[arch-commits] Commit in linux-lts/trunk (2 files)

Levente Polyak anthraxx at archlinux.org
Mon Mar 30 20:37:20 UTC 2020


    Date: Monday, March 30, 2020 @ 20:37:19
  Author: anthraxx
Revision: 378766

upgpkg: linux-lts 5.4.28-2: CVE-2020-8835

Added:
  linux-lts/trunk/0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch
Modified:
  linux-lts/trunk/PKGBUILD

-----------------------------------------------------------------+
 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch |   68 ++++++++++
 PKGBUILD                                                        |    6 
 2 files changed, 72 insertions(+), 2 deletions(-)

Added: 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch
===================================================================
--- 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch	                        (rev 0)
+++ 0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch	2020-03-30 20:37:19 UTC (rev 378766)
@@ -0,0 +1,68 @@
+From 6f2896ad2981c70be7caf0e44e0adc25f76d9937 Mon Sep 17 00:00:00 2001
+From: Levente Polyak <levente at leventepolyak.net>
+Date: Mon, 30 Mar 2020 20:42:07 +0200
+Subject: [PATCH] CVE-2020-8835: Revert "bpf: Provide better register bounds
+ after jmp32 instructions"
+
+This reverts commit b4de258dede528f88f401259aab3147fb6da1ddf which is a
+backport of 581738a681b6.
+
+Manfred Paul, as part of the ZDI pwn2own competition, demonstrated
+that a flaw existed in the bpf verifier for 32bit operations. This
+was introduced in commit:
+
+  581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions")
+
+The result is that register bounds were improperly calculated,
+allowing out-of-bounds reads and writes to occur.
+---
+ kernel/bpf/verifier.c | 19 -------------------
+ 1 file changed, 19 deletions(-)
+
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index b2817d0929b3..a0b76b360d6f 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -979,17 +979,6 @@ static void __reg_bound_offset(struct bpf_reg_state *reg)
+ 						 reg->umax_value));
+ }
+ 
+-static void __reg_bound_offset32(struct bpf_reg_state *reg)
+-{
+-	u64 mask = 0xffffFFFF;
+-	struct tnum range = tnum_range(reg->umin_value & mask,
+-				       reg->umax_value & mask);
+-	struct tnum lo32 = tnum_cast(reg->var_off, 4);
+-	struct tnum hi32 = tnum_lshift(tnum_rshift(reg->var_off, 32), 32);
+-
+-	reg->var_off = tnum_or(hi32, tnum_intersect(lo32, range));
+-}
+-
+ /* Reset the min/max bounds of a register */
+ static void __mark_reg_unbounded(struct bpf_reg_state *reg)
+ {
+@@ -5452,10 +5441,6 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
+ 	/* We might have learned some bits from the bounds. */
+ 	__reg_bound_offset(false_reg);
+ 	__reg_bound_offset(true_reg);
+-	if (is_jmp32) {
+-		__reg_bound_offset32(false_reg);
+-		__reg_bound_offset32(true_reg);
+-	}
+ 	/* Intersecting with the old var_off might have improved our bounds
+ 	 * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
+ 	 * then new var_off is (0; 0x7f...fc) which improves our umax.
+@@ -5565,10 +5550,6 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg,
+ 	/* We might have learned some bits from the bounds. */
+ 	__reg_bound_offset(false_reg);
+ 	__reg_bound_offset(true_reg);
+-	if (is_jmp32) {
+-		__reg_bound_offset32(false_reg);
+-		__reg_bound_offset32(true_reg);
+-	}
+ 	/* Intersecting with the old var_off might have improved our bounds
+ 	 * slightly.  e.g. if umax was 0x7f...f and var_off was (0; 0xf...fc),
+ 	 * then new var_off is (0; 0x7f...fc) which improves our umax.
+-- 
+2.26.0
+
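Review bot: The patch message (the text above the `---` separator) names the commit that introduced the flaw and the backport being reverted, but says nothing about how long this revert is meant to be carried, so a later maintainer has no cue for dropping it. I would add a line such as `Drop once the 5.4.y stable tree carries the upstream fix for CVE-2020-8835.` to the message, and the new `source=` entry in PKGBUILD could carry the same reminder as a trailing comment, the way the `config` entry already does. Within the lines shown, the revert looks complete: the `__reg_bound_offset32` definition and both `if (is_jmp32)` call sites in `reg_set_min_max` and `reg_set_min_max_inv` are removed together, though both functions continue outside these hunks. The message could also note that dropping the jmp32 refinement makes the verifier more conservative, so programs that presumably relied on the tighter 32-bit bounds may now be rejected at load time. For hosts that cannot install the rebuilt package right away, the announcement could mention `kernel.unprivileged_bpf_disabled=1` as an interim hardening step.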

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2020-03-30 19:22:34 UTC (rev 378765)
+++ PKGBUILD	2020-03-30 20:37:19 UTC (rev 378766)
@@ -2,7 +2,7 @@
 
 pkgbase=linux-lts
 pkgver=5.4.28
-pkgrel=1
+pkgrel=2
 pkgdesc='LTS Linux'
 url="https://www.kernel.org/"
 arch=(x86_64)
@@ -17,6 +17,7 @@
   https://www.kernel.org/pub/linux/kernel/v${pkgver%%.*}.x/${_srcname}.tar.{xz,sign}
   config         # the main kernel config file
   0001-add-sysctl-and-CONFIG-for-unprivileged_userns_clone.patch
+  0001-CVE-2020-8835-Revert-bpf-Provide-better-register-bou.patch
 )
 validpgpkeys=(
   'ABAF11C65A2970B130ABE3C479BE3E4300411886'  # Linus Torvalds
@@ -26,7 +27,8 @@
 sha256sums=('c863cc1346348f9a40083b4bc0d34375117b1c401af920994d42e855653ef7a4'
             'SKIP'
             '7a58467b4cf628306a0048993f43508e5da39d8495801602b25b035372651697'
-            'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2')
+            'a13581d3c6dc595206e4fe7fcf6b542e7a1bdbe96101f0f010fc5be49f99baf2'
+            'c6d203cb728fbe70f8bd60c9448f0cbcb36d8b535fc1cdd59bda4a26ead303bf')
 
 export KBUILD_BUILD_HOST=archlinux
 export KBUILD_BUILD_USER=$pkgbase


