ACK/Cmnt: [SRU Bionic 0/2] CVE-2018-25020 // LP: #1953287
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Wed Dec 8 14:56:59 UTC 2021
On Wed, Dec 08, 2021 at 03:46:07PM +0100, Stefan Bader wrote:
> On 08.12.21 15:27, Thadeu Lima de Souza Cascardo wrote:
> > BugLink: https://bugs.launchpad.net/bugs/1953287
> >
> > [Impact]
> >
> > A CBPF program jumping over a large number of instructions may lead to kernel
> > code execution.
> >
> > The test might fail with EINVAL or EOPNOTSUPP, which must be accounted for on
> > different kernel versions.
> >
> > [Test case]
> > Load test_bpf module.
> > Userspace program that causes crash.
> >
> > [Potential regression]
> > Some CBPF and EBPF programs might not load.
> >
> >
> > Daniel Borkmann (1):
> > bpf: fix truncated jump targets on heavy expansions
> >
> > Thadeu Lima de Souza Cascardo (1):
> > UBUNTU: SAUCE: Revert "bpf: add also cbpf long jump test cases with
> > heavy expansion"
> >
> > kernel/bpf/core.c | 63 ++++++++++++++++++++++++++++++++++++++++-------
> > lib/test_bpf.c | 63 -----------------------------------------------
> > net/core/filter.c | 11 +++++++--
> > 3 files changed, 63 insertions(+), 74 deletions(-)
> >
> It would help here if it contained some mention about successful testing.
> The first patch needed some heavier changes which seem to make one function
> vanish (the adjust_imm one). That seems to be related to pseudo call that is
> mentioned in the backport comment. For a quick review that is making things
> hard.
> I believe it looks ok...
>
> Acked-by: Stefan Bader <stefan.bader at canonical.com>
>
That's right. It has to do with the pseudo calls. Since the test for
!bpf_is_jmp_and_has_target(insn) will make it skip the case where
BPF_OP(insn) == BPF_CALL, bpf_adj_delta_to_imm would never be called.
The test cases that I mentioned were run and successful.
Regards.
Cascardo.
More information about the kernel-team
mailing list