CVE-2017-17854: bpf: fix integer overflows · torvalds/linux@bb7f0f9
kernel/bpf/verifier.c in the Linux kernel through 4.14.8 allows local users to cause a denial of service (integer overflow and memory corruption) or possibly have unspecified other impact by leveraging unrestricted integer values for pointer arithmetic.
bpf: fix integer overflows
There were various issues related to the limited size of integers used in the verifier:
- `off + size` overflow in __check_map_access()
- `off + reg->off` overflow in check_mem_access()
- `off + reg->var_off.value` overflow or 32-bit truncation of `reg->var_off.value` in check_mem_access()
- 32-bit truncation in check_stack_boundary()
Make sure that any integer math cannot overflow by not allowing pointer math with large values.
Also reduce the scope of “scalar op scalar” tracking.
Fixes: f1174f7 (“bpf/verifier: rework value tracking”)
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
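Two of the failure modes the commit message lists, wrap-around of a 32-bit `off + size` sum and truncation of a 64-bit offset, shown in a user-space sketch that is an added example and not the kernel's verifier code. The function names, the `MAX_PTR_OFF` limit and the inputs are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed limit for this example: offsets must stay well inside 32 bits. */
#define MAX_PTR_OFF (1 << 29)

/* Naive check: the sum is computed in 32 bits. The casts model two's
 * complement wrap-around without relying on undefined signed overflow. */
static int naive_access_ok(int32_t off, int32_t size, int32_t value_size)
{
    int32_t end = (int32_t)((uint32_t)off + (uint32_t)size);
    return off >= 0 && size > 0 && end <= value_size;
}

/* Naive check on a 64-bit tracked offset that is first stored in an int. */
static int naive_var_off_ok(int64_t var_off, int32_t size, int32_t value_size)
{
    int32_t off = (int32_t)(uint32_t)var_off;   /* upper 32 bits are lost */
    return naive_access_ok(off, size, value_size);
}

/* Hardened check: bound the inputs first, then add in 64 bits. */
static int bounded_access_ok(int64_t off, int64_t size, int64_t value_size)
{
    if (off < 0 || off >= MAX_PTR_OFF)
        return 0;
    if (size <= 0 || size >= MAX_PTR_OFF)
        return 0;
    return off + size <= value_size;   /* cannot overflow: both < 2^29 */
}

int main(void)
{
    /* Constructed inputs: a 64-byte value area. */
    printf("wrap:  naive=%d bounded=%d\n",
           naive_access_ok(INT32_MAX, 8, 64), bounded_access_ok(INT32_MAX, 8, 64));
    printf("trunc: naive=%d bounded=%d\n",
           naive_var_off_ok(0x100000008LL, 8, 64), bounded_access_ok(0x100000008LL, 8, 64));
    printf("valid: naive=%d bounded=%d\n",
           naive_access_ok(56, 8, 64), bounded_access_ok(56, 8, 64));
    return 0;
}
```

The naive checks accept both out-of-range inputs because the comparison only ever sees the wrapped or truncated value; the bounded check rejects them before any arithmetic takes place.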