Merge branch 'bpf-verifier-sec-fixes'

Alexei Starovoitov says: ==================== This patch set addresses a set of security vulnerabilities in bpf verifier logic discovered by Jann Horn. All of the patches are candidates for 4.14 stable. ==================== Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
author: Daniel Borkmann <daniel@iogearbox.net> 2017-12-21 02:15:42 +0100
committer: Daniel Borkmann <daniel@iogearbox.net> 2017-12-21 02:15:42 +0100
commit: 3db9128fcf02dcaafa3860a69a8a55d5529b6e30 (patch)
tree: 117e4805d7777db771898351ebdc71994371d9e3 /include
parent: 19c832ed9b8f7b49fa5eeef06b4338af5fe5c1dc (diff)
parent: 2255f8d520b0a318fc6d387d0940854b2f522a7f (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index c561b986bab0..1632bb13ad8a 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -15,11 +15,11 @@
  * In practice this is far bigger than any realistic pointer offset; this limit
  * ensures that umax_value + (int)off + (int)size cannot overflow a u64.
  */
-#define BPF_MAX_VAR_OFF	(1ULL << 31)
+#define BPF_MAX_VAR_OFF	(1 << 29)
 /* Maximum variable size permitted for ARG_CONST_SIZE[_OR_ZERO].  This ensures
  * that converting umax_value to int cannot overflow.
  */
-#define BPF_MAX_VAR_SIZ	INT_MAX
+#define BPF_MAX_VAR_SIZ	(1 << 29)
 
 /* Liveness marks, used for registers and spilled-regs (in stack slots).
  * Read marks propagate upwards until they find a write mark; they record that
author	Daniel Borkmann <daniel@iogearbox.net>	2017-12-21 02:15:42 +0100
committer	Daniel Borkmann <daniel@iogearbox.net>	2017-12-21 02:15:42 +0100
commit	3db9128fcf02dcaafa3860a69a8a55d5529b6e30 (patch)
tree	117e4805d7777db771898351ebdc71994371d9e3 /include
parent	19c832ed9b8f7b49fa5eeef06b4338af5fe5c1dc (diff)
parent	2255f8d520b0a318fc6d387d0940854b2f522a7f (diff)