author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-08-02 09:51:06 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2018-08-02 09:51:06 -0400 |
commit | b7274c6e077388435e63e61459bdf8e997515d0d (patch) | |
tree | a00857db7db5e4a01baad872f624426d5f26679a | |
parent | 70eb7cf538de7c94107fe8f9b14ef926b50e0599 (diff) | |
download | longterm-queue-4.12-b7274c6e077388435e63e61459bdf8e997515d0d.tar.gz |
bpf: drop patch n/a for 4.12.x
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
-rw-r--r-- | queue/bpf-fix-branch-pruning-logic.patch | 117 | ||||
-rw-r--r-- | queue/series | 1 |
2 files changed, 0 insertions, 118 deletions
diff --git a/queue/bpf-fix-branch-pruning-logic.patch b/queue/bpf-fix-branch-pruning-logic.patch
deleted file mode 100644
index cfed4a8..0000000
--- a/queue/bpf-fix-branch-pruning-logic.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From c131187db2d3fa2f8bf32fdf4e9a4ef805168467 Mon Sep 17 00:00:00 2001
-From: Alexei Starovoitov <ast@fb.com>
-Date: Wed, 22 Nov 2017 16:42:05 -0800
-Subject: [PATCH] bpf: fix branch pruning logic
-
-commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 upstream.
-
-when the verifier detects that register contains a runtime constant
-and it's compared with another constant it will prune exploration
-of the branch that is guaranteed not to be taken at runtime.
-This is all correct, but malicious program may be constructed
-in such a way that it always has a constant comparison and
-the other branch is never taken under any conditions.
-In this case such path through the program will not be explored
-by the verifier. It won't be taken at run-time either, but since
-all instructions are JITed the malicious program may cause JITs
-to complain about using reserved fields, etc.
-To fix the issue we have to track the instructions explored by
-the verifier and sanitize instructions that are dead at run time
-with NOPs. We cannot reject such dead code, since llvm generates
-it for valid C code, since it doesn't do as much data flow
-analysis as the verifier does.
-
-Fixes: 17a5267067f3 ("bpf: verifier (add verifier core)")
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Acked-by: Daniel Borkmann <daniel@iogearbox.net>
-Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
-
-diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
-index b61482d354a2..c561b986bab0 100644
---- a/include/linux/bpf_verifier.h
-+++ b/include/linux/bpf_verifier.h
-@@ -115,7 +115,7 @@ struct bpf_insn_aux_data {
- struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */
- };
- int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
-- int converted_op_size; /* the valid value width after perceived conversion */
-+ bool seen; /* this insn was processed by the verifier */
- };
-
- #define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 308b0638ec5d..d4593571c404 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -3827,6 +3827,7 @@ static int do_check(struct bpf_verifier_env *env)
- return err;
-
- regs = cur_regs(env);
-+ env->insn_aux_data[insn_idx].seen = true;
- if (class == BPF_ALU || class == BPF_ALU64) {
- err = check_alu_op(env, insn);
- if (err)
-@@ -4022,6 +4023,7 @@ static int do_check(struct bpf_verifier_env *env)
- return err;
-
- insn_idx++;
-+ env->insn_aux_data[insn_idx].seen = true;
- } else {
- verbose(env, "invalid BPF_LD mode\n");
- return -EINVAL;
-@@ -4204,6 +4206,7 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
- u32 off, u32 cnt)
- {
- struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
-+ int i;
-
- if (cnt == 1)
- return 0;
-@@ -4213,6 +4216,8 @@ static int adjust_insn_aux_data(struct bpf_verifier_env *env, u32 prog_len,
- memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
- memcpy(new_data + off + cnt - 1, old_data + off,
- sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
-+ for (i = off; i < off + cnt - 1; i++)
-+ new_data[i].seen = true;
- env->insn_aux_data = new_data;
- vfree(old_data);
- return 0;
-@@ -4231,6 +4236,25 @@ static struct bpf_prog *bpf_patch_insn_data(struct bpf_verifier_env *env, u32 of
- return new_prog;
- }
-
-+/* The verifier does more data flow analysis than llvm and will not explore
-+ * branches that are dead at run time. Malicious programs can have dead code
-+ * too. Therefore replace all dead at-run-time code with nops.
-+ */
-+static void sanitize_dead_code(struct bpf_verifier_env *env)
-+{
-+ struct bpf_insn_aux_data *aux_data = env->insn_aux_data;
-+ struct bpf_insn nop = BPF_MOV64_REG(BPF_REG_0, BPF_REG_0);
-+ struct bpf_insn *insn = env->prog->insnsi;
-+ const int insn_cnt = env->prog->len;
-+ int i;
-+
-+ for (i = 0; i < insn_cnt; i++) {
-+ if (aux_data[i].seen)
-+ continue;
-+ memcpy(insn + i, &nop, sizeof(nop));
-+ }
-+}
-+
- /* convert load instructions that access fields of 'struct __sk_buff'
- * into sequence of instructions that access fields of 'struct sk_buff'
- */
-@@ -4557,6 +4581,9 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr)
- while (!pop_stack(env, NULL, NULL));
- free_states(env);
-
-+ if (ret == 0)
-+ sanitize_dead_code(env);
-+
- if (ret == 0)
- /* program is valid, convert *(u32*)(ctx + off) accesses */
- ret = convert_ctx_accesses(env);
---
-2.15.0
-
diff --git a/queue/series b/queue/series
index a14d5b1..7f70d0d 100644
--- a/queue/series
+++ b/queue/series
@@ -46,7 +46,6 @@ thermal-drivers-hisi-Fix-kernel-panic-on-alarm-inter.patch
 thermal-drivers-hisi-Simplify-the-temperature-step-c.patch
 thermal-drivers-hisi-Fix-multiple-alarm-interrupts-f.patch
 platform-x86-asus-wireless-send-an-EV_SYN-SYN_REPORT.patch
-bpf-fix-branch-pruning-logic.patch
 bpf-s390x-do-not-reload-skb-pointers-in-non-skb-cont.patch
 bpf-ppc64-do-not-reload-skb-pointers-in-non-skb-cont.patch
 bpf-sparc-fix-usage-of-wrong-reg-for-load_skb_regs-a.patch |