This set fixes an out of bounds case under speculative execution
by implementing masking of pointer alu into the verifier. For
details please see the individual patches.
Thanks!
Daniel Borkmann (9):
bpf: move {prev_,}insn_idx into verifier env
bpf: move tmp variable into ax register in interpreter
bpf: enable access to ax register also from verifier rewrite
bpf: restrict map value pointer arithmetic for unpriviledged
bpf: restrict stack pointer arithmetic for unpriviledged
bpf: restrict unknown scalars of mixed signed bounds for unpriviledged
bpf: fix check_map_access smin_value test when pointer contains offset
bpf: prevent out of bounds speculation on pointer arithmetic
bpf: add various test cases to selftests
include/linux/bpf_verifier.h | 12 +
include/linux/filter.h | 10 +-
kernel/bpf/core.c | 54 +-
kernel/bpf/verifier.c | 342 ++++++--
tools/testing/selftests/bpf/test_verifier.c | 1146 ++++++++++++++++++++++++++-
5 files changed, 1457 insertions(+), 107 deletions(-)
--
2.9.5
