git.baikalelectronics.ru Git - kernel.git/commit
bpf: fix sanitation of alu op with pointer / scalar type from different paths
author Daniel Borkmann <daniel@iogearbox.net>
Sat, 5 Jan 2019 23:54:37 +0000 (00:54 +0100)
committer Alexei Starovoitov <ast@kernel.org>
Sun, 6 Jan 2019 05:32:38 +0000 (21:32 -0800)
commit fc96ea536621296ee664e058aeffd43f3eda3700
tree 921fb6e1b153c75a832e52659b7b9166b9174bec
parent d302b921d1eb8dd8954944a39cf24ea4c6d2d3ef
bpf: fix sanitation of alu op with pointer / scalar type from different paths

While 422fca2ce03f ("bpf: prevent out of bounds speculation on pointer
arithmetic") took care of rejecting alu op on pointer when e.g. pointer
came from two different map values with different map properties such as
value size, Jann reported that a case was not covered yet when a given
alu op is used in both "ptr_reg += reg" and "numeric_reg += reg" from
different branches where we would incorrectly try to sanitize based
on the pointer's limit. Catch this corner case and reject the program
instead.

Fixes: 422fca2ce03f ("bpf: prevent out of bounds speculation on pointer arithmetic")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
include/linux/bpf_verifier.h
kernel/bpf/verifier.c
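
Added illustration, not part of the commit or of the kernel source: a simplified C model of the corner case the commit message describes, where one ALU instruction is reached from two branches, once as "ptr_reg += reg" and once as "numeric_reg += reg". The struct, enum and function names and the limits 48 and 16 are assumptions made up for this sketch.

```c
/* Simplified model for illustration; names and values are assumptions,
 * not the kernel's verifier code. */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

enum reg_kind { REG_SCALAR, REG_PTR_TO_MAP_VALUE };

/* What the model remembers about one ALU instruction. */
struct insn_state {
    bool seen;               /* has any path reached this instruction yet? */
    enum reg_kind dst_kind;  /* destination type on the first path */
    uint32_t limit;          /* limit taken from the pointer, 0 for scalars */
};

/* Record how one explored path reaches the instruction. One instruction can
 * carry only one sanitization decision, so a later path that disagrees on
 * destination type or limit causes the program to be rejected. */
static int record_alu_state(struct insn_state *st, enum reg_kind kind,
                            uint32_t limit)
{
    if (kind == REG_SCALAR)
        limit = 0;           /* a scalar destination has no pointer limit */
    if (st->seen && (st->dst_kind != kind || st->limit != limit))
        return -EACCES;
    st->seen = true;
    st->dst_kind = kind;
    st->limit = limit;
    return 0;
}

/* Two branches that both fall through to the same "dst += reg". */
static int verify_two_paths(enum reg_kind k1, uint32_t l1,
                            enum reg_kind k2, uint32_t l2)
{
    struct insn_state add = { 0 };
    int err = record_alu_state(&add, k1, l1);
    return err ? err : record_alu_state(&add, k2, l2);
}

int main(void)
{
    /* Constructed cases: agreeing paths, then pointer vs scalar. */
    printf("%d\n", verify_two_paths(REG_PTR_TO_MAP_VALUE, 48, REG_PTR_TO_MAP_VALUE, 48));
    printf("%d\n", verify_two_paths(REG_PTR_TO_MAP_VALUE, 48, REG_SCALAR, 0));
    return 0;
}
```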