UBUNTU: SAUCE: bpf, x86: Validate computation of branch displacements for x86-64
The branch displacement logic in the BPF JIT compilers for x86 assumes
that, for any generated branch instruction, the distance cannot
increase between optimization passes.
But this assumption can be violated due to how the distances are
computed. Specifically, whenever a backward branch is processed in
do_jit(), the distance is computed by subtracting the positions in the
machine code from different optimization passes. This is because part
of addrs[] is already updated for the current optimization pass, before
the branch instruction is visited.
And so the optimizer can expand blocks of machine code in some cases.
This can confuse the optimizer logic, where it assumes that a fixed
point has been reached for all machine code blocks once the total
program size stops changing. And then the JIT compiler can output
abnormal machine code containing incorrect branch displacements.
To mitigate this issue, we assert that a fixed point is reached while
populating the output image. This rejects any problematic programs.
The issue affects both x86-32 and x86-64. We mitigate separately to
ease backporting.
Signed-off-by: Piotr Krysiuk <email address hidden>
Reviewed-by: Daniel Borkmann <email address hidden>
Signed-off-by: Daniel Borkmann <email address hidden>
(backported from commit e4d4d456436bfb2fe412ee2cd489f7658449b098)
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git)
[cascardo: conflict on message, kept new one, so users can find more
references about it]
CVE-2021-29154
Signed-off-by: Thadeu Lima de Souza Cascardo <email address hidden>
Acked-by: Guilherme G. Piccoli <email address hidden>
Acked-by: Colin King <email address hidden>
This reverts commit 5d742149ceb112c61ee576f371b574da32532c43 (commit
ad67b74d2469d9b82aaa572d76474c95bc484d57 upstream).
The backport of this upstream commit, applied to xenial/linux to fix
CVEs CVE-2018-5953, CVE-2018-5995 and CVE-2018-7754, introduced a
regression on the addresses exported via /proc interfaces (mainly
/proc/kallsyms). The patch leaks what the address 0x0 hashes to for
regular users instead of the expected zeroed out values. It also mangles
the default address for 'startup_64' expected to be 'ffffffff81000000'
for non-kaslr kernels (<4.15).
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
Acked-by: Stefan Bader <email address hidden>
Acked-by: Krzysztof Kozlowski <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
When converting fuse_do_setattr() to take a denry instead of an inode as
argument, there was one call to it missed in fuse_setattr(). This adds
the missing conversion.
Fixes: b3ce51efc535 "fuse: Propagate dentry down to inode_change_ok()"
Signed-off-by: Stefan Bader <email address hidden>
Acked-by: Kleber Sacilotto de Souza <email address hidden>
Acked-by: Colin Ian King <email address hidden>
Signed-off-by: Kleber Sacilotto de Souza <email address hidden>
1 branch
proposed for merging into this one.
