVE-2017-17857
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=2120fca0ecfb4552d27608d409ebd3403ce02ce4]
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ kernel/bpf/verifier.c | 1 +
+ 1 file changed, 1 insertion(+)
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 0c7e4c8a2b8a..8aa98a0591d6 100644
+--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
+@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
+                tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
+                verbose("invalid variable stack read R%d var_off=%s\n",
+                        regno, tn_buf);
+               return -EACCES;
+        }
+        off = regs[regno].off + regs[regno].var_off.value;
+        if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-21 14:44:05 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-21 16:56:42 +0200
commit	15927a53a67f71f6220a95cc900aa40d9a69201f (patch)
tree	2c2da9b5ff3f68c22bcc36c64f361a25fb5d3a85
parent	7cc6f2646649f9ee3fcf59b3121742ac1f9e10ad (diff)
download	enea-kernel-cache-15927a53a67f71f6220a95cc900aa40d9a69201f.tar.gz

diff --git a/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch b/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch new file mode 100644 index 0000000..dfed2c2 --- /dev/null +++ b/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch
@@ -0,0 +1,38 @@
	1	From 2120fca0ecfb4552d27608d409ebd3403ce02ce4 Mon Sep 17 00:00:00 2001
	2	From: Daniel Borkmann <daniel@iogearbox.net>
	3	Date: Fri, 22 Dec 2017 16:23:08 +0100
	4	Subject: [PATCH] bpf: fix missing error return in check_stack_boundary()
	5
	6	From: Jann Horn <jannh@google.com>
	7
	8	Prevent indirect stack accesses at non-constant addresses, which would
	9	permit reading and corrupting spilled pointers.
	10
	11	CVE: CVE-2017-17857
	12	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=2120fca0ecfb4552d27608d409ebd3403ce02ce4]
	13
	14	Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
	15	Signed-off-by: Jann Horn <jannh@google.com>
	16	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
	17	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	18	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	19	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	20	---
	21	kernel/bpf/verifier.c \| 1 +
	22	1 file changed, 1 insertion(+)
	23
	24	diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
	25	index 0c7e4c8a2b8a..8aa98a0591d6 100644
	26	--- a/kernel/bpf/verifier.c
	27	+++ b/kernel/bpf/verifier.c
	28	@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
	29	tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
	30	verbose("invalid variable stack read R%d var_off=%s\n",
	31	regno, tn_buf);
	32	+ return -EACCES;
	33	}
	34	off = regs[regno].off + regs[regno].var_off.value;
	35	if (off >= 0 \|\| off < -MAX_BPF_STACK \|\| off + access_size > 0 \|\|
	36	--
	37	2.20.1
	38