author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-03-23 12:30:29 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2020-03-23 12:30:29 +0100 |
commit | 0563fdf8ca1be4ead824153e7411ab5fe99d1d2c (patch) | |
tree | 2a9a3b548fabb26f09c384821ca7a57806c8552f | |
parent | 15c990fecc7f2e82254d2cb720f4a37f742b2e72 (diff) | |
download | patches-0563fdf8ca1be4ead824153e7411ab5fe99d1d2c.tar.gz |
bpf aptches
-rw-r--r-- | 0001-bpf-explicitly-memset-the-bpf_attr-structure.patch | 45 | ||||
-rw-r--r-- | 0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch | 81 | ||||
-rw-r--r-- | series | 2 |
3 files changed, 128 insertions, 0 deletions
diff --git a/0001-bpf-explicitly-memset-the-bpf_attr-structure.patch b/0001-bpf-explicitly-memset-the-bpf_attr-structure.patch
new file mode 100644
index 00000000000000..ab16c12026bb46
--- /dev/null
+++ b/0001-bpf-explicitly-memset-the-bpf_attr-structure.patch
@@ -0,0 +1,45 @@
+From ca46ef180f66f15ec6e4de7e872183aa6b90e887 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 20 Mar 2020 10:09:37 +0100
+Subject: [PATCH 1/2] bpf: explicitly memset the bpf_attr structure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+For the bpf syscall, we are relying on the compiler to properly zero out
+the bpf_attr union that we copy userspace data into. Unfortunately that
+doesn't always work properly, padding and other oddities might not be
+correctly zeroed, and in some tests odd things have been found when the
+stack is pre-initialized to other values.
+
+Fix this by explicitly memsetting the structure to 0 before using it.
+
+Reported-by: Maciej Żenczykowski <maze@google.com>
+Reported-by: John Stultz <john.stultz@linaro.org>
+Reported-by: Alexander Potapenko <glider@google.com>
+Reported-by: Alistair Delva <adelva@google.com>
+Cc: stable <stable@vger.kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/syscall.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -3354,7 +3354,7 @@ err_put:
+
+ SYSCALL_DEFINE3(bpf, int, cmd, union bpf_attr __user *, uattr, unsigned int, size)
+ {
+- union bpf_attr attr = {};
++ union bpf_attr attr;
+ int err;
+
+ if (sysctl_unprivileged_bpf_disabled && !capable(CAP_SYS_ADMIN))
+@@ -3366,6 +3366,7 @@ SYSCALL_DEFINE3(bpf, int, cmd, union bpf
+ size = min_t(u32, size, sizeof(attr));
+
+ /* copy attributes from user space, may be less than sizeof(bpf_attr) */
++ memset(&attr, 0, sizeof(attr));
+ if (copy_from_user(&attr, uattr, size) != 0)
+ return -EFAULT;
+
diff --git a/0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch b/0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch
new file mode 100644
index 00000000000000..dc3e0e99ba0d8d
--- /dev/null
+++ b/0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch
@@ -0,0 +1,81 @@
+From 32f493a17f62a2b144790b7b46054b9b4ee43f68 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Fri, 20 Mar 2020 17:18:56 +0100
+Subject: [PATCH 2/2] bpf: explicitly memset some bpf info structures declared
+ on the stack
+
+Trying to initialize a structure with "= {};" will not always clean out
+all padding locations in a structure. So be explicit and call memset to
+initialize everything for a number of bpf information structures that
+are then copied from userspace, sometimes from smaller memory locations
+than the size of the structure.
+
+Reported-by: Daniel Borkmann <daniel@iogearbox.net
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/btf.c | 3 ++-
+ kernel/bpf/syscall.c | 6 ++++--
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index 787140095e58..2fc945fcf952 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -4564,7 +4564,7 @@ int btf_get_info_by_fd(const struct btf *btf,
+ union bpf_attr __user *uattr)
+ {
+ struct bpf_btf_info __user *uinfo;
+- struct bpf_btf_info info = {};
++ struct bpf_btf_info info;
+ u32 info_copy, btf_copy;
+ void __user *ubtf;
+ u32 uinfo_len;
+@@ -4573,6 +4573,7 @@ int btf_get_info_by_fd(const struct btf *btf,
+ uinfo_len = attr->info.info_len;
+
+ info_copy = min_t(u32, uinfo_len, sizeof(info));
++ memset(&info, 0, sizeof(info));
+ if (copy_from_user(&info, uinfo, info_copy))
+ return -EFAULT;
+
+diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
+index a4b1de8ea409..84213cc5d016 100644
+--- a/kernel/bpf/syscall.c
++++ b/kernel/bpf/syscall.c
+@@ -2787,7 +2787,7 @@ static int bpf_prog_get_info_by_fd(struct bpf_prog *prog,
+ union bpf_attr __user *uattr)
+ {
+ struct bpf_prog_info __user *uinfo = u64_to_user_ptr(attr->info.info);
+- struct bpf_prog_info info = {};
++ struct bpf_prog_info info;
+ u32 info_len = attr->info.info_len;
+ struct bpf_prog_stats stats;
+ char __user *uinsns;
+@@ -2799,6 +2799,7 @@ static int bpf_prog_get_info_by_fd(struct bpf_prog *prog,
+ return err;
+ info_len = min_t(u32, sizeof(info), info_len);
+
++ memset(&info, 0, sizeof(info));
+ if (copy_from_user(&info, uinfo, info_len))
+ return -EFAULT;
+
+@@ -3062,7 +3063,7 @@ static int bpf_map_get_info_by_fd(struct bpf_map *map,
+ union bpf_attr __user *uattr)
+ {
+ struct bpf_map_info __user *uinfo = u64_to_user_ptr(attr->info.info);
+- struct bpf_map_info info = {};
++ struct bpf_map_info info;
+ u32 info_len = attr->info.info_len;
+ int err;
+
+@@ -3071,6 +3072,7 @@ static int bpf_map_get_info_by_fd(struct bpf_map *map,
+ return err;
+ info_len = min_t(u32, sizeof(info), info_len);
+
++ memset(&info, 0, sizeof(info));
+ info.type = map->map_type;
+ info.id = map->id;
+ info.key_size = map->key_size;
+--
+2.25.2
+
@@ -1,4 +1,6 @@
 #
+0001-bpf-explicitly-memset-the-bpf_attr-structure.patch
+0002-bpf-explicitly-memset-some-bpf-info-structures-decla.patch
 0001-tty-serial-samsung_tty-build-it-for-any-platform.patch
 0002-tty-serial-samsung_tty-remove-SERIAL_SAMSUNG_DEBUG.patch
 dynamic_debug-allow-to-work-if-debugfs-is-disabled.patch |
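Review bot: None of the added `memset()` calls — `memset(&info, 0, sizeof(info));` in btf_get_info_by_fd, bpf_prog_get_info_by_fd and bpf_map_get_info_by_fd in patch 2/2, and `memset(&attr, 0, sizeof(attr));` in the bpf syscall in patch 1/2 — has a comment saying why it replaces `= {}`, so a later cleanup could fold it back into an initializer and, per the commit messages, leave padding uncleared again in structures exchanged with user space. I would put a one-line comment above each call, e.g. `/* memset() rather than "= {}": the initializer may leave padding uninitialized */`. In patch 2/2 the `Reported-by: Daniel Borkmann <daniel@iogearbox.net` trailer is missing its closing `>`, and unlike 1/2 it has no `Cc: stable` line, which is worth adding if both fixes are meant for stable trees. All four function bodies start or end outside the hunks shown.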