CrOS: (CVE-2017-9150) Vulnerability reported in Linux kernel |
Issue description
VOMIT (go/vomit) has received an external vulnerability report for the Linux kernel.

Advisory: CVE-2017-9150
Details: http://vomit.googleplex.com/advisory?id=CVE/CVE-2017-9150
CVSS severity score: 2.1/10.0

Description: The do_check function in kernel/bpf/verifier.c in the Linux kernel before 4.11.1 does not make the allow_ptr_leaks value available for restricting the output of the print_bpf_insn function, which allows local users to obtain sensitive address information via crafted bpf system calls.

This bug was filed by http://go/vomit
Please contact us at vomit-team@google.com if you need any assistance.
May 29 2017
Upstream commit 0d0e57697f1 ("bpf: don't let ldimm64 leak map addresses on unprivileged").
Applies to chromeos-4.4 and chromeos-3.18. Older releases not affected.
Jun 1 2017
Not important enough to apply to stable releases.
Jun 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/963af7824c4e232d4fa62bab2f7d3bbde895de53

commit 963af7824c4e232d4fa62bab2f7d3bbde895de53
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Mon Jun 05 20:01:50 2017

BACKPORT: bpf: don't let ldimm64 leak map addresses on unprivileged

The patch fixes two things at once:

1) It checks the env->allow_ptr_leaks and only prints the map address to the log if we have the privileges to do so, otherwise it just dumps 0 as we would when kptr_restrict is enabled on %pK. Given the latter is off by default and not every distro sets it, I don't want to rely on this, hence the 0 by default for unprivileged.

2) Printing of ldimm64 in the verifier log is currently broken in that we don't print the full immediate, but only the 32 bit part of the first insn part for ldimm64. Thus, fix this up as well; it's okay to access, since we verified all ldimm64 earlier already (including just constants) through replace_map_fd_with_map_ptr().

BUG=chromium:727008
TEST=Build and run

Change-Id: I60bc456ba385fd875374e35ebe4689e03d84357b
Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: struct bpf_verifier_env used to be struct verifier_env]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 0d0e57697f1)
Reviewed-on: https://chromium-review.googlesource.com/517992

[modify] https://crrev.com/963af7824c4e232d4fa62bab2f7d3bbde895de53/kernel/bpf/verifier.c
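The report at the top of this bug and the commit message above describe the same two defects in the verifier's log printer: the ldimm64 case printed only the low 32 bits of the immediate, and for a pseudo-map load those bits are the low half of a kernel map pointer, shown to any caller who asked for a verifier log. The following user-space C model is an added illustration, not code from the kernel, from the commit or from this bug: the struct layouts are trimmed stand-ins for the kernel's, the map address 0xffff880012345678 is a constructed fake, and nothing here issues a bpf() syscall. It shows the value the old printer would have logged next to what the fixed printer logs for an unprivileged and for a privileged loader.

```c
/*
 * Added illustration (not kernel code): a user-space model of how the BPF
 * verifier logged a BPF_LD_IMM64 that carries a map pointer, before and
 * after upstream commit 0d0e57697f1. Struct names are trimmed stand-ins
 * and the "map address" below is a constructed fake.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BPF_LD_IMM64       0x18   /* BPF_LD | BPF_IMM | BPF_DW */
#define BPF_PSEUDO_MAP_FD  1      /* src_reg marker: imm was a map fd */

/* Same 8-byte layout as the kernel's struct bpf_insn. */
struct bpf_insn {
    uint8_t  code;
    uint8_t  dst_reg:4;
    uint8_t  src_reg:4;
    int16_t  off;
    int32_t  imm;
};

/* Only the field the fix consults; the kernel's env is far larger. */
struct verifier_env {
    bool allow_ptr_leaks;   /* true only for CAP_SYS_ADMIN loaders */
};

/*
 * Constructed sample: the two slots of "r1 = map" after
 * replace_map_fd_with_map_ptr() has replaced the fd with a (fake)
 * kernel address 0xffff880012345678: low 32 bits in insn[0].imm,
 * high 32 bits in insn[1].imm, src_reg still BPF_PSEUDO_MAP_FD.
 */
static const uint64_t fake_map_ptr = 0xffff880012345678ull;
static const struct bpf_insn sample_prog[2] = {
    { .code = BPF_LD_IMM64, .dst_reg = 1, .src_reg = BPF_PSEUDO_MAP_FD,
      .off = 0, .imm = 0x12345678 },
    { .code = 0, .dst_reg = 0, .src_reg = 0, .off = 0,
      .imm = -0x7800 },   /* two's complement of 0xffff8800 */
};
static const struct verifier_env unpriv_env = { .allow_ptr_leaks = false };
static const struct verifier_env priv_env   = { .allow_ptr_leaks = true };

/* Reassemble the 64-bit immediate from the two instruction halves. */
static uint64_t ldimm64_imm(const struct bpf_insn *insn)
{
    return ((uint64_t)(uint32_t)insn[1].imm << 32) | (uint32_t)insn[0].imm;
}

/*
 * Before the fix: the logged value was insn->imm with no privilege check.
 * Only the low 32 bits appear, and for a pseudo-map load they are the low
 * half of a kernel pointer, leaked to any caller who requested a log.
 */
static uint64_t logged_imm_old(const struct bpf_insn *insn)
{
    return (uint32_t)insn[0].imm;
}

/*
 * After the fix: log the full immediate, but if this ldimm64 carries a
 * map pointer and the loader may not see kernel pointers, log 0 instead
 * (the same masking %pK applies under kptr_restrict).
 */
static uint64_t logged_imm_new(const struct verifier_env *env,
                               const struct bpf_insn *insn)
{
    uint64_t imm = ldimm64_imm(insn);
    bool map_ptr = insn[0].src_reg == BPF_PSEUDO_MAP_FD;

    if (map_ptr && !env->allow_ptr_leaks)
        imm = 0;
    return imm;
}

/* Render the line the way the verifier's verbose() call formats it. */
static int format_ldimm64(char *buf, size_t len,
                          const struct bpf_insn *insn, uint64_t imm)
{
    return snprintf(buf, len, "(%02x) r%d = 0x%llx",
                    insn[0].code, insn[0].dst_reg, (unsigned long long)imm);
}

int main(void)
{
    char line[64];

    format_ldimm64(line, sizeof line, sample_prog, logged_imm_old(sample_prog));
    printf("old printer, any user     : %s\n", line);
    format_ldimm64(line, sizeof line, sample_prog,
                   logged_imm_new(&unpriv_env, sample_prog));
    printf("fixed printer, unprivileged: %s\n", line);
    format_ldimm64(line, sizeof line, sample_prog,
                   logged_imm_new(&priv_env, sample_prog));
    printf("fixed printer, CAP_SYS_ADMIN: %s\n", line);
    return 0;
}
```

The old printer logs 0x12345678, which is exactly the low half of the map pointer; the fixed printer logs 0x0 for an unprivileged loader and the full 0xffff880012345678 only when allow_ptr_leaks is set. The masking is keyed on src_reg rather than on the value because, at the point print_bpf_insn runs, a pseudo-map ldimm64 and a plain 64-bit constant are indistinguishable by their immediates alone.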
Jun 5 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/093b5e8b3cb1d919fdf87175b3e46dadb70642dd

commit 093b5e8b3cb1d919fdf87175b3e46dadb70642dd
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Mon Jun 05 20:01:52 2017

BACKPORT: bpf: don't let ldimm64 leak map addresses on unprivileged

The patch fixes two things at once:

1) It checks the env->allow_ptr_leaks and only prints the map address to the log if we have the privileges to do so, otherwise it just dumps 0 as we would when kptr_restrict is enabled on %pK. Given the latter is off by default and not every distro sets it, I don't want to rely on this, hence the 0 by default for unprivileged.

2) Printing of ldimm64 in the verifier log is currently broken in that we don't print the full immediate, but only the 32 bit part of the first insn part for ldimm64. Thus, fix this up as well; it's okay to access, since we verified all ldimm64 earlier already (including just constants) through replace_map_fd_with_map_ptr().

BUG=chromium:727008
TEST=Build and run

Change-Id: I60bc456ba385fd875374e35ebe4689e03d84357b
Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: struct bpf_verifier_env used to be struct verifier_env]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 0d0e57697f1)
Reviewed-on: https://chromium-review.googlesource.com/517672
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>

[modify] https://crrev.com/093b5e8b3cb1d919fdf87175b3e46dadb70642dd/kernel/bpf/verifier.c
Jun 6 2017
Your change meets the bar and is auto-approved for M60. Please go ahead and merge the CL to branch 3112 manually. Please contact milestone owner if you have questions. Owners: amineer@(Android), cmasso@(iOS), josafat@(ChromeOS), bustamante@(Desktop) For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jun 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ecf3cba3f8f830f731cfbfd57cf738c47cbca586

commit ecf3cba3f8f830f731cfbfd57cf738c47cbca586
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Wed Jun 07 02:37:06 2017

BACKPORT: bpf: don't let ldimm64 leak map addresses on unprivileged

The patch fixes two things at once:

1) It checks the env->allow_ptr_leaks and only prints the map address to the log if we have the privileges to do so, otherwise it just dumps 0 as we would when kptr_restrict is enabled on %pK. Given the latter is off by default and not every distro sets it, I don't want to rely on this, hence the 0 by default for unprivileged.

2) Printing of ldimm64 in the verifier log is currently broken in that we don't print the full immediate, but only the 32 bit part of the first insn part for ldimm64. Thus, fix this up as well; it's okay to access, since we verified all ldimm64 earlier already (including just constants) through replace_map_fd_with_map_ptr().

BUG=chromium:727008
TEST=Build and run

Change-Id: I60bc456ba385fd875374e35ebe4689e03d84357b
Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: struct bpf_verifier_env used to be struct verifier_env]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 0d0e57697f1)
Reviewed-on: https://chromium-review.googlesource.com/517992
(cherry picked from commit 963af7824c4e232d4fa62bab2f7d3bbde895de53)
Reviewed-on: https://chromium-review.googlesource.com/526973

[modify] https://crrev.com/ecf3cba3f8f830f731cfbfd57cf738c47cbca586/kernel/bpf/verifier.c
Jun 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/29b96e742763422c309e0a054e14b487617195a2

commit 29b96e742763422c309e0a054e14b487617195a2
Author: Daniel Borkmann <daniel@iogearbox.net>
Date: Wed Jun 07 02:37:10 2017

BACKPORT: bpf: don't let ldimm64 leak map addresses on unprivileged

The patch fixes two things at once:

1) It checks the env->allow_ptr_leaks and only prints the map address to the log if we have the privileges to do so, otherwise it just dumps 0 as we would when kptr_restrict is enabled on %pK. Given the latter is off by default and not every distro sets it, I don't want to rely on this, hence the 0 by default for unprivileged.

2) Printing of ldimm64 in the verifier log is currently broken in that we don't print the full immediate, but only the 32 bit part of the first insn part for ldimm64. Thus, fix this up as well; it's okay to access, since we verified all ldimm64 earlier already (including just constants) through replace_map_fd_with_map_ptr().

BUG=chromium:727008
TEST=Build and run

Change-Id: I60bc456ba385fd875374e35ebe4689e03d84357b
Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
[backport: struct bpf_verifier_env used to be struct verifier_env]
Signed-off-by: Guenter Roeck <groeck@chromium.org>
(cherry picked from commit 0d0e57697f1)
Reviewed-on: https://chromium-review.googlesource.com/517672
Reviewed-by: Dmitry Torokhov <dtor@chromium.org>
(cherry picked from commit 093b5e8b3cb1d919fdf87175b3e46dadb70642dd)
Reviewed-on: https://chromium-review.googlesource.com/526972

[modify] https://crrev.com/29b96e742763422c309e0a054e14b487617195a2/kernel/bpf/verifier.c
Jun 7 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/d99af821993c63faed6bfb801282953127889aad

commit d99af821993c63faed6bfb801282953127889aad
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Jun 07 19:05:58 2017

Revert "BACKPORT: bpf: don't let ldimm64 leak map addresses on unprivileged"

This reverts commit ecf3cba3f8f830f731cfbfd57cf738c47cbca586.

Reason for revert: Not needed in 3.18, and causes compile failure if enabled.

Original change's description:
> BACKPORT: bpf: don't let ldimm64 leak map addresses on unprivileged
>
> The patch fixes two things at once:
>
> 1) It checks the env->allow_ptr_leaks and only prints the map address to
> the log if we have the privileges to do so, otherwise it just dumps 0
> as we would when kptr_restrict is enabled on %pK. Given the latter is
> off by default and not every distro sets it, I don't want to rely on
> this, hence the 0 by default for unprivileged.
>
> 2) Printing of ldimm64 in the verifier log is currently broken in that
> we don't print the full immediate, but only the 32 bit part of the
> first insn part for ldimm64. Thus, fix this up as well; it's okay to
> access, since we verified all ldimm64 earlier already (including just
> constants) through replace_map_fd_with_map_ptr().
>
> BUG=chromium:727008
> TEST=Build and run
>
> Change-Id: I60bc456ba385fd875374e35ebe4689e03d84357b
> Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
> Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
> Reported-by: Jann Horn <jannh@google.com>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Acked-by: Alexei Starovoitov <ast@kernel.org>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> [backport: struct bpf_verifier_env used to be struct verifier_env]
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (cherry picked from commit 0d0e57697f1)
> Reviewed-on: https://chromium-review.googlesource.com/517992
> (cherry picked from commit 963af7824c4e232d4fa62bab2f7d3bbde895de53)
> Reviewed-on: https://chromium-review.googlesource.com/526973

BUG=chromium:727008

Change-Id: I65782a57345d7ec7b2daacf2ff6e7f56181f0370
Reviewed-on: https://chromium-review.googlesource.com/527259
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Commit-Queue: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/d99af821993c63faed6bfb801282953127889aad/kernel/bpf/verifier.c
Jun 8 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromiumos/third_party/kernel/+/e16795345e978e5318cbb60bf1faafb9d4d5758e

commit e16795345e978e5318cbb60bf1faafb9d4d5758e
Author: Guenter Roeck <groeck@chromium.org>
Date: Wed Jun 07 23:59:02 2017

Revert "BACKPORT: bpf: don't let ldimm64 leak map addresses on unprivileged"

This reverts commit 963af7824c4e232d4fa62bab2f7d3bbde895de53.

Reason for revert: Turns out this patch isn't needed in 3.18 since the patch it fixes was only introduced post-3.18. In fact, if the added code is build enabled, it causes a build error discovered by 0day.

kernel/bpf/verifier.c: In function 'print_bpf_insn':
kernel/bpf/verifier.c:391:23: error: 'const struct verifier_env' has no member named 'allow_ptr_leaks'

Original change's description:
> BACKPORT: bpf: don't let ldimm64 leak map addresses on unprivileged
>
> The patch fixes two things at once:
>
> 1) It checks the env->allow_ptr_leaks and only prints the map address to
> the log if we have the privileges to do so, otherwise it just dumps 0
> as we would when kptr_restrict is enabled on %pK. Given the latter is
> off by default and not every distro sets it, I don't want to rely on
> this, hence the 0 by default for unprivileged.
>
> 2) Printing of ldimm64 in the verifier log is currently broken in that
> we don't print the full immediate, but only the 32 bit part of the
> first insn part for ldimm64. Thus, fix this up as well; it's okay to
> access, since we verified all ldimm64 earlier already (including just
> constants) through replace_map_fd_with_map_ptr().
>
> BUG=chromium:727008
> TEST=Build and run
>
> Change-Id: I60bc456ba385fd875374e35ebe4689e03d84357b
> Fixes: 1be7f75d1668 ("bpf: enable non-root eBPF programs")
> Fixes: cbd357008604 ("bpf: verifier (add ability to receive verification log)")
> Reported-by: Jann Horn <jannh@google.com>
> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
> Acked-by: Alexei Starovoitov <ast@kernel.org>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> [backport: struct bpf_verifier_env used to be struct verifier_env]
> Signed-off-by: Guenter Roeck <groeck@chromium.org>
> (cherry picked from commit 0d0e57697f1)
> Reviewed-on: https://chromium-review.googlesource.com/517992

BUG=chromium:727008

Change-Id: I7b92ed28b8f03546a1e51c6c0ff2e285be9e5e0b
Reviewed-on: https://chromium-review.googlesource.com/527258
Commit-Ready: Guenter Roeck <groeck@chromium.org>
Tested-by: Guenter Roeck <groeck@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/e16795345e978e5318cbb60bf1faafb9d4d5758e/kernel/bpf/verifier.c
Jun 12 2017
This issue has been approved for a merge. Please merge the fix to any appropriate branches as soon as possible! If all merges have been completed, please remove any remaining Merge-Approved labels from this issue. Thanks for your time! To disable nags, add the Disable-Nags label. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Sep 12 2017
This bug has been closed for more than 14 weeks. Removing security view restrictions. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Comment 1 by kenrb@chromium.org, May 29 2017
Status: Assigned (was: Untriaged)