Re: [PATCH 5.4 10/36] bpf: Fix tnum constraints for 32-bit comparisons

From: Daniel Borkmann
Date: Tue Apr 07 2020 - 06:45:27 EST

Next message: Manivannan Sadhasivam: "Re: [PATCH] bus: mhi: core: Fix a NULL vs IS_ERR check in mhi_create_devices()"
Previous message: Christian Brauner: "Re: [PATCH] kernel/time: Add max_time_namespaces ucount"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 10/36] bpf: Fix tnum constraints for 32-bit comparisons"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH 5.4 10/36] bpf: Fix tnum constraints for 32-bit comparisons"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hey Sasha, hey Greg,

On 4/7/20 12:21 PM, Greg Kroah-Hartman wrote:

From: Jann Horn <jannh@xxxxxxxxxx>

[ Upstream commit 604dca5e3af1db98bd123b7bfc02b017af99e3a0 ]

The BPF verifier tried to track values based on 32-bit comparisons by
(ab)using the tnum state via 581738a681b6 ("bpf: Provide better register
bounds after jmp32 instructions"). The idea is that after a check like
this:

if ((u32)r0 > 3)
exit

We can't meaningfully constrain the arithmetic-range-based tracking, but
we can update the tnum state to (value=0,mask=0xffff'ffff'0000'0003).
However, the implementation from 581738a681b6 didn't compute the tnum
constraint based on the fixed operand, but instead derives it from the
arithmetic-range-based tracking. This means that after the following
sequence of operations:

if (r0 >= 0x1'0000'0001)
exit
if ((u32)r0 > 7)
exit

The verifier assumed that the lower half of r0 is in the range (0, 0)
and apply the tnum constraint (value=0,mask=0xffff'ffff'0000'0000) thus
causing the overall tnum to be (value=0,mask=0x1'0000'0000), which was
incorrect. Provide a fixed implementation.

Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")
Signed-off-by: Jann Horn <jannh@xxxxxxxxxx>
Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx>
Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
Link: https://lore.kernel.org/bpf/20200330160324.15259-3-daniel@xxxxxxxxxxxxx
Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

We've already addressed this issue (CVE-2020-8835) on 5.4/5.5/5.6 kernels through
the following backports:

https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.4.y&id=8d62a8c7489a68b5738390b008134a644aa9b383
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.5.y&id=0ebc01466d98d016eb6a3780ec8edb0c86fa48bc
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.6.y&id=6797143df51c8ae259aa4bfe4e99c832b20bde8a

Given the severity of the issue, we concluded that revert-only is the best and
most straight forward way to address it for stable.

Was this selected via Sasha's ML mechanism? Should there be a commit tag to opt-out
for some commits being selected? E.g. this one 581738a681b6 ("bpf: Provide better
register bounds after jmp32 instructions") already fell through our radar and wrongly
made its way into 5.4 where it should have never landed. :/

Thanks,
Daniel

Next message: Manivannan Sadhasivam: "Re: [PATCH] bus: mhi: core: Fix a NULL vs IS_ERR check in mhi_create_devices()"
Previous message: Christian Brauner: "Re: [PATCH] kernel/time: Add max_time_namespaces ucount"
In reply to: Greg Kroah-Hartman: "[PATCH 5.4 10/36] bpf: Fix tnum constraints for 32-bit comparisons"
Next in thread: Greg Kroah-Hartman: "Re: [PATCH 5.4 10/36] bpf: Fix tnum constraints for 32-bit comparisons"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]