Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Daniel Borkmann says: ==================== pull-request: bpf 2018-10-05 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Fix to truncate input on ALU operations in 32 bit mode, from Jann. 2) Fixes for cgroup local storage to reject reserved flags on element update and rejection of map allocation with zero-sized value, from Roman. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
author: David S. Miller <davem@davemloft.net> 2018-10-05 10:53:13 -0700
committer: David S. Miller <davem@davemloft.net> 2018-10-05 10:53:13 -0700
commit: b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35 (patch)
tree: 02adf7f3451ecf1a7a397a86f705a9022d27ae09 /kernel
parent: net: phy: phylink: fix SFP interface autodetection (diff)
parent: bpf: 32-bit RSH verification must truncate input before the ALU op (diff)
download: linux-dev-b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35.tar.xz
linux-dev-b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35.zip
2 files changed, 13 insertions, 2 deletions
diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c
index 22ad967d1e5f..830d7f095748 100644
--- a/kernel/bpf/local_storage.c
+++ b/kernel/bpf/local_storage.c
@@ -129,7 +129,7 @@ static int cgroup_storage_update_elem(struct bpf_map *map, void *_key,
 	struct bpf_cgroup_storage *storage;
 	struct bpf_storage_buffer *new;
 
-	if (flags & BPF_NOEXIST)
+	if (flags != BPF_ANY && flags != BPF_EXIST)
 		return -EINVAL;
 
 	storage = cgroup_storage_lookup((struct bpf_cgroup_storage_map *)map,
@@ -195,6 +195,9 @@ static struct bpf_map *cgroup_storage_map_alloc(union bpf_attr *attr)
 	if (attr->key_size != sizeof(struct bpf_cgroup_storage_key))
 		return ERR_PTR(-EINVAL);
 
+	if (attr->value_size == 0)
+		return ERR_PTR(-EINVAL);
+
 	if (attr->value_size > PAGE_SIZE)
 		return ERR_PTR(-E2BIG);
 
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index bb07e74b34a2..465952a8e465 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2896,6 +2896,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
 	u64 umin_val, umax_val;
 	u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32;
 
+	if (insn_bitness == 32) {
+		/* Relevant for 32-bit RSH: Information can propagate towards
+		 * LSB, so it isn't sufficient to only truncate the output to
+		 * 32 bits.
+		 */
+		coerce_reg_to_size(dst_reg, 4);
+		coerce_reg_to_size(&src_reg, 4);
+	}
+
 	smin_val = src_reg.smin_value;
 	smax_val = src_reg.smax_value;
 	umin_val = src_reg.umin_value;
@@ -3131,7 +3140,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env,
 	if (BPF_CLASS(insn->code) != BPF_ALU64) {
 		/* 32-bit ALU ops are (32,32)->32 */
 		coerce_reg_to_size(dst_reg, 4);
-		coerce_reg_to_size(&src_reg, 4);
 	}
 
 	__reg_deduce_bounds(dst_reg);
author	David S. Miller <davem@davemloft.net>	2018-10-05 10:53:13 -0700
committer	David S. Miller <davem@davemloft.net>	2018-10-05 10:53:13 -0700
commit	b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35 (patch)
tree	02adf7f3451ecf1a7a397a86f705a9022d27ae09 /kernel
parent	net: phy: phylink: fix SFP interface autodetection (diff)
parent	bpf: 32-bit RSH verification must truncate input before the ALU op (diff)
download	linux-dev-b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35.tar.xz linux-dev-b8d5b7cec43618c8f91a9fbe80067ef2dcbc4d35.zip