bpf: CVE-2017-17856

bpf: force strict alignment checks for stack pointers Reference: https://nvd.nist.gov/vuln/detail/CVE-2017-17856 https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=c90268f7cbee0781331b96d1423d0f28a6183889 Change-Id: Ie064962ab3e3bd59e79a919f530355e713e908f1 Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
author: Andreas Wellving <andreas.wellving@enea.com> 2019-05-21 14:31:26 +0200
committer: Adrian Mangeac <Adrian.Mangeac@enea.com> 2019-05-21 16:54:38 +0200
commit: 7cc6f2646649f9ee3fcf59b3121742ac1f9e10ad (patch)
tree: 9eba1df58551f5e8c7e4f0d0debdd90ce1ff5163
parent: d4365eb45c5f3a7f3965a5e2d6c5abf3c5aaedc1 (diff)
download: enea-kernel-cache-7cc6f2646649f9ee3fcf59b3121742ac1f9e10ad.tar.gz
1 files changed, 45 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-17856-bpf-force-strict-alignment-checks-for-stack-pointers.patch b/patches/cve/CVE-2017-17856-bpf-force-strict-alignment-checks-for-stack-pointers.patch
new file mode 100644
index 0000000..e440dc2
--- /dev/null
+++ b/patches/cve/CVE-2017-17856-bpf-force-strict-alignment-checks-for-stack-pointers.patch
@@ -0,0 +1,45 @@
+From c90268f7cbee0781331b96d1423d0f28a6183889 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Fri, 22 Dec 2017 16:23:09 +0100
+Subject: [PATCH] bpf: force strict alignment checks for stack pointers
+From: Jann Horn <jannh@google.com>
+[ Upstream commit a5ec6ae161d72f01411169a938fa5f8baea16e8f ]
+Force strict alignment checks for stack pointers because the tracking of
+stack spills relies on it; unaligned stack accesses can lead to corruption
+of spilled registers, which is exploitable.
+CVE: CVE-2017-17856
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=c90268f7cbee0781331b96d1423d0f28a6183889]
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ kernel/bpf/verifier.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 8aa98a0591d6..8c353554628e 100644
+--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
+@@ -1061,6 +1061,11 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
+                break;
+        case PTR_TO_STACK:
+                pointer_desc = "stack ";
+               /* The stack spill tracking logic in check_stack_write()
+                * and check_stack_read() relies on stack accesses being
+                * aligned.
+                */
+               strict = true;
+                break;
+        default:
+                break;
+-- 
+2.20.1
author	Andreas Wellving <andreas.wellving@enea.com>	2019-05-21 14:31:26 +0200
committer	Adrian Mangeac <Adrian.Mangeac@enea.com>	2019-05-21 16:54:38 +0200
commit	7cc6f2646649f9ee3fcf59b3121742ac1f9e10ad (patch)
tree	9eba1df58551f5e8c7e4f0d0debdd90ce1ff5163
parent	d4365eb45c5f3a7f3965a5e2d6c5abf3c5aaedc1 (diff)
download	enea-kernel-cache-7cc6f2646649f9ee3fcf59b3121742ac1f9e10ad.tar.gz

diff --git a/patches/cve/CVE-2017-17856-bpf-force-strict-alignment-checks-for-stack-pointers.patch b/patches/cve/CVE-2017-17856-bpf-force-strict-alignment-checks-for-stack-pointers.patch new file mode 100644 index 0000000..e440dc2 --- /dev/null +++ b/patches/cve/CVE-2017-17856-bpf-force-strict-alignment-checks-for-stack-pointers.patch
@@ -0,0 +1,45 @@
	1	From c90268f7cbee0781331b96d1423d0f28a6183889 Mon Sep 17 00:00:00 2001
	2	From: Daniel Borkmann <daniel@iogearbox.net>
	3	Date: Fri, 22 Dec 2017 16:23:09 +0100
	4	Subject: [PATCH] bpf: force strict alignment checks for stack pointers
	5
	6	From: Jann Horn <jannh@google.com>
	7
	8	[ Upstream commit a5ec6ae161d72f01411169a938fa5f8baea16e8f ]
	9
	10	Force strict alignment checks for stack pointers because the tracking of
	11	stack spills relies on it; unaligned stack accesses can lead to corruption
	12	of spilled registers, which is exploitable.
	13
	14	CVE: CVE-2017-17856
	15	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=c90268f7cbee0781331b96d1423d0f28a6183889]
	16
	17	Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
	18	Signed-off-by: Jann Horn <jannh@google.com>
	19	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
	20	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	21	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	22	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	23	---
	24	kernel/bpf/verifier.c \| 5 +++++
	25	1 file changed, 5 insertions(+)
	26
	27	diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
	28	index 8aa98a0591d6..8c353554628e 100644
	29	--- a/kernel/bpf/verifier.c
	30	+++ b/kernel/bpf/verifier.c
	31	@@ -1061,6 +1061,11 @@ static int check_ptr_alignment(struct bpf_verifier_env *env,
	32	break;
	33	case PTR_TO_STACK:
	34	pointer_desc = "stack ";
	35	+ /* The stack spill tracking logic in check_stack_write()
	36	+ * and check_stack_read() relies on stack accesses being
	37	+ * aligned.
	38	+ */
	39	+ strict = true;
	40	break;
	41	default:
	42	break;
	43	--
	44	2.20.1
	45