commit bb7f0f989ca7de1153bd128a40a71709e339fa03
author Alexei Starovoitov <ast@kernel.org> Mon Dec 18 20:12:00 2017 -0800
committer Daniel Borkmann <daniel@iogearbox.net> Thu Dec 21 02:15:41 2017 +0100
tree 1667911dc70762b44fac20651cd8e23b73c257cf
parent 179d1c5602997fef5a940c6ddcf31212cbfebd14

bpf: fix integer overflows

There were various issues related to the limited size of integers used in
the verifier:
 - `off + size` overflow in __check_map_access()
 - `off + reg->off` overflow in check_mem_access()
 - `off + reg->var_off.value` overflow or 32-bit truncation of
   `reg->var_off.value` in check_mem_access()
 - 32-bit truncation in check_stack_boundary()

Make sure that any integer math cannot overflow by not allowing
pointer math with large values.

Also reduce the scope of "scalar op scalar" tracking.

Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>