author Sona Sarmadi <sona.sarmadi@enea.com> 2016-04-01 12:33:51 (GMT)
committer Tudor Florea <tudor.florea@enea.com> 2016-04-07 00:10:15 (GMT)
commit 36a40ded7cf283f89b6d0f30bd474f822f94359d
tree 4776b583ea25dcba1aa953da2ffd9b74c76ef9a5
parent 4e3dbf27ce3d119bb7267c57f5dfb46c0b9b0da3
Kernel/bpf: CVE-2016-2383

Incorrect branch fixups for eBPF allow arbitrary read

Reference to CVE assignment:
http://seclists.org/oss-sec/2016/q1/333

Reference to upstream patch:
https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/patch/?id=0f912f6700a3f14481c13cbda2b9cc1b636948ac

Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
Signed-off-by: Tudor Florea <tudor.florea@enea.com>

-rw-r--r-- recipes-kernel/linux/linux-hierofalcon-4.1/bpf-CVE-2016-2383.patch 99
-rw-r--r-- recipes-kernel/linux/linux-hierofalcon_4.1.bb 1
2 files changed, 100 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-hierofalcon-4.1/bpf-CVE-2016-2383.patch b/recipes-kernel/linux/linux-hierofalcon-4.1/bpf-CVE-2016-2383.patch
new file mode 100644
index 0000000..d72d90d
--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/bpf-CVE-2016-2383.patch
@@ -0,0 +1,99 @@
1From 0f912f6700a3f14481c13cbda2b9cc1b636948ac Mon Sep 17 00:00:00 2001
2From: Daniel Borkmann <daniel@iogearbox.net>
3Date: Wed, 10 Feb 2016 16:47:11 +0100
4Subject: [PATCH] bpf: fix branch offset adjustment on backjumps after patching
5 ctx expansion
6
7[ Upstream commit a1b14d27ed0965838350f1377ff97c93ee383492 ]
8
9When ctx access is used, the kernel often needs to expand/rewrite
10instructions, so after that patching, branch offsets have to be
11adjusted for both forward and backward jumps in the new eBPF program,
12but for backward jumps it fails to account the delta. Meaning, for
13example, if the expansion happens exactly on the insn that sits at
14the jump target, it doesn't fix up the back jump offset.
15
16Analysis on what the check in adjust_branches() is currently doing:
17
18 /* adjust offset of jmps if necessary */
19 if (i < pos && i + insn->off + 1 > pos)
20 insn->off += delta;
21 else if (i > pos && i + insn->off + 1 < pos)
22 insn->off -= delta;
23
24First condition (forward jumps):
25
26 Before: After:
27
28 insns[0] insns[0]
29 insns[1] <--- i/insn insns[1] <--- i/insn
30 insns[2] <--- pos insns[P] <--- pos
31 insns[3] insns[P] `------| delta
32 insns[4] <--- target_X insns[P] `-----|
33 insns[5] insns[3]
34 insns[4] <--- target_X
35 insns[5]
36
37First case is if we cross pos-boundary and the jump instruction was
38before pos. This is handeled correctly. I.e. if i == pos, then this
39would mean our jump that we currently check was the patchlet itself
40that we just injected. Since such patchlets are self-contained and
41have no awareness of any insns before or after the patched one, the
42delta is correctly not adjusted. Also, for the second condition in
43case of i + insn->off + 1 == pos, means we jump to that newly patched
44instruction, so no offset adjustment are needed. That part is correct.
45
46Second condition (backward jumps):
47
48 Before: After:
49
50 insns[0] insns[0]
51 insns[1] <--- target_X insns[1] <--- target_X
52 insns[2] <--- pos <-- target_Y insns[P] <--- pos <-- target_Y
53 insns[3] insns[P] `------| delta
54 insns[4] <--- i/insn insns[P] `-----|
55 insns[5] insns[3]
56 insns[4] <--- i/insn
57 insns[5]
58
59Second interesting case is where we cross pos-boundary and the jump
60instruction was after pos. Backward jump with i == pos would be
61impossible and pose a bug somewhere in the patchlet, so the first
62condition checking i > pos is okay only by itself. However, i +
63insn->off + 1 < pos does not always work as intended to trigger the
64adjustment. It works when jump targets would be far off where the
65delta wouldn't matter. But, for example, where the fixed insn->off
66before pointed to pos (target_Y), it now points to pos + delta, so
67that additional room needs to be taken into account for the check.
68This means that i) both tests here need to be adjusted into pos + delta,
69and ii) for the second condition, the test needs to be <= as pos
70itself can be a target in the backjump, too.
71
72Fixes CVE-2016-2383.
73Upstream-Status: Backport
74
75Fixes: 9bac3d6d548e ("bpf: allow extended BPF programs access skb fields")
76Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
77Signed-off-by: David S. Miller <davem@davemloft.net>
78Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
79Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
80---
81 kernel/bpf/verifier.c | 2 +-
82 1 file changed, 1 insertion(+), 1 deletion(-)
83
84diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
85index 141d562..6582410 100644
86--- a/kernel/bpf/verifier.c
87+++ b/kernel/bpf/verifier.c
88@@ -1944,7 +1944,7 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
89 /* adjust offset of jmps if necessary */
90 if (i < pos && i + insn->off + 1 > pos)
91 insn->off += delta;
92- else if (i > pos && i + insn->off + 1 < pos)
93+ else if (i > pos + delta && i + insn->off + 1 <= pos + delta)
94 insn->off -= delta;
95 }
96 }
97--
981.9.1
99
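Review bot: The backported patch header (patch lines 72-73) records the CVE only as free text, "Fixes CVE-2016-2383.", beside "Upstream-Status: Backport"; a separate "CVE: CVE-2016-2383" tag line there, the form OpenEmbedded patch headers use, and a status line that names the source commit (the header already cites 0f912f6700a3f14481c13cbda2b9cc1b636948ac and upstream a1b14d27ed0965838350f1377ff97c93ee383492) would make the provenance easier to check. On the code change at patch line 93, the new test skips every jump with i in the range (pos, pos + delta], which fits the message's statement that patchlets are self-contained, but only if adjust_branches() runs after the patchlet has been copied into the program. The caller is not shown in this hunk, so confirm that ordering against the 4.1 tree this backport targets.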
diff --git a/recipes-kernel/linux/linux-hierofalcon_4.1.bb b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
index 8112cdd..1227c71 100644
--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -34,6 +34,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
34 file://ipc-CVE-2015-7613.patch \ 34 file://ipc-CVE-2015-7613.patch \
35 file://net-unix-CVE-2013-7446.patch \ 35 file://net-unix-CVE-2013-7446.patch \
36 file://usb-CVE-2015-8816.patch \ 36 file://usb-CVE-2015-8816.patch \
37 file://bpf-CVE-2016-2383.patch \
37 " 38 "
38 39
39S = "${WORKDIR}/git" 40S = "${WORKDIR}/git"
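Review bot: The new SRC_URI entry at line 37 applies bpf-CVE-2016-2383.patch on top of whatever revision of the linux-yocto-4.1 branch this recipe pins, and the hunk does not show that revision. Check that the pinned revision does not already contain stable commit 0f912f6700a3f14481c13cbda2b9cc1b636948ac, since the one-line change to adjust_branches() would then fail to apply or be redundant, and drop the entry once the kernel revision moves past that commit.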