1 files changed, 38 insertions, 0 deletions

diff --git a/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch b/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch
new file mode 100644
index 0000000..dfed2c2
--- /dev/null
+++ b/patches/cve/CVE-2017-17857-bpf-fix-missing-error-return-in-check_stack_boundary.patch
@@ -0,0 +1,38 @@
+From 2120fca0ecfb4552d27608d409ebd3403ce02ce4 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Fri, 22 Dec 2017 16:23:08 +0100
+Subject: [PATCH] bpf: fix missing error return in check_stack_boundary()
+
+From: Jann Horn <jannh@google.com>
+
+Prevent indirect stack accesses at non-constant addresses, which would
+permit reading and corrupting spilled pointers.
+
+CVE: CVE-2017-17857
+Upstream-Status: Backport [https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-4.14.y&id=2120fca0ecfb4552d27608d409ebd3403ce02ce4]
+
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Andreas Wellving <andreas.wellving@enea.com>
+---
+ kernel/bpf/verifier.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 0c7e4c8a2b8a..8aa98a0591d6 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1303,6 +1303,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
+                tnum_strn(tn_buf, sizeof(tn_buf), regs[regno].var_off);
+                verbose("invalid variable stack read R%d var_off=%s\n",
+                        regno, tn_buf);
++               return -EACCES;
+        }
+        off = regs[regno].off + regs[regno].var_off.value;
+        if (off >= 0 || off < -MAX_BPF_STACK || off + access_size > 0 ||
+-- 
+2.20.1
+