android_kernel_zuk_msm8996.git

diff options

author	Jann Horn <jannh@google.com>	2017-12-22 16:29:05 +0100
committer	Michael Bestas <mkbestas@lineageos.org>	2022-04-19 00:51:18 +0300
commit	331501cd097baa6360a3cfd2f9d4a1122195ac39 (patch)
tree	885079f69ae299cf6b35dc5b36ea9154c0ff487e /kernel/bpf/arraymap.c
parent	93188ebdf304da5f3fe28a566e76ed5c468878b0 (diff)

bpf: fix incorrect sign extension in check_alu_op()

[ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ] Distinguish between BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit) and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit); only perform sign extension in the first case. Starting with v4.14, this is exploitable by unprivileged users as long as the unprivileged_bpf_disabled sysctl isn't set. Debian assigned CVE-2017-16995 for this issue. v3: - add CVE number (Ben Hutchings) Fixes: 484611357c19 ("bpf: allow access into map value arrays") Signed-off-by: Jann Horn <jannh@google.com> Acked-by: Edward Cree <ecree@solarflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Chatur27 <jasonbright2709@gmail.com>

Diffstat (limited to 'kernel/bpf/arraymap.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: