Commit e232808
bpf: Reject indirect var_off stack access in unpriv mode
OpenAnolis Bug Tracker: 0000429
commit 088ec26 upstream.
Proper support of indirect stack access with variable offset in
unprivileged mode (!root) requires corresponding support in Spectre
masking for stack ALU in retrieve_ptr_limit().
There are no use-case for variable offset in unprivileged mode though so
make verifier reject such accesses for simplicity.
Pointer arithmetics is one (and only?) way to cause variable offset and
it's already rejected in unpriv mode so that verifier won't even get to
helper function whose argument contains variable offset, e.g.:
0: (7a) *(u64 *)(r10 -16) = 0
1: (7a) *(u64 *)(r10 -8) = 0
2: (61) r2 = *(u32 *)(r1 +0)
3: (57) r2 &= 4
4: (17) r2 -= 16
5: (0f) r2 += r10
variable stack access var_off=(0xfffffffffffffff0; 0x4) off=-16 size=1R2
stack pointer arithmetic goes out of range, prohibited for !root
Still it looks like a good idea to reject variable offset indirect stack
access for unprivileged mode in check_stack_boundary() explicitly.
Fixes: 2011fcc ("bpf: Support variable offset stack access from helpers")
Reported-by: Daniel Borkmann <[email protected]>
Signed-off-by: Andrey Ignatov <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
[OP: drop comment in retrieve_ptr_limit()]
Signed-off-by: Ovidiu Panait <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
Fixes: CVE-2021-34556, CVE-2021-35477
Signed-off-by: Shile Zhang <[email protected]>
Acked-by: Mao Wenan <[email protected]>1 parent 9e9a8da commit e232808
1 file changed
+13
-0
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1812 | 1812 | | |
1813 | 1813 | | |
1814 | 1814 | | |
| 1815 | + | |
| 1816 | + | |
| 1817 | + | |
| 1818 | + | |
| 1819 | + | |
| 1820 | + | |
| 1821 | + | |
| 1822 | + | |
| 1823 | + | |
| 1824 | + | |
| 1825 | + | |
| 1826 | + | |
| 1827 | + | |
1815 | 1828 | | |
1816 | 1829 | | |
1817 | 1830 | | |
| |||
0 commit comments