From: Daniel Borkmann
Subject: [PATCH bpf v3 0/9] bpf fix to prevent oob under speculation
Date: Thu, 3 Jan 2019 00:58:26 +0100
Message-ID: <20190102235835.3311-1-daniel@iogearbox.net>
Cc: jannh@google.com, davem@davemloft.net, jakub.kicinski@netronome.com, netdev@vger.kernel.org, Daniel Borkmann
To: ast@kernel.org

This set fixes an out of bounds case under speculative execution
by implementing masking of pointer alu into the verifier. For
details please see the individual patches.

Thanks!

v2 -> v3:
  - 8/9: change states_equal condition into old->speculative &&
    !cur->speculative, thanks Jakub!
  - 8/9: remove incorrect speculative state test in
    propagate_liveness(), thanks Jakub!
v1 -> v2:
  - Typo fixes in commit msg and a comment, thanks David!

Daniel Borkmann (9):
  bpf: move {prev_,}insn_idx into verifier env
  bpf: move tmp variable into ax register in interpreter
  bpf: enable access to ax register also from verifier rewrite
  bpf: restrict map value pointer arithmetic for unprivileged
  bpf: restrict stack pointer arithmetic for unprivileged
  bpf: restrict unknown scalars of mixed signed bounds for unprivileged
  bpf: fix check_map_access smin_value test when pointer contains offset
  bpf: prevent out of bounds speculation on pointer arithmetic
  bpf: add various test cases to selftests

 include/linux/bpf_verifier.h                |   12 +
 include/linux/filter.h                      |   10 +-
 kernel/bpf/core.c                           |   54 +-
 kernel/bpf/verifier.c                       |  336 ++++++--
 tools/testing/selftests/bpf/test_verifier.c | 1146 ++++++++++++++++++++++++++-
 5 files changed, 1451 insertions(+), 107 deletions(-)

-- 
2.9.5