blob: 055455f24d595b8bb1378ba5bf2da06383b242e2 (
plain) (
blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
Description: out-of-bounds speculation on pointer arithmetic in various cases
References:
https://bugs.chromium.org/p/project-zero/issues/detail?id=1711
Notes:
carnil> At last be95a845cc4402272994ce290e3ad928aff06cb9 was backported to 4.9.x
carnil> as 5cb917aa1f1e03df9a4c29b363e3900d73508fa8 and included in 4.9.79.
bwh> Before commit f1174f77b50c "bpf/verifier: rework value tracking",
bwh> the only case where pointer arithmetic was permitted with a variable
bwh> offset was packet (context) access. The upstream fixes don't cover
bwh> that case (though it's not clear to me why) so I don't believe this
bwh> issue is applicable to any version before that rework.
Bugs:
upstream: released (5.0-rc1) [979d63d50c0c0f7bc537bf821e056cc9fe5abd38], (5.0-rc3) [d3bd7413e0ca40b60cf60d4003246d067cafdeda]
4.19-upstream-stable: released (4.19.19) [f92a819b4cbef8c9527d9797110544b2055a4b96, eed84f94ff8d97abcbc5706f6f9427520fd60a10]
4.9-upstream-stable: N/A "Vulnerable code not present"
3.16-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.19.20-1)
4.9-stretch-security: N/A "Vulnerable code not present"
3.16-jessie-security: N/A "Vulnerable code not present"
|
