From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Alexei Starovoitov <ast@kernel.org>,
Thomas Gleixner <tglx@linutronix.de>,
Ben Hutchings <ben.hutchings@codethink.co.uk>
Subject: [PATCH 4.9 060/101] bpf: Prevent memory disambiguation attack
Date: Thu, 6 Dec 2018 15:38:59 +0100 [thread overview]
Message-ID: <20181206143015.089926003@linuxfoundation.org> (raw)
In-Reply-To: <20181206143011.174892052@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexei Starovoitov <ast@kernel.org>
commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 upstream.
Detect code patterns where malicious 'speculative store bypass' can be used
and sanitize such patterns.
39: (bf) r3 = r10
40: (07) r3 += -216
41: (79) r8 = *(u64 *)(r7 +0) // slow read
42: (7a) *(u64 *)(r10 -72) = 0 // verifier inserts this instruction
43: (7b) *(u64 *)(r8 +0) = r3 // this store becomes slow due to r8
44: (79) r1 = *(u64 *)(r6 +0) // cpu speculatively executes this load
45: (71) r2 = *(u8 *)(r1 +0) // speculatively arbitrary 'load byte'
// is now sanitized
Above code after x86 JIT becomes:
e5: mov %rbp,%rdx
e8: add $0xffffffffffffff28,%rdx
ef: mov 0x0(%r13),%r14
f3: movq $0x0,-0x48(%rbp)
fb: mov %rdx,0x0(%r14)
ff: mov 0x0(%rbx),%rdi
103: movzbq 0x0(%rdi),%rsi
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 4.9:
- Add bpf_verifier_env parameter to check_stack_write()
- Look up stack slot_types with state->stack_slot_type[] rather than
state->stack[].slot_type[]
- Drop bpf_verifier_env argument to verbose()
- Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/bpf_verifier.h | 1
kernel/bpf/verifier.c | 62 ++++++++++++++++++++++++++++++++++++++++---
2 files changed, 59 insertions(+), 4 deletions(-)
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -71,6 +71,7 @@ struct bpf_insn_aux_data {
enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */
};
+ int sanitize_stack_off; /* stack slot to be cleared */
bool seen; /* this insn was processed by the verifier */
};
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -540,8 +540,9 @@ static bool is_spillable_regtype(enum bp
/* check_stack_read/write functions track spill/fill of registers,
* stack boundary and alignment are checked in check_mem_access()
*/
-static int check_stack_write(struct bpf_verifier_state *state, int off,
- int size, int value_regno)
+static int check_stack_write(struct bpf_verifier_env *env,
+ struct bpf_verifier_state *state, int off,
+ int size, int value_regno, int insn_idx)
{
int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE;
/* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0,
@@ -560,8 +561,32 @@ static int check_stack_write(struct bpf_
/* save register state */
state->spilled_regs[spi] = state->regs[value_regno];
- for (i = 0; i < BPF_REG_SIZE; i++)
+ for (i = 0; i < BPF_REG_SIZE; i++) {
+ if (state->stack_slot_type[MAX_BPF_STACK + off + i] == STACK_MISC &&
+ !env->allow_ptr_leaks) {
+ int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
+ int soff = (-spi - 1) * BPF_REG_SIZE;
+
+ /* detected reuse of integer stack slot with a pointer
+ * which means either llvm is reusing stack slot or
+ * an attacker is trying to exploit CVE-2018-3639
+ * (speculative store bypass)
+ * Have to sanitize that slot with preemptive
+ * store of zero.
+ */
+ if (*poff && *poff != soff) {
+ /* disallow programs where single insn stores
+ * into two different stack slots, since verifier
+ * cannot sanitize them
+ */
+ verbose("insn %d cannot access two stack slots fp%d and fp%d",
+ insn_idx, *poff, soff);
+ return -EINVAL;
+ }
+ *poff = soff;
+ }
state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL;
+ }
} else {
/* regular write of data into stack */
state->spilled_regs[spi] = (struct bpf_reg_state) {};
@@ -841,7 +866,8 @@ static int check_mem_access(struct bpf_v
verbose("attempt to corrupt spilled pointer on stack\n");
return -EACCES;
}
- err = check_stack_write(state, off, size, value_regno);
+ err = check_stack_write(env, state, off, size,
+ value_regno, insn_idx);
} else {
err = check_stack_read(state, off, size, value_regno);
}
@@ -3367,6 +3393,34 @@ static int convert_ctx_accesses(struct b
else
continue;
+ if (type == BPF_WRITE &&
+ env->insn_aux_data[i + delta].sanitize_stack_off) {
+ struct bpf_insn patch[] = {
+ /* Sanitize suspicious stack slot with zero.
+ * There are no memory dependencies for this store,
+ * since it's only using frame pointer and immediate
+ * constant of zero
+ */
+ BPF_ST_MEM(BPF_DW, BPF_REG_FP,
+ env->insn_aux_data[i + delta].sanitize_stack_off,
+ 0),
+ /* the original STX instruction will immediately
+ * overwrite the same stack slot with appropriate value
+ */
+ *insn,
+ };
+
+ cnt = ARRAY_SIZE(patch);
+ new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);
+ if (!new_prog)
+ return -ENOMEM;
+
+ delta += cnt - 1;
+ env->prog = new_prog;
+ insn = new_prog->insnsi + i + delta;
+ continue;
+ }
+
if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
continue;
next prev parent reply other threads:[~2018-12-06 14:52 UTC|newest]
Thread overview: 115+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-12-06 14:37 [PATCH 4.9 000/101] 4.9.144-stable review Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 001/101] Kbuild: suppress packed-not-aligned warning for default setting only Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 002/101] disable stringop truncation warnings for now Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 003/101] test_hexdump: use memcpy instead of strncpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 004/101] kobject: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 005/101] unifdef: use memcpy instead of strncpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 006/101] kernfs: Replace strncpy with memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 007/101] ip_tunnel: Fix name string concatenate in __ip_tunnel_create() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 008/101] drm: gma500: fix logic error Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 009/101] scsi: bfa: convert to strlcpy/strlcat Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 010/101] staging: rts5208: fix gcc-8 logic error warning Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 011/101] kdb: use memmove instead of overlapping memcpy Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 012/101] x86/power/64: Use char arrays for asm function names Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 013/101] iser: set sector for ambiguous mr status errors Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 014/101] uprobes: Fix handle_swbp() vs. unregister() + register() race once more Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 015/101] MIPS: ralink: Fix mt7620 nd_sd pinmux Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 016/101] mips: fix mips_get_syscall_arg o32 check Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 017/101] IB/mlx5: Avoid load failure due to unknown link width Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 018/101] drm/ast: Fix incorrect free on ioregs Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 019/101] drm: set is_master to 0 upon drm_new_set_master() failure Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 020/101] scsi: scsi_devinfo: cleanly zero-pad devinfo strings Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 021/101] ALSA: trident: Suppress gcc string warning Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 022/101] scsi: csiostor: Avoid content leaks and casts Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 023/101] kgdboc: Fix restrict error Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 024/101] kgdboc: Fix warning with module build Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 025/101] binder: fix proc->files use-after-free Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 026/101] svm: Add mutex_lock to protect apic_access_page_done on AMD systems Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 027/101] drm/mediatek: fix OF sibling-node lookup Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 028/101] Input: xpad - quirk all PDP Xbox One gamepads Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 029/101] Input: matrix_keypad - check for errors from of_get_named_gpio() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 030/101] Input: elan_i2c - add ELAN0620 to the ACPI table Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 031/101] Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15ARR Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 032/101] Input: elan_i2c - add support for ELAN0621 touchpad Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 033/101] btrfs: Always try all copies when reading extent buffers Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 034/101] Btrfs: fix use-after-free when dumping free space Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 035/101] ARC: change defconfig defaults to ARCv2 Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 036/101] arc: [devboards] Add support of NFSv3 ACL Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 037/101] udf: Allow mounting volumes with incorrect identification strings Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 038/101] reset: make optional functions really optional Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 039/101] reset: core: fix reset_control_put Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 040/101] reset: fix optional reset_control_get stubs to return NULL Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 041/101] reset: add exported __reset_control_get, return NULL if optional Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 042/101] reset: make device_reset_optional() really optional Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 043/101] reset: remove remaining WARN_ON() in <linux/reset.h> Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 044/101] mm: cleancache: fix corruption on missed inode invalidation Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 045/101] usb: gadget: dummy: fix nonsensical comparisons Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 046/101] net: qed: use correct strncpy() size Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 047/101] tipc: use destination length for copy string Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 048/101] libceph: drop len argument of *verify_authorizer_reply() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 049/101] libceph: no need to drop con->mutex for ->get_authorizer() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 050/101] libceph: store ceph_auth_handshake pointer in ceph_connection Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 051/101] libceph: factor out __prepare_write_connect() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 052/101] libceph: factor out __ceph_x_decrypt() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 053/101] libceph: factor out encrypt_authorizer() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 054/101] libceph: add authorizer challenge Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 055/101] libceph: implement CEPHX_V2 calculation mode Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 056/101] libceph: weaken sizeof check in ceph_x_verify_authorizer_reply() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 057/101] libceph: check authorizer reply/challenge length before reading Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 058/101] bpf/verifier: Add spi variable to check_stack_write() Greg Kroah-Hartman
2018-12-06 14:38 ` [PATCH 4.9 059/101] bpf/verifier: Pass instruction index to check_mem_access() and check_xadd() Greg Kroah-Hartman
2018-12-06 14:38 ` Greg Kroah-Hartman [this message]
2018-12-06 14:39 ` [PATCH 4.9 061/101] wil6210: missing length check in wmi_set_ie Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 062/101] mm/hugetlb.c: dont call region_abort if region_chg fails Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 063/101] hugetlbfs: fix offset overflow in hugetlbfs mmap Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 064/101] hugetlbfs: check for pgoff value overflow Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 065/101] btrfs: validate type when reading a chunk Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 066/101] btrfs: Verify that every chunk has corresponding block group at mount time Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 067/101] btrfs: Refactor check_leaf function for later expansion Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 068/101] btrfs: Check if item pointer overlaps with the item itself Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 069/101] btrfs: Add sanity check for EXTENT_DATA when reading out leaf Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 070/101] btrfs: Add checker for EXTENT_CSUM Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 071/101] btrfs: Move leaf and node validation checker to tree-checker.c Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 072/101] btrfs: struct-funcs, constify readers Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 073/101] btrfs: tree-checker: Enhance btrfs_check_node output Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 074/101] btrfs: tree-checker: Fix false panic for sanity test Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 075/101] btrfs: tree-checker: Add checker for dir item Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 076/101] btrfs: tree-checker: use %zu format string for size_t Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 077/101] btrfs: tree-check: reduce stack consumption in check_dir_item Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 078/101] btrfs: tree-checker: Verify block_group_item Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 079/101] btrfs: tree-checker: Detect invalid and empty essential trees Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 080/101] btrfs: Check that each block group has corresponding chunk at mount time Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 081/101] btrfs: tree-checker: Check level for leaves and nodes Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 082/101] btrfs: tree-checker: Fix misleading group system information Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 083/101] f2fs: fix a panic caused by NULL flush_cmd_control Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 084/101] f2fs: fix race condition in between free nid allocator/initializer Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 085/101] f2fs: detect wrong layout Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 086/101] f2fs: return error during fill_super Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 087/101] f2fs: check blkaddr more accuratly before issue a bio Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 088/101] f2fs: sanity check on sit entry Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 089/101] f2fs: enhance sanity_check_raw_super() to avoid potential overflow Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 090/101] f2fs: clean up with is_valid_blkaddr() Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 091/101] f2fs: introduce and spread verify_blkaddr Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 092/101] f2fs: fix to do sanity check with secs_per_zone Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 093/101] f2fs: fix to do sanity check with user_block_count Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 094/101] f2fs: Add sanity_check_inode() function Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 095/101] f2fs: fix to do sanity check with node footer and iblocks Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 096/101] f2fs: fix to do sanity check with block address in main area Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 097/101] f2fs: fix missing up_read Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 098/101] f2fs: fix to do sanity check with block address in main area v2 Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 099/101] f2fs: free meta pages if sanity check for ckpt is failed Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 100/101] f2fs: fix to do sanity check with cp_pack_start_sum Greg Kroah-Hartman
2018-12-07 18:12 ` Ben Hutchings
2018-12-08 9:01 ` Greg Kroah-Hartman
2018-12-06 14:39 ` [PATCH 4.9 101/101] xfs: dont fail when converting shortform attr to long form during ATTR_REPLACE Greg Kroah-Hartman
2018-12-06 20:12 ` [PATCH 4.9 000/101] 4.9.144-stable review kernelci.org bot
2018-12-06 22:08 ` shuah
2018-12-07 9:03 ` Jon Hunter
2018-12-07 14:41 ` Greg Kroah-Hartman
2018-12-07 9:10 ` Naresh Kamboju
2018-12-07 14:41 ` Greg Kroah-Hartman
2018-12-07 15:34 ` Ben Hutchings
2018-12-07 15:51 ` Greg Kroah-Hartman
2018-12-07 17:53 ` Naresh Kamboju
2018-12-08 8:39 ` Greg Kroah-Hartman
2018-12-07 23:38 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20181206143015.089926003@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=ast@kernel.org \
--cc=ben.hutchings@codethink.co.uk \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).