[v3.1] kernel: crafted BPF filters may crash kernel during JIT optimisation (CVE-2015-4700)
In the problematic case, the JIT compiler fails to optimise a set of specially crafted instructions and produces a faulty instruction list. When that list is used during filtering, the CPU can execute an invalid instruction (in receive_pkt).
This can be triggered as a non-root user, who can start a server on an ephemeral port and attach a specially crafted packet filter to it.
The faulty instructions run as soon as the server receives a packet.
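To make the corner case concrete, here is a toy model of the multi-pass JIT loop that the upstream commit message below describes. It is an added example written for this entry, not kernel code and not part of the upstream commit. It assumes a simplified x86 encoding in which a forward jump takes 2 bytes when its distance, measured with the previous pass's offsets, fits in 127 bytes and 5 bytes otherwise, a first-pass estimate of 64 bytes per instruction, a 10-pass limit, and the kernel's habit of pre-filling a freshly allocated image with int3. The constructed "program" of 100 forward jumps to a final ret is chosen so that its size stops changing exactly on the tenth pass, which is enough to reproduce the all-int3 image; passing `fixed = true` models the patched loop condition (`pass < 10 || image`) that grants the final write pass.

```c
/* Toy model of the multi-pass x86 BPF JIT loop (constructed example, not kernel code).
 * The program is n forward jumps to a final ret. A jump encodes as 2 bytes (EB rel8)
 * when its distance, measured with the previous pass's offsets, fits in 127 bytes,
 * and as 5 bytes (E9 rel32) otherwise, so sizes shrink pass by pass until they settle. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define JIT_FILL     0xCC   /* int3: what a freshly allocated JIT image is filled with */
#define OP_JMP_SHORT 0xEB
#define OP_JMP_LONG  0xE9
#define OP_RET       0xC3
#define PASS_LIMIT   10     /* the pass limit in the affected kernel loop */

struct jit_result {
    int passes;       /* how many times do_jit() ran */
    int proglen;      /* size of the installed image, 0 if none was produced */
    int trap_bytes;   /* 0xCC bytes left in the image */
    bool valid;       /* starts with a jump, ends with ret, no trap bytes */
};

/* One pass. addrs[i] is the end offset of insn i from the previous pass; the jump
 * encoding is chosen from those stale offsets and addrs[] is updated in place.
 * With image == NULL only sizes are computed, otherwise bytes are emitted. */
static int do_jit(int n, int *addrs, unsigned char *image)
{
    int proglen = 0;
    for (int i = 0; i < n; i++) {
        int dist = addrs[n - 1] - addrs[i];   /* start of ret minus end of this jump */
        int ilen = dist <= 127 ? 2 : 5;
        if (image) {
            unsigned char *p = image + proglen;
            p[0] = ilen == 2 ? OP_JMP_SHORT : OP_JMP_LONG;
            for (int k = 0; k < ilen - 1; k++)   /* little-endian displacement */
                p[1 + k] = (unsigned char)(dist >> (8 * k));
        }
        proglen += ilen;
        addrs[i] = proglen;
    }
    if (image)
        image[proglen] = OP_RET;
    addrs[n] = ++proglen;
    return proglen;
}

/* The compile loop. fixed == false models "pass < 10", fixed == true models the
 * patched condition "pass < 10 || image", which grants one more pass once the
 * image exists so the converged program actually gets written into it. */
struct jit_result jit_compile(int n, bool fixed)
{
    struct jit_result r = {0, 0, 0, false};
    int *addrs = malloc((n + 1) * sizeof *addrs);
    unsigned char *image = NULL;
    int proglen = 0, oldproglen = 0;

    /* first-pass estimate: every insn is assumed to take up to 64 bytes */
    for (int i = 0; i <= n; i++)
        addrs[i] = 64 * (i + 1);

    for (int pass = 0; pass < PASS_LIMIT || (fixed && image); pass++) {
        proglen = do_jit(n, addrs, image);
        r.passes++;
        if (image)
            break;                          /* converged program has been written */
        if (proglen == oldproglen) {        /* sizes stopped changing: allocate */
            image = malloc(proglen);
            memset(image, JIT_FILL, proglen);
        }
        oldproglen = proglen;
    }
    /* If the allocation happened on the last permitted pass, the unfixed loop exits
     * here and the image still holds nothing but int3. */
    if (image) {
        r.proglen = proglen;
        for (int i = 0; i < proglen; i++)
            r.trap_bytes += image[i] == JIT_FILL;
        r.valid = r.trap_bytes == 0 &&
                  (image[0] == OP_JMP_SHORT || image[0] == OP_JMP_LONG) &&
                  image[proglen - 1] == OP_RET;
    }
    free(image);
    free(addrs);
    return r;
}

int main(void)
{
    int sizes[] = {5, 100};
    for (int s = 0; s < 2; s++) {
        for (int f = 0; f < 2; f++) {
            struct jit_result r = jit_compile(sizes[s], f);
            printf("%3d jumps, %s: %2d passes, %3d bytes, %3d int3 bytes, %s\n",
                   sizes[s], f ? "fixed  " : "unfixed", r.passes, r.proglen,
                   r.trap_bytes, r.valid ? "valid image" : "BROKEN image");
        }
    }
    return 0;
}
```

With 5 jumps the sizes settle after three passes and both loop variants write a valid 11-byte image on the fourth. With 100 jumps the unfixed loop allocates the image on its tenth and last pass and returns 309 bytes of int3, which is the crash the advisory describes; the fixed loop runs an eleventh pass and returns a valid 309-byte image.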
x86: bpf_jit: fix compilation of large bpf programs
x86 has variable length encoding. x86 JIT compiler is trying to pick the
shortest encoding for given bpf instruction. While doing so the jump
targets are changing, so JIT is doing multiple passes over the program.
Typical program needs 3 passes. Some very short programs converge with 2
passes. Large programs may need 4 or 5. But specially crafted bpf
programs may hit the pass limit and if the program converges on the last
iteration the JIT compiler will be producing an
image full of ‘int 3’ insns. Fix this corner case by doing final
iteration over bpf program.
- for (pass = 0; pass < 10; pass) {
- for (pass = 0; pass < 10 || image; pass) {
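Review bot: as reproduced here both lines of the hunk carry a `-` marker and the loop increment reads `pass` rather than `pass++`, so the hunk no longer shows which line is the replacement; the second line, with `|| image` added to the loop condition, is the one the commit message describes as the extra final iteration: once the image has been allocated on the converging pass, the loop continues for one more pass to write the converged program into it instead of installing the `int 3` fill.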
v3.14
commit 4ca11e9fe811defdf228d7f579e77b5350c96d02
Upstream commit: 3f7352bf21f8fd7ba3e2fcef9488756f188e12be
Reference:
http://seclists.org/oss-sec/2015/q2/785
(from redmine: issue id 4383, created on 2015-06-23, closed on 2015-06-29)
- Relations:
- parent #4382 (closed)