Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 3695b3b18519099224efbc5875569d2cb6da256d
commit3695b3b18519099224efbc5875569d2cb6da256d[log] [tgz]
authorDaniel Borkmann <daniel@iogearbox.net>Fri Dec 22 16:29:05 2017 +0100
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>Mon Dec 25 14:23:47 2017 +0100
tree03b70a41cbc9ddd7f4f9b11c2b95c3035b0aa8cc
parentd75d3ee237cee9068022117e059b64bbab617f3d [diff]
bpf: fix incorrect sign extension in check_alu_op()


From: Jann Horn <jannh@google.com>

[ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ]

Distinguish between
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
only perform sign extension in the first case.

Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.

Debian assigned CVE-2017-16995 for this issue.

v3:
 - add CVE number (Ben Hutchings)

Fixes: 484611357c19 ("bpf: allow access into map value arrays")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1 file changed
tree: 03b70a41cbc9ddd7f4f9b11c2b95c3035b0aa8cc
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. firmware/
  8. fs/
  9. include/
  10. init/
  11. ipc/
  12. kernel/
  13. lib/
  14. mm/
  15. net/
  16. samples/
  17. scripts/
  18. security/
  19. sound/
  20. tools/
  21. usr/
  22. virt/
  23. .cocciconfig
  24. .get_maintainer.ignore
  25. .gitattributes
  26. .gitignore
  27. .mailmap
  28. COPYING
  29. CREDITS
  30. Kbuild
  31. Kconfig
  32. MAINTAINERS
  33. Makefile
  34. README
  35. REPORTING-BUGS