1 files changed, 58 insertions, 0 deletions
diff --git a/patches/cve/CVE-2017-17855-bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch b/patches/cve/CVE-2017-17855-bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
new file mode 100644
index 0000000..713e011
--- /dev/null
+++ b/patches/cve/CVE-2017-17855-bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
@@ -0,0 +1,58 @@
+From cb56cc1b292b8b3f787fad89f1208f8e98d12c7d Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Fri, 22 Dec 2017 16:23:10 +0100
+Subject: [PATCH] bpf: don't prune branches when a scalar is replaced with a
+ pointer
+From: Jann Horn <jannh@google.com>
+[ Upstream commit 179d1c5602997fef5a940c6ddcf31212cbfebd14 ]
+This could be made safe by passing through a reference to env and checking
+for env->allow_ptr_leaks, but it would only work one way and is probably
+not worth the hassle - not doing it will not directly lead to program
+rejection.
+CVE: CVE-2017-17855
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=cb56cc1b292b8b3f787fad89f1208f8e98d12c7d]
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ kernel/bpf/verifier.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 8c353554628e..5a30eda17c4f 100644
+--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
+@@ -3337,15 +3337,14 @@ static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
+                        return range_within(rold, rcur) &&
+                               tnum_in(rold->var_off, rcur->var_off);
+                } else {
+-                       /* if we knew anything about the old value, we're not
+-                        * equal, because we can't know anything about the
+-                        * scalar value of the pointer in the new value.
+                       /* We're trying to use a pointer in place of a scalar.
+                        * Even if the scalar was unbounded, this could lead to
+                        * pointer leaks because scalars are allowed to leak
+                        * while pointers are not. We could make this safe in
+                        * special cases if root is calling us, but it's
+                        * probably not worth the hassle.
+                         */
+-                       return rold->umin_value == 0 &&
+-                              rold->umax_value == U64_MAX &&
+-                              rold->smin_value == S64_MIN &&
+-                              rold->smax_value == S64_MAX &&
+-                              tnum_is_unknown(rold->var_off);
+                       return false;
+                }
+        case PTR_TO_MAP_VALUE:
+                /* If the new min/max/var_off satisfy the old ones and
+-- 
+2.20.1

diff --git a/patches/cve/CVE-2017-17855-bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch b/patches/cve/CVE-2017-17855-bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch new file mode 100644 index 0000000..713e011 --- /dev/null +++ b/patches/cve/CVE-2017-17855-bpf-don-t-prune-branches-when-a-scalar-is-replaced-w.patch
@@ -0,0 +1,58 @@
	1	From cb56cc1b292b8b3f787fad89f1208f8e98d12c7d Mon Sep 17 00:00:00 2001
	2	From: Daniel Borkmann <daniel@iogearbox.net>
	3	Date: Fri, 22 Dec 2017 16:23:10 +0100
	4	Subject: [PATCH] bpf: don't prune branches when a scalar is replaced with a
	5	pointer
	6
	7	From: Jann Horn <jannh@google.com>
	8
	9	[ Upstream commit 179d1c5602997fef5a940c6ddcf31212cbfebd14 ]
	10
	11	This could be made safe by passing through a reference to env and checking
	12	for env->allow_ptr_leaks, but it would only work one way and is probably
	13	not worth the hassle - not doing it will not directly lead to program
	14	rejection.
	15
	16	CVE: CVE-2017-17855
	17	Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=cb56cc1b292b8b3f787fad89f1208f8e98d12c7d]
	18
	19	Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
	20	Signed-off-by: Jann Horn <jannh@google.com>
	21	Signed-off-by: Alexei Starovoitov <ast@kernel.org>
	22	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	23	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	24	Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
	25	---
	26	kernel/bpf/verifier.c \| 15 +++++++--------
	27	1 file changed, 7 insertions(+), 8 deletions(-)
	28
	29	diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
	30	index 8c353554628e..5a30eda17c4f 100644
	31	--- a/kernel/bpf/verifier.c
	32	+++ b/kernel/bpf/verifier.c
	33	@@ -3337,15 +3337,14 @@ static bool regsafe(struct bpf_reg_state rold, struct bpf_reg_state rcur,
	34	return range_within(rold, rcur) &&
	35	tnum_in(rold->var_off, rcur->var_off);
	36	} else {
	37	- /* if we knew anything about the old value, we're not
	38	- * equal, because we can't know anything about the
	39	- * scalar value of the pointer in the new value.
	40	+ /* We're trying to use a pointer in place of a scalar.
	41	+ * Even if the scalar was unbounded, this could lead to
	42	+ * pointer leaks because scalars are allowed to leak
	43	+ * while pointers are not. We could make this safe in
	44	+ * special cases if root is calling us, but it's
	45	+ * probably not worth the hassle.
	46	*/
	47	- return rold->umin_value == 0 &&
	48	- rold->umax_value == U64_MAX &&
	49	- rold->smin_value == S64_MIN &&
	50	- rold->smax_value == S64_MAX &&
	51	- tnum_is_unknown(rold->var_off);
	52	+ return false;
	53	}
	54	case PTR_TO_MAP_VALUE:
	55	/* If the new min/max/var_off satisfy the old ones and
	56	--
	57	2.20.1
	58