)]}' { "commit": "e9c242e034a9c9cbde8ec42e6dc941cf8e4e27a5", "tree": "57baf12153a07171f344002920c9f27ae6612700", "parents": [ "50c0c67ba0865e5732effecd3fbacc3912cd2b80" ], "author": { "name": "Daniel Borkmann", "email": "daniel@iogearbox.net", "time": "Mon Oct 21 17:28:06 2024 +0200" }, "committer": { "name": "Kevin Berry", "email": "kpberry@google.com", "time": "Sat Jan 25 16:25:26 2025 -0800" }, "message": "bpf: Fix overloading of MEM_UNINIT\u0027s meaning\n\ncommit 8ea607330a39184f51737c6ae706db7fdca7628e upstream.\n\nLonial reported an issue in the BPF verifier where check_mem_size_reg()\nhas the following code:\n\n if (!tnum_is_const(reg-\u003evar_off))\n /* For unprivileged variable accesses, disable raw\n * mode so that the program is required to\n * initialize all the memory that the helper could\n * just partially fill up.\n */\n meta \u003d NULL;\n\nThis means that writes are not checked when the register containing the\nsize of the passed buffer has not a fixed size. Through this bug, a BPF\nprogram can write to a map which is marked as read-only, for example,\n.rodata global maps.\n\nThe problem is that MEM_UNINIT\u0027s initial meaning that \"the passed buffer\nto the BPF helper does not need to be initialized\" which was added back\nin commit 435faee1aae9 (\"bpf, verifier: add ARG_PTR_TO_RAW_STACK type\")\ngot overloaded over time with \"the passed buffer is being written to\".\n\nThe problem however is that checks such as the above which were added later\nvia 06c1c049721a (\"bpf: allow helpers access to variable memory\") set meta\nto NULL in order force the user to always initialize the passed buffer to\nthe helper. Due to the current double meaning of MEM_UNINIT, this bypasses\nverifier write checks to the memory (not boundary checks though) and only\nassumes the latter memory is read instead.\n\nFix this by reverting MEM_UNINIT back to its original meaning, and having\nMEM_WRITE as an annotation to BPF helpers in order to then trigger the\nBPF verifier checks for writing to memory.\n\nSome notes: check_arg_pair_ok() ensures that for ARG_CONST_SIZE{,_OR_ZERO}\nwe can access fn-\u003earg_type[arg - 1] since it must contain a preceding\nARG_PTR_TO_MEM. For check_mem_reg() the meta argument can be removed\naltogether since we do check both BPF_READ and BPF_WRITE. Same for the\nequivalent check_kfunc_mem_size_reg().\n\nBUG\u003db/376432884,b/380569401\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed KCTF-8ea6073 and CVE CVE-2024-50164 in the Linux kernel.\n\ncos-patch: security-high\nFixes: 7b3552d3f9f6 (\"bpf: Reject writes for PTR_TO_MAP_KEY in check_helper_mem_access\")\nFixes: 97e6d7dab1ca (\"bpf: Check PTR_TO_MEM | MEM_RDONLY in check_helper_mem_access\")\nFixes: 15baa55ff5b0 (\"bpf/verifier: allow all functions to read user provided context\")\nReported-by: Lonial Con \u003ckongln9170@gmail.com\u003e\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nAcked-by: Kumar Kartikeya Dwivedi \u003cmemxor@gmail.com\u003e\nLink: https://lore.kernel.org/r/20241021152809.33343-2-daniel@iogearbox.net\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: BRUNO VERNAY \u003cbruno.vernay@se.com\u003e\nSigned-off-by: Hugo SIMELIERE \u003chsimeliere.opensource@witekio.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nChange-Id: I45499c29322cf0d382f2305598de5ed355543e1d\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/91352\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Arnav Kansal \u003crnv@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "bdd5105337dc1a5a9db9ee5f69953c0d61e39cd1", "old_mode": 33188, "old_path": "kernel/bpf/verifier.c", "new_id": "ead1811534a0d554f692082ac72f0d8abe77f25d", "new_mode": 33188, "new_path": "kernel/bpf/verifier.c" } ] }