-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon-4.1/bpf-CVE-2016-2383.patch | 99 | ||||
-rw-r--r-- | recipes-kernel/linux/linux-hierofalcon_4.1.bb | 1 |
2 files changed, 100 insertions, 0 deletions
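--- /dev/null
+++ b/recipes-kernel/linux/linux-hierofalcon-4.1/bpf-CVE-2016-2383.patch
@@ -0,0 +1,99 @@
+From 0f912f6700a3f14481c13cbda2b9cc1b636948ac Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 10 Feb 2016 16:47:11 +0100
+Subject: [PATCH] bpf: fix branch offset adjustment on backjumps after patching
+ctx expansion
+
+[ Upstream commit a1b14d27ed0965838350f1377ff97c93ee383492 ]
+
+When ctx access is used, the kernel often needs to expand/rewrite
+instructions, so after that patching, branch offsets have to be
+adjusted for both forward and backward jumps in the new eBPF program,
+but for backward jumps it fails to account the delta. Meaning, for
+example, if the expansion happens exactly on the insn that sits at
+the jump target, it doesn't fix up the back jump offset.
+
+Analysis on what the check in adjust_branches() is currently doing:
+
+/* adjust offset of jmps if necessary */
+if (i < pos && i + insn->off + 1 > pos)
+insn->off += delta;
+else if (i > pos && i + insn->off + 1 < pos)
+insn->off -= delta;
+
+First condition (forward jumps):
+
+Before: After:
+
+insns[0] insns[0]
+insns[1] <--- i/insn insns[1] <--- i/insn
+insns[2] <--- pos insns[P] <--- pos
+insns[3] insns[P] `------| delta
+insns[4] <--- target_X insns[P] `-----|
+insns[5] insns[3]
+insns[4] <--- target_X
+insns[5]
+
+First case is if we cross pos-boundary and the jump instruction was
+before pos. This is handeled correctly. I.e. if i == pos, then this
+would mean our jump that we currently check was the patchlet itself
+that we just injected. Since such patchlets are self-contained and
+have no awareness of any insns before or after the patched one, the
+delta is correctly not adjusted. Also, for the second condition in
+case of i + insn->off + 1 == pos, means we jump to that newly patched
+instruction, so no offset adjustment are needed. That part is correct.
+
+Second condition (backward jumps):
+
+Before: After:
+
+insns[0] insns[0]
+insns[1] <--- target_X insns[1] <--- target_X
+insns[2] <--- pos <-- target_Y insns[P] <--- pos <-- target_Y
+insns[3] insns[P] `------| delta
+insns[4] <--- i/insn insns[P] `-----|
+insns[5] insns[3]
+insns[4] <--- i/insn
+insns[5]
+
+Second interesting case is where we cross pos-boundary and the jump
+instruction was after pos. Backward jump with i == pos would be
+impossible and pose a bug somewhere in the patchlet, so the first
+condition checking i > pos is okay only by itself. However, i +
+insn->off + 1 < pos does not always work as intended to trigger the
+adjustment. It works when jump targets would be far off where the
+delta wouldn't matter. But, for example, where the fixed insn->off
+before pointed to pos (target_Y), it now points to pos + delta, so
+that additional room needs to be taken into account for the check.
+This means that i) both tests here need to be adjusted into pos + delta,
+and ii) for the second condition, the test needs to be <= as pos
+itself can be a target in the backjump, too.
+
+Fixes CVE-2016-2383.
+Upstream-Status: Backport
+
+Fixes: 9bac3d6d548e ("bpf: allow extended BPF programs access skb fields")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+kernel/bpf/verifier.c | 2 +-
+1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 141d562..6582410 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1944,7 +1944,7 @@ static void adjust_branches(struct bpf_prog *prog, int pos, int delta)
+/* adjust offset of jmps if necessary */
+if (i < pos && i + insn->off + 1 > pos)
+insn->off += delta;
+- else if (i > pos && i + insn->off + 1 < pos)
++ else if (i > pos + delta && i + insn->off + 1 <= pos + delta)
+insn->off -= delta;
+}
+}
+--
+1.9.1
+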
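Review bot: The new patch file records the CVE only as free text, `Fixes CVE-2016-2383.` at its line 72, and not as the `CVE:` header tag that OpenEmbedded's cve-check tooling reads next to `Upstream-Status:`; adding a line `CVE: CVE-2016-2383` directly under `Upstream-Status: Backport` makes the fix machine-discoverable in the recipe's CVE report. The filename already carries the identifier, which may be sufficient for name-based matching in some tooling versions, so this is a metadata point rather than a functional one. The backported verifier change itself is a one-line condition update that matches the upstream commit the header references, and the rest of adjust_branches() lies outside the quoted hunk.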
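--- a/recipes-kernel/linux/linux-hierofalcon_4.1.bb
+++ b/recipes-kernel/linux/linux-hierofalcon_4.1.bb
@@ -34,6 +34,7 @@ SRC_URI = "git://git.yoctoproject.org/linux-yocto-4.1;branch="standard/qemuarm64
 file://ipc-CVE-2015-7613.patch \
 file://net-unix-CVE-2013-7446.patch \
 file://usb-CVE-2015-8816.patch \
+file://bpf-CVE-2016-2383.patch \
 "
 
 S = "${WORKDIR}/git"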