linux-hardened/samples
Alexei Starovoitov 725f9dcd58 bpf: fix two bugs in verification logic when accessing 'ctx' pointer
1.
first bug is a silly mistake. It broke tracing examples and prevented
simple bpf programs from loading.

In the following code:
if (insn->imm == 0 && BPF_SIZE(insn->code) == BPF_W) {
} else if (...) {
  // this part should have been executed when
  // insn->code == BPF_W and insn->imm != 0
}

Obviously it's not doing that. So simple instructions like:
r2 = *(u64 *)(r1 + 8)
will be rejected. Note the comments in the code around these branches
were and still valid and indicate the true intent.

Replace it with:
if (BPF_SIZE(insn->code) != BPF_W)
  continue;

if (insn->imm == 0) {
} else if (...) {
  // now this code will be executed when
  // insn->code == BPF_W and insn->imm != 0
}

2.
second bug is more subtle.
If malicious code is using the same dest register as source register,
the checks designed to prevent the same instruction to be used with different
pointer types will fail to trigger, since we were assigning src_reg_type
when it was already overwritten by check_mem_access().
The fix is trivial. Just move line:
src_reg_type = regs[insn->src_reg].type;
before check_mem_access().
Add new 'access skb fields bad4' test to check this case.

Fixes: 9bac3d6d54 ("bpf: allow extended BPF programs access skb fields")
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-04-16 14:08:49 -04:00
..
bpf bpf: fix two bugs in verification logic when accessing 'ctx' pointer 2015-04-16 14:08:49 -04:00
hidraw HID: samples/hidraw: make it possible to select device 2015-03-15 10:11:21 -04:00
hw_breakpoint perf: Add context field to perf_event 2011-07-01 11:06:38 +02:00
kdb kdb: Add kdb kernel module sample 2010-10-29 13:14:39 -05:00
kfifo kfifo API type safety 2013-11-15 09:32:23 +09:00
kobject samples/kobject: be explicit in the module license 2015-03-25 13:41:42 +01:00
kprobes kprobes: update jprobe_example.c for do_fork() change 2014-09-26 11:11:12 +02:00
livepatch livepatch: rename config to CONFIG_LIVEPATCH 2015-02-04 11:25:51 +01:00
pktgen samples/pktgen: Show the results rather than just commenting where they are 2015-02-23 22:04:25 -05:00
rpmsg misc: remove __dev* attributes. 2013-01-03 15:57:16 -08:00
seccomp samples/seccomp: improve label helper 2015-02-17 14:34:55 -08:00
trace_events tracing/samples: Update the trace-event-sample.h with TRACE_DEFINE_ENUM() 2015-04-08 09:39:58 -04:00
uhid HID: uhid: improve uhid example client 2013-09-04 11:35:14 +02:00
Kconfig livepatch: rename config to CONFIG_LIVEPATCH 2015-02-04 11:25:51 +01:00
Makefile livepatch: samples: add sample live patching module 2014-12-22 15:40:49 +01:00