Daniel Borkmann 3695b3b185 bpf: fix incorrect sign extension in check_alu_op() ... From: Jann Horn <jannh@google.com> [ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ] Distinguish between BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit) and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit); only perform sign extension in the first case. Starting with v4.14, this is exploitable by unprivileged users as long as the unprivileged_bpf_disabled sysctl isn't set. Debian assigned CVE-2017-16995 for this issue. v3: - add CVE number (Ben Hutchings) Fixes: 484611357c ("bpf: allow access into map value arrays") Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Edward Cree <ecree@solarflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2017-12-25 14:23:47 +01:00
..
arraymap.c	bpf: don't trigger OOM killer under pressure with map alloc	2017-07-05 14:40:21 +02:00
core.c	bpf: clean up put_cpu_var usage	2016-09-27 22:09:17 -04:00
hashtab.c	bpf: don't trigger OOM killer under pressure with map alloc	2017-07-05 14:40:21 +02:00
helpers.c	bpf: direct packet write and access for helpers for clsact progs	2016-09-20 23:32:11 -04:00
inode.c	fs: Replace CURRENT_TIME with current_time() for inode timestamps	2016-09-27 21:06:21 -04:00
Makefile	bpf: introduce percpu_freelist	2016-03-08 15:28:31 -05:00
percpu_freelist.c	bpf: fix lockdep splat	2017-12-14 09:28:23 +01:00
percpu_freelist.h	bpf: introduce percpu_freelist	2016-03-08 15:28:31 -05:00
stackmap.c	bpf: don't trigger OOM killer under pressure with map alloc	2017-07-05 14:40:21 +02:00
syscall.c	bpf: don't trigger OOM killer under pressure with map alloc	2017-07-05 14:40:21 +02:00
verifier.c	bpf: fix incorrect sign extension in check_alu_op()	2017-12-25 14:23:47 +01:00