Message ID | 20220428235751.103203-1-haoluo@google.com |
---|---|
Series | Fix bpf mem read/write vulnerability. |

On Thu, Apr 28, 2022 at 04:57:41PM -0700, Hao Luo wrote:
> Hi Greg,
>
> Please cherry-pick this patch series into 5.15.y stable. It
> includes a feature that fixes CVE-2022-0500 which allows a user with
> cap_bpf privileges to get root privileges. The patch that fixes
> the bug is
>
> patch 7/10: bpf: Make per_cpu_ptr return rdonly
>
> The rest are the dependences required by the fix patch. Note that v5.10 and
> below are not affected by this bug.
>
> This patchset has been merged in mainline v5.17 and backported to v5.16[1],
> except patch 10/10 ("bpf: Fix crash due to out of bounds access into reg2btf_ids."),
> which fixes an out-of-bound access in the main feature in this series and
> hasn't been backported to v5.16 yet. If it's convenient, could you
> apply patch 10/10 to 5.16? I can send a separate patch for v5.16, if you
> prefer.

5.16 is long end-of-life, sorry, I can't add any more patches to that
tree and no one should be using it anymore.

I'll go queue these up now for 5.15, thanks for the backports!

greg k-h

On Fri, Apr 29, 2022 at 2:01 AM Greg KH <gregkh@linuxfoundation.org> wrote:
>
> On Thu, Apr 28, 2022 at 04:57:41PM -0700, Hao Luo wrote:
> > Hi Greg,
> >
> > Please cherry-pick this patch series into 5.15.y stable. It
> > includes a feature that fixes CVE-2022-0500 which allows a user with
> > cap_bpf privileges to get root privileges. The patch that fixes
> > the bug is
> >
> > patch 7/10: bpf: Make per_cpu_ptr return rdonly
> >
> > The rest are the dependences required by the fix patch. Note that v5.10 and
> > below are not affected by this bug.
> >
> > This patchset has been merged in mainline v5.17 and backported to v5.16[1],
> > except patch 10/10 ("bpf: Fix crash due to out of bounds access into reg2btf_ids."),
> > which fixes an out-of-bound access in the main feature in this series and
> > hasn't been backported to v5.16 yet. If it's convenient, could you
> > apply patch 10/10 to 5.16? I can send a separate patch for v5.16, if you
> > prefer.
>
> 5.16 is long end-of-life, sorry, I can't add any more patches to that
> tree and no one should be using it anymore.
>
> I'll go queue these up now for 5.15, thanks for the backports!
>
> greg k-h

Thank you Greg! I double checked and found that patch 10/10 is already
in v5.16. So we're good.

Hao