bpf: Use correct permission flag for mixed signed bounds arithmetic

[ Upstream commit 9601148392 ]

Fix CVE: CVE-2021-46908

We forbid adding unknown scalars with mixed signed bounds due to the
spectre v1 masking mitigation. Hence this also needs bypass_spec_v1
flag instead of allow_ptr_leaks.

Fixes: 2c78ee898d ("bpf: Implement CAP_BPF")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Haisu Wang <haisuwang@tencent.com>
Signed-off-by: Jianping Liu <frankjpliu@tencent.com>
This commit is contained in:
Daniel Borkmann 2021-03-23 08:32:59 +01:00 committed by Jianping Liu
parent 88c84e098a
commit effb291aab
1 changed files with 1 additions and 1 deletions

View File

@ -5609,7 +5609,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
return -EACCES; return -EACCES;
case PTR_TO_MAP_KEY: case PTR_TO_MAP_KEY:
case PTR_TO_MAP_VALUE: case PTR_TO_MAP_VALUE:
if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { if (!env->bypass_spec_v1 && !known && (smin_val < 0) != (smax_val < 0)) {
verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
dst); dst);
return -EACCES; return -EACCES;