{
  "commit": "888f6019304c56d32ff9a3d14a09b32683e00a02",
  "tree": "a94a0f8bd7ae59746f6d4867eb8d707fbc6689bd",
  "parents": [
    "891c14d471a1d7021bbcb5b4b6b4462bdec7f947"
  ],
  "author": {
    "name": "Hao Sun",
    "email": "sunhao.th@gmail.com",
    "time": "Mon Jan 15 09:20:27 2024 +0100"
  },
  "committer": {
    "name": "COS Cherry Picker",
    "email": "cloud-image-release@prod.google.com",
    "time": "Fri Mar 22 14:41:28 2024 -0700"
  },
  "message": "bpf: Reject variable offset alu on PTR_TO_FLOW_KEYS\n\n[ Upstream commit 22c7fa171a02d310e3a3f6ed46a698ca8a0060ed ]\n\nFor PTR_TO_FLOW_KEYS, check_flow_keys_access() only uses fixed off\nfor validation. However, variable offset ptr alu is not prohibited\nfor this ptr kind. So the variable offset is not checked.\n\nThe following prog is accepted:\n\n  func#0 @0\n  0: R1=ctx() R10=fp0\n  0: (bf) r6 = r1                       ; R1=ctx() R6_w=ctx()\n  1: (79) r7 = *(u64 *)(r6 +144)        ; R6_w=ctx() R7_w=flow_keys()\n  2: (b7) r8 = 1024                     ; R8_w=1024\n  3: (37) r8 /= 1                       ; R8_w=scalar()\n  4: (57) r8 &= 1024                    ; R8_w=scalar(smin=smin32=0,\n  smax=umax=smax32=umax32=1024,var_off=(0x0; 0x400))\n  5: (0f) r7 += r8\n  mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1\n  mark_precise: frame0: regs=r8 stack= before 4: (57) r8 &= 1024\n  mark_precise: frame0: regs=r8 stack= before 3: (37) r8 /= 1\n  mark_precise: frame0: regs=r8 stack= before 2: (b7) r8 = 1024\n  6: R7_w=flow_keys(smin=smin32=0,smax=umax=smax32=umax32=1024,var_off\n  =(0x0; 0x400)) R8_w=scalar(smin=smin32=0,smax=umax=smax32=umax32=1024,\n  var_off=(0x0; 0x400))\n  6: (79) r0 = *(u64 *)(r7 +0)          ; R0_w=scalar()\n  7: (95) exit\n\nThis prog loads flow_keys to r7, and adds the variable offset r8\nto r7, and finally causes out-of-bounds access:\n\n  BUG: unable to handle page fault for address: ffffc90014c80038\n  [...]\n  Call Trace:\n   <TASK>\n   bpf_dispatcher_nop_func include/linux/bpf.h:1231 [inline]\n   __bpf_prog_run include/linux/filter.h:651 [inline]\n   bpf_prog_run include/linux/filter.h:658 [inline]\n   bpf_prog_run_pin_on_cpu include/linux/filter.h:675 [inline]\n   bpf_flow_dissect+0x15f/0x350 net/core/flow_dissector.c:991\n   bpf_prog_test_run_flow_dissector+0x39d/0x620 net/bpf/test_run.c:1359\n   bpf_prog_test_run kernel/bpf/syscall.c:4107 [inline]\n   __sys_bpf+0xf8f/0x4560 kernel/bpf/syscall.c:5475\n   __do_sys_bpf kernel/bpf/syscall.c:5561 [inline]\n   __se_sys_bpf kernel/bpf/syscall.c:5559 [inline]\n   __x64_sys_bpf+0x73/0xb0 kernel/bpf/syscall.c:5559\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0x3f/0x110 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x63/0x6b\n\nFix this by rejecting ptr alu with variable offset on flow_keys.\nApplying the patch rejects the program with \"R7 pointer arithmetic\non flow_keys prohibited\".\n\nBUG=b/330305698\nTEST=presubmit\nRELEASE_NOTE=Fixed CVE-2024-26589 in the Linux kernel.\n\ncos-patch: security-high\nFixes: d58e468b1112 (\"flow_dissector: implements flow dissector BPF hook\")\nSigned-off-by: Hao Sun <sunhao.th@gmail.com>\nSigned-off-by: Daniel Borkmann <daniel@iogearbox.net>\nAcked-by: Yonghong Song <yonghong.song@linux.dev>\nLink: https://lore.kernel.org/bpf/20240115082028.9992-1-sunhao.th@gmail.com\nSigned-off-by: Sasha Levin <sashal@kernel.org>\nChange-Id: Idf0c7cd576eda5ab4ad5c69950b35e29e1eceba5\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/67850\nMain-Branch-Verified: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>\nTested-by: Cusky Presubmit Bot <presubmit@cos-infra-prod.iam.gserviceaccount.com>\nReviewed-by: Anil Altinay <aaltinay@google.com>\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "45b20590bcecbd1ed99083845c6c291733e5bf03",
      "old_mode": 33188,
      "old_path": "kernel/bpf/verifier.c",
      "new_id": "35e712666598f3e0aa2f2ae1fe60895d88d37e60",
      "new_mode": 33188,
      "new_path": "kernel/bpf/verifier.c"
    }
  ]
}
