authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-03-23 12:30:29 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2020-03-23 12:30:29 +0100
commit0563fdf8ca1be4ead824153e7411ab5fe99d1d2c (patch)
tree2a9a3b548fabb26f09c384821ca7a57806c8552f
parent15c990fecc7f2e82254d2cb720f4a37f742b2e72 (diff)
downloadpatches-0563fdf8ca1be4ead824153e7411ab5fe99d1d2c.tar.gz
bpf patches
-rw-r--r--0001-bpf-explicitly-memset-the-bpf_attr-structure.patch45
-rw-r--r--0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch81
-rw-r--r--series2
3 files changed, 128 insertions, 0 deletions
diff --git a/0001-bpf-explicitly-memset-the-bpf_attr-structure.patch b/0001-bpf-explicitly-memset-the-bpf_attr-structure.patch
new file mode 100644
index 00000000000000..ab16c12026bb46
--- /dev/null
+++ b/0001-bpf-explicitly-memset-the-bpf_attr-structure.patch
@@ -0,0 +1,45 @@
+From ca46ef180f66f15ec6e4de7e872183aa6b90e887 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 20 Mar 2020 10:09:37 +0100
+Subject: [PATCH 1/2] bpf: explicitly memset the bpf_attr structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For the bpf syscall, we are relying on the compiler to properly zero out
+the bpf_attr union that we copy userspace data into. Unfortunately that
+doesn't always work properly, padding and other oddities might not be
+correctly zeroed, and in some tests odd things have been found when the
+stack is pre-initialized to other values.
+
+Fix this by explicitly memsetting the structure to 0 before using it.
+
+Reported-by: Maciej Żenczykowski <maze@google.com>
+Reported-by: John Stultz <john.stultz@linaro.org>
+Reported-by: Alexander Potapenko <glider@google.com>
+Reported-by: Alistair Delva <adelva@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/syscall.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3354,7 +3354,7 @@ err_put:
+
+ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
+ {
+- union bpf_attr attr = {};
++ union bpf_attr attr;
+ int err;
+
+ if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
+@@ -3366,6 +3366,7 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf
+ size = min_t(u32, size, sizeof(attr));
+
+ /* copy attributes from user space, may be less than sizeof(bpf_attr) */
++ memset(&attr, 0, sizeof(attr));
+ if (copy_from_user(&attr, uattr, size) != 0)
+ return -EFAULT;
+
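Review bot: The switch from `union bpf_attr attr = {};` to a bare declaration plus `memset(&attr, 0, sizeof(attr));` deserves a comment at the memset, because a later cleanup could easily revert it to the initializer it replaces. An empty-brace initializer on a union is only guaranteed to zero the first named member, so if (as is usual for a command union like this) that member is smaller than the union, the bytes beyond it that `copy_from_user` does not overwrite when `size < sizeof(attr)` could retain stack contents — which is exactly the exposure the commit message describes. Suggest `/* memset, not "= {}": a union initializer need only zero the first member, and size may be less than sizeof(attr) */` directly above the memset. The bpf syscall body continues outside the hunk, so where attr is consumed afterwards is not visible here.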
diff --git a/0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch b/0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch
new file mode 100644
index 00000000000000..dc3e0e99ba0d8d
--- /dev/null
+++ b/0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch
@@ -0,0 +1,81 @@
+From 32f493a17f62a2b144790b7b46054b9b4ee43f68 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 20 Mar 2020 17:18:56 +0100
+Subject: [PATCH 2/2] bpf: explicitly memset some bpf info structures declared
+ on the stack
+
+Trying to initialize a structure with "= {};" will not always clean out
+all padding locations in a structure. So be explicit and call memset to
+initialize everything for a number of bpf information structures that
+are then copied from userspace, sometimes from smaller memory locations
+than the size of the structure.
+
+Reported-by: Daniel Borkmann <daniel@iogearbox.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/btf.c | 3 ++-
+ kernel/bpf/syscall.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 787140095e58..2fc945fcf952 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -4564,7 +4564,7 @@ int btf_get_info_by_fd(const struct btf *btf,
+ union bpf_attr __user *uattr)
+ {
+ struct bpf_btf_info __user *uinfo;
+- struct bpf_btf_info info = {};
++ struct bpf_btf_info info;
+ u32 info_copy, btf_copy;
+ void __user *ubtf;
+ u32 uinfo_len;
+@@ -4573,6 +4573,7 @@ int btf_get_info_by_fd(const struct btf *btf,
+ uinfo_len = attr->info.info_len;
+
+ info_copy = min_t(u32, uinfo_len, sizeof(info));
++ memset(&info, 0, sizeof(info));
+ if (copy_from_user(&info, uinfo, info_copy))
+ return -EFAULT;
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index a4b1de8ea409..84213cc5d016 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -2787,7 +2787,7 @@ static int bpf_prog_get_info_by_fd(struct bpf_prog *prog,
+ union bpf_attr __user *uattr)
+ {
+ struct bpf_prog_info __user *uinfo = u64_to_user_ptr(attr->info.info);
+- struct bpf_prog_info info = {};
++ struct bpf_prog_info info;
+ u32 info_len = attr->info.info_len;
+ struct bpf_prog_stats stats;
+ char __user *uinsns;
+@@ -2799,6 +2799,7 @@ static int bpf_prog_get_info_by_fd(struct bpf_prog *prog,
+ return err;
+ info_len = min_t(u32, sizeof(info), info_len);
+
++ memset(&info, 0, sizeof(info));
+ if (copy_from_user(&info, uinfo, info_len))
+ return -EFAULT;
+
+@@ -3062,7 +3063,7 @@ static int bpf_map_get_info_by_fd(struct bpf_map *map,
+ union bpf_attr __user *uattr)
+ {
+ struct bpf_map_info __user *uinfo = u64_to_user_ptr(attr->info.info);
+- struct bpf_map_info info = {};
++ struct bpf_map_info info;
+ u32 info_len = attr->info.info_len;
+ int err;
+
+@@ -3071,6 +3072,7 @@ static int bpf_map_get_info_by_fd(struct bpf_map *map,
+ return err;
+ info_len = min_t(u32, sizeof(info), info_len);
+
++ memset(&info, 0, sizeof(info));
+ info.type = map->map_type;
+ info.id = map->id;
+ info.key_size = map->key_size;
+--
+2.25.2
+
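Review bot: The trailer `Reported-by: Daniel Borkmann <daniel@iogearbox.net` in the embedded patch's commit message is missing its closing `>`; it should read `Reported-by: Daniel Borkmann <daniel@iogearbox.net>` before this goes upstream, since trailer parsers and Cc extraction key on a well-formed address. On the code side, the memset added in bpf_map_get_info_by_fd is the only one of the four with no `copy_from_user` beside it: the struct is filled field by field from the next line on, so the memset is presumably there to clear padding and any fields not assigned before the info is copied back to userspace — that copy is outside the hunk, and a one-line comment such as `/* zero padding too: info is copied out to userspace as a whole */` would make the intent survive a cleanup back to `= {}`. Patch 1 carries `Cc: stable` while this one does not, although both address the same class of uninitialized-stack exposure; worth confirming that is intentional. Each of the three info functions continues outside its hunk.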
diff --git a/series b/series
index 3403ee2a1adcfc..dbb51a2009a906 100644
--- a/series
+++ b/series
@@ -1,4 +1,6 @@
#
+0001-bpf-explicitly-memset-the-bpf_attr-structure.patch
+0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch
0001-tty-serial-samsung_tty-build-it-for-any-platform.patch
0002-tty-serial-samsung_tty-remove-SERIAL_SAMSUNG_DEBUG.patch
dynamic_debug-allow-to-work-if-debugfs-is-disabled.patch