)]}'
{
  "commit": "7fed98f4a1e6eb77a5d66ecfdf9345e21df6ac82",
  "tree": "3be178cb929ff1a7e81de2ce9dc50f7783ee51fc",
  "parents": [
    "1051a28b7255e6624d379f2bd45713352f9470cf"
  ],
  "author": {
    "name": "Daniel Borkmann",
    "email": "daniel@iogearbox.net",
    "time": "Thu Jun 07 17:40:03 2018 +0200"
  },
  "committer": {
    "name": "Greg Kroah-Hartman",
    "email": "gregkh@linuxfoundation.org",
    "time": "Sun Jan 12 12:12:02 2020 +0100"
  },
  "message": "bpf: reject passing modified ctx to helper functions\n\ncommit 58990d1ff3f7896ee341030e9a7c2e4002570683 upstream.\n\nAs commit 28e33f9d78ee (\"bpf: disallow arithmetic operations on\ncontext pointer\") already describes, f1174f77b50c (\"bpf/verifier:\nrework value tracking\") removed the specific white-listed cases\nwe had previously where we would allow for pointer arithmetic in\norder to further generalize it, and allow e.g. context access via\nmodified registers. While the dereferencing of modified context\npointers had been forbidden through 28e33f9d78ee, syzkaller did\nrecently manage to trigger several KASAN splats for slab out of\nbounds access and use after frees by simply passing a modified\ncontext pointer to a helper function which would then do the bad\naccess since verifier allowed it in adjust_ptr_min_max_vals().\n\nRejecting arithmetic on ctx pointer in adjust_ptr_min_max_vals()\ngenerally could break existing programs as there\u0027s a valid use\ncase in tracing in combination with passing the ctx to helpers as\nbpf_probe_read(), where the register then becomes unknown at\nverification time due to adding a non-constant offset to it. An\naccess sequence may look like the following:\n\n  offset \u003d args-\u003efilename;  /* field __data_loc filename */\n  bpf_probe_read(\u0026dst, len, (char *)args + offset); // args is ctx\n\nThere are two options: i) we could special case the ctx and as\nsoon as we add a constant or bounded offset to it (hence ctx type\nwouldn\u0027t change) we could turn the ctx into an unknown scalar, or\nii) we generalize the sanity test for ctx member access into a\nsmall helper and assert it on the ctx register that was passed\nas a function argument. Fwiw, latter is more obvious and less\ncomplex at the same time, and one case that may potentially be\nlegitimate in future for ctx member access at least would be for\nctx to carry a const offset. Therefore, fix follows approach\nfrom ii) and adds test cases to BPF kselftests.\n\nFixes: f1174f77b50c (\"bpf/verifier: rework value tracking\")\nReported-by: syzbot+3d0b2441dbb71751615e@syzkaller.appspotmail.com\nReported-by: syzbot+c8504affd4fdd0c1b626@syzkaller.appspotmail.com\nReported-by: syzbot+e5190cb881d8660fb1a3@syzkaller.appspotmail.com\nReported-by: syzbot+efae31b384d5badbd620@syzkaller.appspotmail.com\nSigned-off-by: Daniel Borkmann \u003cdaniel@iogearbox.net\u003e\nAcked-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nAcked-by: Yonghong Song \u003cyhs@fb.com\u003e\nAcked-by: Edward Cree \u003cecree@solarflare.com\u003e\nSigned-off-by: Alexei Starovoitov \u003cast@kernel.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\n\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "a4875ff0bab197f8e71aa0b0d3fdea141e55c5a6",
      "old_mode": 33188,
      "old_path": "kernel/bpf/verifier.c",
      "new_id": "be52b0529225ac96df628184c82d1cc9d5c67ffe",
      "new_mode": 33188,
      "new_path": "kernel/bpf/verifier.c"
    },
    {
      "type": "modify",
      "old_id": "913539aea645040e087602e6103031f4b90e7700",
      "old_mode": 33188,
      "old_path": "tools/testing/selftests/bpf/test_verifier.c",
      "new_id": "9babb3fef8e2e16b8e5e6beb5157a877f027e5a6",
      "new_mode": 33188,
      "new_path": "tools/testing/selftests/bpf/test_verifier.c"
    }
  ]
}
