git.baikalelectronics.ru Git - kernel.git/commit

author	Alexei Starovoitov <ast@kernel.org>
	Tue, 19 Dec 2017 04:12:00 +0000 (20:12 -0800)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Thu, 21 Dec 2017 01:15:41 +0000 (02:15 +0100)
commit	18f0cf409d4f271726a85e77c405e081ad78c51f
tree	1667911dc70762b44fac20651cd8e23b73c257cf	tree \| snapshot
parent	7bd87da931e8cc06d4803048f59e46e5c8a4e042	commit \| diff

bpf: fix integer overflows

There were various issues related to the limited size of integers used in
the verifier:
- `off + size` overflow in __check_map_access()
- `off + reg->off` overflow in check_mem_access()
- `off + reg->var_off.value` overflow or 32-bit truncation of
`reg->var_off.value` in check_mem_access()
- 32-bit truncation in check_stack_boundary()

Make sure that any integer math cannot overflow by not allowing
pointer math with large values.

Also reduce the scope of "scalar op scalar" tracking.

Fixes: d4b79d1043b4 ("bpf/verifier: rework value tracking")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>

include/linux/bpf_verifier.h		diff \| blob \| history
kernel/bpf/verifier.c		diff \| blob \| history