ACK: Re: ACK/cmnt: [SRU][Xenial][PATCH v2] UBUNTU: SAUCE: Add missing hunks from "bpf: fix branch pruning logic"
Stefan Bader
stefan.bader at canonical.com
Fri Apr 20 08:42:08 UTC 2018
> On 04/19/2018 08:03 PM, Seth Forshee wrote:
>> BugLink: http://bugs.launchpad.net/bugs/1763454
>>
>> At the time this commit was backported some of the code it
>> modifies was not present. When the code was later introduced from
>> upstream stable it did not get the changes from this commit.
>> Backport those changes now.
>>
>> v2: Also remove errant marking of instruction as seen from the
>> backport.
>>
>> CVE-2017-17862
Fixes: 68dd63b26223 ("bpf: fix branch pruning logic")
>> Signed-off-by: Seth Forshee <seth.forshee at canonical.com>
Acked-by: Juerg Haefliger <juergh at canonical.com>
Acked-by: Stefan Bader <stefan.bader at canonical.com>
>> ---
> Can we add a reference to the fixed commit when the patch is applied?
>
Sounds sensible.
-Stefan
>> kernel/bpf/verifier.c | 5 ++++-
>> 1 file changed, 4 insertions(+), 1 deletion(-)
>>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index c7c7a85fb1e2..b8d06bb938a0 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -1846,7 +1846,6 @@ static int do_check(struct verifier_env *env)
>>
>> if (BPF_SIZE(insn->code) != BPF_W) {
>> insn_idx++;
>> - env->insn_aux_data[insn_idx].seen = true;
>> continue;
>> }
>>
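Review bot: the removed `env->insn_aux_data[insn_idx].seen = true;` came after `insn_idx++`, so it set the flag on the instruction at the incremented index right before `continue`. The v2 changelog only calls it errant; a sentence in the commit message saying why that marking is wrong on this path would make the backport easier to audit against 68dd63b26223.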
>> @@ -2016,6 +2015,7 @@ process_bpf_exit:
>> return err;
>>
>> insn_idx++;
>> + env->insn_aux_data[insn_idx].seen = true;
>> } else {
>> verbose("invalid BPF_LD mode\n");
>> return -EINVAL;
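Review bot: in the branch ahead of the `invalid BPF_LD mode` error, the added `env->insn_aux_data[insn_idx].seen = true;` indexes with the already incremented `insn_idx`, and nothing in the visible context shows that this index is still inside the array. Please confirm that the preceding check guarantees a following instruction slot, and consider a one-line comment saying why the slot after the increment is the one being marked.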
>> @@ -2172,6 +2172,7 @@ static int adjust_insn_aux_data(struct verifier_env *env, u32 prog_len,
>> u32 off, u32 cnt)
>> {
>> struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
>> + int i;
>>
>> if (cnt == 1)
>> return 0;
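Review bot: `int i;` is declared next to `u32 off, u32 cnt`, and the loop added further down compares it against `off + cnt - 1`, which mixes signed and unsigned types. Declaring it as `u32 i;` would keep the comparison unsigned throughout.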
>> @@ -2181,6 +2182,8 @@ static int adjust_insn_aux_data(struct verifier_env *env, u32 prog_len,
>> memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
>> memcpy(new_data + off + cnt - 1, old_data + off,
>> sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
>> + for (i = off; i < off + cnt - 1; i++)
>> + new_data[i].seen = true;
>> env->insn_aux_data = new_data;
>> vfree(old_data);
>> return 0;
>>
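Review bot: the new loop stops at `off + cnt - 2`, so the last slot of the patched range, `off + cnt - 1`, keeps whatever `seen` value the second `memcpy` brought over from `old_data[off]` rather than being set here. If that is intended, a short comment above the `for` saying so would save the next reader from suspecting an off-by-one.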
>
>
>
>