Description: out-of-bounds speculation on pointer arithmetic in various cases
References:
 https://bugs.chromium.org/p/project-zero/issues/detail?id=1711
Notes:
 carnil> At last be95a845cc4402272994ce290e3ad928aff06cb9 was backported to 4.9.x
 carnil> as 5cb917aa1f1e03df9a4c29b363e3900d73508fa8 and included in 4.9.79.
 bwh> Before commit f1174f77b50c "bpf/verifier: rework value tracking",
 bwh> the only case where pointer arithmetic was permitted with a variable
 bwh> offset was packet (context) access. The upstream fixes don't cover
 bwh> that case (though it's not clear to me why) so I don't believe this
 bwh> issue is applicable to any version before that rework.
Bugs:
upstream: released (5.0-rc1) [979d63d50c0c0f7bc537bf821e056cc9fe5abd38], (5.0-rc3) [d3bd7413e0ca40b60cf60d4003246d067cafdeda]
4.19-upstream-stable: released (4.19.19) [f92a819b4cbef8c9527d9797110544b2055a4b96, eed84f94ff8d97abcbc5706f6f9427520fd60a10]
4.9-upstream-stable: N/A "Vulnerable code not present"
3.16-upstream-stable: N/A "Vulnerable code not present"
sid: released (4.19.20-1)
4.9-stretch-security: N/A "Vulnerable code not present"
3.16-jessie-security: N/A "Vulnerable code not present"