CVE-2023-52920

Severity CVSS v4.0:
Pending analysis
Type:
CWE-476 NULL Pointer Dereference
Publication date:
05/11/2024
Last modified:
09/01/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

bpf: support non-r10 register spill/fill to/from stack in precision tracking

Use instruction (jump) history to record instructions that performed
register spill/fill to/from stack, regardless of whether this was done through
read-only r10 register, or any other register after copying r10 into it
*and* potentially adjusting offset.

To make this work reliably, we push extra per-instruction flags into
instruction history, encoding stack slot index (spi) and stack frame
number in extra 10 bit flags we take away from prev_idx in instruction
history. We don't touch idx field for maximum performance, as it's
checked most frequently during backtracking.

This change removes basically the last remaining practical limitation of
precision backtracking logic in BPF verifier. It fixes known
deficiencies, but also opens up new opportunities to reduce number of
verified states, explored in the subsequent patches.

There are only three differences in selftests' BPF object files
according to veristat, all in the positive direction (fewer states).

File                                   Program       Insns (A)  Insns (B)  Insns (DIFF)   States (A)  States (B)  States (DIFF)
-------------------------------------- ------------- ---------- ---------- -------------- ----------- ----------- -------------
test_cls_redirect_dynptr.bpf.linked3.o cls_redirect       2987       2864  -123 (-4.12%)         240         231  -9 (-3.75%)
xdp_synproxy_kern.bpf.linked3.o        syncookie_tc      82848      82661  -187 (-0.23%)        5107        5073  -34 (-0.67%)
xdp_synproxy_kern.bpf.linked3.o        syncookie_xdp     85116      84964  -152 (-0.18%)        5162        5130  -32 (-0.62%)

Note, I avoided renaming jmp_history to more generic insn_hist to
minimize number of lines changed and potential merge conflicts between
bpf and bpf-next trees.

Notice also cur_hist_entry pointer reset to NULL at the beginning of
instruction verification loop. This pointer avoids the problem of
relying on last jump history entry's insn_idx to determine whether we
already have entry for current instruction or not. It can happen that we
added jump history entry because current instruction is_jmp_point(), but
also we need to add instruction flags for stack access. In this case, we
don't want two entries, so we need to reuse last added entry, if it is
present.

Relying on insn_idx comparison has the same ambiguity problem as the one
that was fixed recently in [0], so we avoid that.

[0] https://patchwork.kernel.org/project/netdevbpf/patch/20231110002638.4168352-3-andrii@kernel.org/
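
The following is an added, self-contained C model of the history mechanism the description above talks about; it is not kernel code and not part of this record. It assumes a split of the 10 flag bits into 3 bits of frame number, 6 bits of stack slot index and 1 "stack access" bit (the names HIST_F_*, hist_entry, hist_entry_for and the scenario values are constructed for this illustration), and shows the two points a reviewer of the fix cares about: a spill through a copied r10 is recorded in the same per-instruction entry, and an instruction that is both a jump point and a stack access gets one entry, found through a cursor that is reset per instruction rather than by comparing insn_idx.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed model, not kernel code. Bit layout of the 10 flag bits is an
 * assumption that matches the "10 bit flags taken from prev_idx" in the text. */
#define HIST_F_FRAMENO_MASK 0x7u        /* 3 bits: stack frame number */
#define HIST_F_SPI_SHIFT    3
#define HIST_F_SPI_MASK     0x3fu       /* 6 bits: stack slot index (spi) */
#define HIST_F_STACK_ACCESS (1u << 9)   /* bit 9: entry records a spill/fill */
#define HIST_PREV_IDX_MASK  0x3fffffu   /* prev_idx keeps the remaining 22 bits */
#define HIST_MAX 64

struct hist_entry {
	uint32_t idx;            /* instruction index: untouched, checked most often */
	uint32_t prev_idx : 22;  /* previous instruction index, 10 bits given up... */
	uint32_t flags : 10;     /* ...to these per-instruction flags */
};

struct hist {
	struct hist_entry entries[HIST_MAX];
	size_t len;
	struct hist_entry *cur;  /* entry of the instruction being verified, or NULL */
};

/* Pack frame number and spi into the 10-bit field; false if either is too large. */
bool hist_pack_flags(unsigned frameno, unsigned spi, uint32_t *out)
{
	if (frameno > HIST_F_FRAMENO_MASK || spi > HIST_F_SPI_MASK)
		return false;
	*out = HIST_F_STACK_ACCESS | (spi << HIST_F_SPI_SHIFT) | frameno;
	return true;
}

unsigned hist_flags_frameno(uint32_t flags) { return flags & HIST_F_FRAMENO_MASK; }
unsigned hist_flags_spi(uint32_t flags) { return (flags >> HIST_F_SPI_SHIFT) & HIST_F_SPI_MASK; }

/* Start of the per-instruction loop: drop the cursor instead of comparing the
 * last entry's idx with the current instruction, which the text calls ambiguous. */
void hist_begin_insn(struct hist *h) { h->cur = NULL; }

/* Get-or-create the entry for the current instruction; reuse it if this
 * instruction already pushed one (for example because it is a jump point). */
struct hist_entry *hist_entry_for(struct hist *h, uint32_t idx, uint32_t prev_idx)
{
	if (h->cur)
		return h->cur;
	if (h->len >= HIST_MAX)
		return NULL;
	struct hist_entry *e = &h->entries[h->len++];
	e->idx = idx;
	e->prev_idx = prev_idx & HIST_PREV_IDX_MASK;
	e->flags = 0;
	h->cur = e;
	return e;
}

/* Record that the current instruction spilled/filled through slot spi of frame
 * frameno, whichever register carried the (possibly offset-adjusted) copy of r10. */
bool hist_record_stack_access(struct hist *h, uint32_t idx, uint32_t prev_idx,
			      unsigned frameno, unsigned spi)
{
	uint32_t fl;
	struct hist_entry *e;
	if (!hist_pack_flags(frameno, spi, &fl) || !(e = hist_entry_for(h, idx, prev_idx)))
		return false;
	e->flags = fl;
	return true;
}

/* Backtracking side: which (frameno, spi) did instruction idx touch?
 * False if no entry exists for it or the entry records no stack access. */
bool hist_lookup_stack_access(const struct hist *h, uint32_t idx,
			      unsigned *frameno, unsigned *spi)
{
	for (size_t i = h->len; i-- > 0;) {
		const struct hist_entry *e = &h->entries[i];
		if (e->idx != idx)
			continue;
		if (!(e->flags & HIST_F_STACK_ACCESS))
			return false;
		*frameno = hist_flags_frameno(e->flags);
		*spi = hist_flags_spi(e->flags);
		return true;
	}
	return false;
}

/* Constructed scenario from the text: instruction 7 (reached from 6) is a jump
 * point, so an entry is pushed for it, and the same instruction also spills a
 * register via a copy of r10 into slot spi=3 of frame 1. Both must share one entry. */
struct demo_result { size_t entries; unsigned frameno, spi, prev_idx; bool found; };

struct demo_result demo_jump_point_and_spill(void)
{
	struct hist h = { .len = 0, .cur = NULL };
	struct demo_result r = { 0 };
	hist_begin_insn(&h);
	if (!hist_entry_for(&h, 7, 6) || !hist_record_stack_access(&h, 7, 6, 1, 3))
		return r;
	r.entries = h.len;
	r.prev_idx = h.entries[0].prev_idx;
	r.found = hist_lookup_stack_access(&h, 7, &r.frameno, &r.spi);
	return r;
}
```

The cursor reset in hist_begin_insn is the detail to watch: without it, the only way to tell "entry already exists for this instruction" from "last entry happens to carry the same index" would be the insn_idx comparison the commit message rejects.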

Vulnerable products and versions

CPE                                           From   Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*         6.8 (excluding)