AZL-70214

In the Linux kernel, the following vulnerability has been resolved:

bpf: Do markchainprecision for ARGCONSTALLOCSIZEOR_ZERO

Precision markers need to be propagated whenever we have an ARGCONST* style argument, as the verifier cannot consider imprecise scalars to be equivalent for the purposes of statesequal check when such arguments refine the return value (in this case, set memsize for PTRTOMEM). The resultant memsize for the R0 is derived from the constant value, and if the verifier incorrectly prunes states considering them equivalent where such arguments exist (by seeing that both registers have reg->precise as false in regsafe), we can end up with invalid programs passing the verifier which can do access beyond what should have been the correct memsize in that explored state.

To show a concrete example of the problem:

0000000000000000 <prog>: 0: r2 = *(u32 *)(r1 + 80) 1: r1 = *(u32 *)(r1 + 76) 2: r3 = r1 3: r3 += 4 4: if r3 > r2 goto +18 <LBB5_5> 5: w2 = 0 6: *(u32 *)(r1 + 0) = r2 7: r1 = *(u32 *)(r1 + 0) 8: r2 = 1 9: if w1 == 0 goto +1 <LBB5_3> 10: r2 = -1

0000000000000058 <LBB5_3>: 11: r1 = 0 ll 13: r3 = 0 14: call bpfringbufreserve 15: if r0 == 0 goto +7 <LBB5_5> 16: r1 = r0 17: r1 += 16777215 18: w2 = 0 19: *(u8 *)(r1 + 0) = r2 20: r1 = r0 21: r2 = 0 22: call bpfringbufsubmit

00000000000000b8 <LBB5_5>: 23: w0 = 0 24: exit

For the first case, the single line execution's exploration will prune the search at insn 14 for the branch insn 9's second leg as it will be verified first using r2 = -1 (UINTMAX), while as w1 at insn 9 will always be 0 so at runtime we don't get error for being greater than UINTMAX/4 from bpfringbufreserve. The verifier during regsafe just sees reg->precise as false for both r2 registers in both states, hence considers them equal for purposes of states_equal.

If we propagated precise markers using the backtracking support, we would use the precise marking to then ensure that old r2 (UINT_MAX) was within the new r2 (1) and this would never be true, so the verification would rightfully fail.

The end result is that the out of bounds access at instruction 19 would be permitted without this fix.

Note that reg->precise is always set to true when user does not have CAPBPF (or when subprog count is greater than 1 (i.e. use of any static or global functions)), hence this is only a problem when precision marks need to be explicitly propagated (i.e. privileged users with CAPBPF).

A simplified test case has been included in the next patch to prevent future regressions.