projects / GitHub / LineageOS / android_kernel_motorola_exynos9610.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: cb56cc1) | patch
bpf: fix integer overflows
authorDaniel Borkmann <daniel@iogearbox.net>
Fri, 22 Dec 2017 15:23:11 +0000 (16:23 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 25 Dec 2017 13:26:33 +0000 (14:26 +0100)
commitde31796c052e47c99b1bb342bc70aa826733e862
tree1f80ef91734f88c3d273f935a525084c050989bftree | snapshot (tar.gz zip)
parentcb56cc1b292b8b3f787fad89f1208f8e98d12c7dcommit | diff
bpf: fix integer overflows

From: Alexei Starovoitov <ast@kernel.org>

[ Upstream commit bb7f0f989ca7de1153bd128a40a71709e339fa03 ]

There were various issues related to the limited size of integers used in
the verifier:
 - `off + size` overflow in __check_map_access()
 - `off + reg->off` overflow in check_mem_access()
 - `off + reg->var_off.value` overflow or 32-bit truncation of
   `reg->var_off.value` in check_mem_access()
 - 32-bit truncation in check_stack_boundary()

Make sure that any integer math cannot overflow by not allowing
pointer math with large values.

Also reduce the scope of "scalar op scalar" tracking.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
include/linux/bpf_verifier.h diff | blob | blame | history
kernel/bpf/verifier.c diff | blob | blame | history