mbox series

[linux-5.15.y,00/10] Fix bpf mem read/write vulnerability.

Message ID 20220428235751.103203-1-haoluo@google.com
Headers show
Series Fix bpf mem read/write vulnerability. | expand

Message

Hao Luo April 28, 2022, 11:57 p.m. UTC
Hi Greg,

Please cherry-pick this patch series into 5.15.y stable. It
includes a feature that fixes CVE-2022-0500 which allows a user with
cap_bpf privileges to get root privileges. The patch that fixes
the bug is

 patch 7/10: bpf: Make per_cpu_ptr return rdonly

The rest are the depedences required by the fix patch. Note that v5.10 and
below are not affected by this bug.

This patchset has been merged in mainline v5.17 and backported to v5.16[1],
except patch 10/10 ("bpf: Fix crash due to out of bounds access into reg2btf_ids."),
which fixes an out-of-bound access in the main feature in this series and
hasn't been backported to v5.16 yet. If it's convenient, could you
apply patch 10/10 to 5.16? I can send a separate patch for v5.16, if you
prefer.

Tested by compile, build and run through the bpf selftest test_progs.

[1] https://www.spinics.net/lists/stable/msg535877.html

Hao Luo (9):
  bpf: Introduce composable reg, ret and arg types.
  bpf: Replace ARG_XXX_OR_NULL with ARG_XXX | PTR_MAYBE_NULL
  bpf: Replace RET_XXX_OR_NULL with RET_XXX | PTR_MAYBE_NULL
  bpf: Replace PTR_TO_XXX_OR_NULL with PTR_TO_XXX | PTR_MAYBE_NULL
  bpf: Introduce MEM_RDONLY flag
  bpf: Convert PTR_TO_MEM_OR_NULL to composable types.
  bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM.
  bpf: Add MEM_RDONLY for helper args that are pointers to rdonly mem.
  bpf/selftests: Test PTR_TO_RDONLY_MEM

Kumar Kartikeya Dwivedi (1):
  bpf: Fix crash due to out of bounds access into reg2btf_ids.

 include/linux/bpf.h                           | 101 +++-
 include/linux/bpf_verifier.h                  |  18 +
 kernel/bpf/btf.c                              |  16 +-
 kernel/bpf/cgroup.c                           |   2 +-
 kernel/bpf/helpers.c                          |  12 +-
 kernel/bpf/map_iter.c                         |   4 +-
 kernel/bpf/ringbuf.c                          |   2 +-
 kernel/bpf/syscall.c                          |   2 +-
 kernel/bpf/verifier.c                         | 488 +++++++++---------
 kernel/trace/bpf_trace.c                      |  22 +-
 net/core/bpf_sk_storage.c                     |   2 +-
 net/core/filter.c                             |  64 +--
 net/core/sock_map.c                           |   2 +-
 .../selftests/bpf/prog_tests/ksyms_btf.c      |  14 +
 .../bpf/progs/test_ksyms_btf_write_check.c    |  29 ++
 15 files changed, 445 insertions(+), 333 deletions(-)
 create mode 100644 tools/testing/selftests/bpf/progs/test_ksyms_btf_write_check.c

Comments

Greg Kroah-Hartman April 29, 2022, 9:01 a.m. UTC | #1
On Thu, Apr 28, 2022 at 04:57:41PM -0700, Hao Luo wrote:
> Hi Greg,
> 
> Please cherry-pick this patch series into 5.15.y stable. It
> includes a feature that fixes CVE-2022-0500 which allows a user with
> cap_bpf privileges to get root privileges. The patch that fixes
> the bug is
> 
>  patch 7/10: bpf: Make per_cpu_ptr return rdonly
> 
> The rest are the depedences required by the fix patch. Note that v5.10 and
> below are not affected by this bug.
> 
> This patchset has been merged in mainline v5.17 and backported to v5.16[1],
> except patch 10/10 ("bpf: Fix crash due to out of bounds access into reg2btf_ids."),
> which fixes an out-of-bound access in the main feature in this series and
> hasn't been backported to v5.16 yet. If it's convenient, could you
> apply patch 10/10 to 5.16? I can send a separate patch for v5.16, if you
> prefer.

5.16 is long end-of-life, sorry, I can't add any more patches to that
tree and no one should be using it anymore.

I'll go queue these up now for 5.15, thanks for the backports!

greg k-h
Hao Luo April 29, 2022, 5:22 p.m. UTC | #2
On Fri, Apr 29, 2022 at 2:01 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, Apr 28, 2022 at 04:57:41PM -0700, Hao Luo wrote:
> > Hi Greg,
> >
> > Please cherry-pick this patch series into 5.15.y stable. It
> > includes a feature that fixes CVE-2022-0500 which allows a user with
> > cap_bpf privileges to get root privileges. The patch that fixes
> > the bug is
> >
> >  patch 7/10: bpf: Make per_cpu_ptr return rdonly
> >
> > The rest are the depedences required by the fix patch. Note that v5.10 and
> > below are not affected by this bug.
> >
> > This patchset has been merged in mainline v5.17 and backported to v5.16[1],
> > except patch 10/10 ("bpf: Fix crash due to out of bounds access into reg2btf_ids."),
> > which fixes an out-of-bound access in the main feature in this series and
> > hasn't been backported to v5.16 yet. If it's convenient, could you
> > apply patch 10/10 to 5.16? I can send a separate patch for v5.16, if you
> > prefer.
>
> 5.16 is long end-of-life, sorry, I can't add any more patches to that
> tree and no one should be using it anymore.
>
> I'll go queue these up now for 5.15, thanks for the backports!
>
> greg k-h

Thank you Greg! I double checked and found that patch 10/10 is already
in v5.16. So we're good.

Hao