979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Jason Yan]

Hi, Daniel & Greg

This patch (979d63d50c0c bpf: prevent out of bounds speculation on 
pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:

CVSS v3.0 Severity and Metrics:
Base Score: 9.8 CRITICAL

And this patch is not in stable-4.4, would you please backport this 
patch to 4.4?

Thanks,
Jason

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Daniel Borkmann]

Hi Jason,

On 03/11/2019 10:18 AM, Jason Yan wrote:
> Hi, Daniel & Greg
> 
> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
> 
> CVSS v3.0 Severity and Metrics:
> Base Score: 9.8 CRITICAL
> 
> And this patch is not in stable-4.4, would you please backport this patch to 4.4?

We don't handle kernels as old as 4.4, so someone else would need to
do the backporting e.g. from your side. The series has been backported
to the last two most-recent stable kernels at that time (we usually
follow netdev practice here), and there have been asks about 4.14 as
well; I've been looking into backporting for the latter last two weeks
on and off, but there are conflicts all over the place in fragile core
areas where I didn't have enough free cycles to complete it yet. For
old kernels, you're probably better off doing something like this in
your tree instead of the huge complexity with a backport:

diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
index bc34cf9..2cea2de 100644
--- a/kernel/bpf/syscall.c
+++ b/kernel/bpf/syscall.c
@@ -47,7 +47,7 @@ static DEFINE_SPINLOCK(prog_idr_lock);
 static DEFINE_IDR(map_idr);
 static DEFINE_SPINLOCK(map_idr_lock);

-int sysctl_unprivileged_bpf_disabled __read_mostly;
+int sysctl_unprivileged_bpf_disabled __read_mostly = 1;

 static const struct bpf_map_ops * const bpf_map_types[] = {
 #define BPF_PROG_TYPE(_id, _ops)

Thanks,
Daniel

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Jason Yan]

On 2019/3/11 17:41, Daniel Borkmann wrote:
> Hi Jason,
> 
> On 03/11/2019 10:18 AM, Jason Yan wrote:
>> Hi, Daniel & Greg
>>
>> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
>>
>> CVSS v3.0 Severity and Metrics:
>> Base Score: 9.8 CRITICAL
>>
>> And this patch is not in stable-4.4, would you please backport this patch to 4.4?
> 
> We don't handle kernels as old as 4.4, so someone else would need to
> do the backporting e.g. from your side. The series has been backported
> to the last two most-recent stable kernels at that time (we usually
> follow netdev practice here), and there have been asks about 4.14 as
> well; I've been looking into backporting for the latter last two weeks
> on and off, but there are conflicts all over the place in fragile core
> areas where I didn't have enough free cycles to complete it yet. For
> old kernels, you're probably better off doing something like this in
> your tree instead of the huge complexity with a backport:
> 

Thanks for you kindly reply.

> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> index bc34cf9..2cea2de 100644
> --- a/kernel/bpf/syscall.c
> +++ b/kernel/bpf/syscall.c
> @@ -47,7 +47,7 @@ static DEFINE_SPINLOCK(prog_idr_lock);
>   static DEFINE_IDR(map_idr);
>   static DEFINE_SPINLOCK(map_idr_lock);
> 
> -int sysctl_unprivileged_bpf_disabled __read_mostly;
> +int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
> 

Greg, is it possible to get this kind of mitigation into 4.4?

Thanks,
Jason

>   static const struct bpf_map_ops * const bpf_map_types[] = {
>   #define BPF_PROG_TYPE(_id, _ops)
> 
> Thanks,
> Daniel
> 
> .
> 

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Greg KH]

On Mon, Mar 11, 2019 at 07:13:14PM +0800, Jason Yan wrote:
> 
> 
> On 2019/3/11 17:41, Daniel Borkmann wrote:
> > Hi Jason,
> > 
> > On 03/11/2019 10:18 AM, Jason Yan wrote:
> > > Hi, Daniel & Greg
> > > 
> > > This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
> > > 
> > > CVSS v3.0 Severity and Metrics:
> > > Base Score: 9.8 CRITICAL
> > > 
> > > And this patch is not in stable-4.4, would you please backport this patch to 4.4?
> > 
> > We don't handle kernels as old as 4.4, so someone else would need to
> > do the backporting e.g. from your side. The series has been backported
> > to the last two most-recent stable kernels at that time (we usually
> > follow netdev practice here), and there have been asks about 4.14 as
> > well; I've been looking into backporting for the latter last two weeks
> > on and off, but there are conflicts all over the place in fragile core
> > areas where I didn't have enough free cycles to complete it yet. For
> > old kernels, you're probably better off doing something like this in
> > your tree instead of the huge complexity with a backport:
> > 
> 
> Thanks for you kindly reply.
> 
> > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
> > index bc34cf9..2cea2de 100644
> > --- a/kernel/bpf/syscall.c
> > +++ b/kernel/bpf/syscall.c
> > @@ -47,7 +47,7 @@ static DEFINE_SPINLOCK(prog_idr_lock);
> >   static DEFINE_IDR(map_idr);
> >   static DEFINE_SPINLOCK(map_idr_lock);
> > 
> > -int sysctl_unprivileged_bpf_disabled __read_mostly;
> > +int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
> > 
> 
> Greg, is it possible to get this kind of mitigation into 4.4?

Why are you using a 4.4 kernel with untrusted userspace?  The only
reason to use 4.4.y at this point in time is if you have a huge SoC tree
patchset that is not upstream.  If you are using x86, you should be
using 4.14.y or newer right now.

That being said, no, I am not going to change the default here, that
could break people's working setups.  I would recommend you just setting
this value in your initrd/setup scripts if you want it, that's why it is
a sysctl :)

thanks,

greg k-h

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Jason Yan]

On 2019/3/12 2:54, Greg KH wrote:
> On Mon, Mar 11, 2019 at 07:13:14PM +0800, Jason Yan wrote:
>>
>>
>> On 2019/3/11 17:41, Daniel Borkmann wrote:
>>> Hi Jason,
>>>
>>> On 03/11/2019 10:18 AM, Jason Yan wrote:
>>>> Hi, Daniel & Greg
>>>>
>>>> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
>>>>
>>>> CVSS v3.0 Severity and Metrics:
>>>> Base Score: 9.8 CRITICAL
>>>>
>>>> And this patch is not in stable-4.4, would you please backport this patch to 4.4?
>>>
>>> We don't handle kernels as old as 4.4, so someone else would need to
>>> do the backporting e.g. from your side. The series has been backported
>>> to the last two most-recent stable kernels at that time (we usually
>>> follow netdev practice here), and there have been asks about 4.14 as
>>> well; I've been looking into backporting for the latter last two weeks
>>> on and off, but there are conflicts all over the place in fragile core
>>> areas where I didn't have enough free cycles to complete it yet. For
>>> old kernels, you're probably better off doing something like this in
>>> your tree instead of the huge complexity with a backport:
>>>
>>
>> Thanks for you kindly reply.
>>
>>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c
>>> index bc34cf9..2cea2de 100644
>>> --- a/kernel/bpf/syscall.c
>>> +++ b/kernel/bpf/syscall.c
>>> @@ -47,7 +47,7 @@ static DEFINE_SPINLOCK(prog_idr_lock);
>>>    static DEFINE_IDR(map_idr);
>>>    static DEFINE_SPINLOCK(map_idr_lock);
>>>
>>> -int sysctl_unprivileged_bpf_disabled __read_mostly;
>>> +int sysctl_unprivileged_bpf_disabled __read_mostly = 1;
>>>
>>
>> Greg, is it possible to get this kind of mitigation into 4.4?
> 
> Why are you using a 4.4 kernel with untrusted userspace?  The only
> reason to use 4.4.y at this point in time is if you have a huge SoC tree
> patchset that is not upstream.  If you are using x86, you should be
> using 4.14.y or newer right now.
> 
> That being said, no, I am not going to change the default here, that
> could break people's working setups.  I would recommend you just setting
> this value in your initrd/setup scripts if you want it, that's why it is
> a sysctl :)
> 

Got it, thanks.

Jason

> thanks,
> 
> greg k-h
> 
> .
> 

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Greg KH]

On Mon, Mar 11, 2019 at 05:18:33PM +0800, Jason Yan wrote:
> Hi, Daniel & Greg
> 
> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer
> arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
> 
> CVSS v3.0 Severity and Metrics:
> Base Score: 9.8 CRITICAL
> 
> And this patch is not in stable-4.4, would you please backport this patch to
> 4.4?

For a bit more context, it's also not in 4.14.y, 4.9.y, or 4.4.y.  I
found a backported series for 4.4.y in the SLES kernel tree that I could
try to import here if it really is a big deal.

I'm on the road this week, but if you could take a look at the SLES
patches and see if those work for you, and then forward them here, I
will be glad to queue them up.  Also if you could do the work for 4.14.y
and 4.9.y I'm sure lots of people would appreciate it :)

thanks,

greg k-h

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Jason Yan]

On 2019/3/12 19:52, Greg KH wrote:
> On Mon, Mar 11, 2019 at 05:18:33PM +0800, Jason Yan wrote:
>> Hi, Daniel & Greg
>>
>> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer
>> arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
>>
>> CVSS v3.0 Severity and Metrics:
>> Base Score: 9.8 CRITICAL
>>
>> And this patch is not in stable-4.4, would you please backport this patch to
>> 4.4?
> 
> For a bit more context, it's also not in 4.14.y, 4.9.y, or 4.4.y.  I
> found a backported series for 4.4.y in the SLES kernel tree that I could
> try to import here if it really is a big deal.
> 

I'm sorry that I did not find them. I only know the SLES  kernel tree 
at: https://github.com/openSUSE/kernel.
Is there another place for the SLES kernel tree?

> I'm on the road this week, but if you could take a look at the SLES
> patches and see if those work for you, and then forward them here, I
> will be glad to queue them up.  Also if you could do the work for 4.14.y
> and 4.9.y I'm sure lots of people would appreciate it :)
> 
> thanks,
> 
> greg k-h
> 
> .
> 

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Greg KH]

On Tue, Mar 12, 2019 at 10:58:39PM +0800, Jason Yan wrote:
> 
> 
> On 2019/3/12 19:52, Greg KH wrote:
> > On Mon, Mar 11, 2019 at 05:18:33PM +0800, Jason Yan wrote:
> > > Hi, Daniel & Greg
> > > 
> > > This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer
> > > arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
> > > 
> > > CVSS v3.0 Severity and Metrics:
> > > Base Score: 9.8 CRITICAL
> > > 
> > > And this patch is not in stable-4.4, would you please backport this patch to
> > > 4.4?
> > 
> > For a bit more context, it's also not in 4.14.y, 4.9.y, or 4.4.y.  I
> > found a backported series for 4.4.y in the SLES kernel tree that I could
> > try to import here if it really is a big deal.
> > 
> 
> I'm sorry that I did not find them. I only know the SLES  kernel tree at:
> https://github.com/openSUSE/kernel.
> Is there another place for the SLES kernel tree?

That's the tree you want, look at the SLES branches.  I see the patches
backported to the SLE12-SP4 branch already, so that is hopefully a
working set of patches for 4.4.y.

thanks,

greg k-h

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Jason Yan]

On 2019/3/13 0:22, Greg KH wrote:
> On Tue, Mar 12, 2019 at 10:58:39PM +0800, Jason Yan wrote:
>>
>>
>> On 2019/3/12 19:52, Greg KH wrote:
>>> On Mon, Mar 11, 2019 at 05:18:33PM +0800, Jason Yan wrote:
>>>> Hi, Daniel & Greg
>>>>
>>>> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer
>>>> arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
>>>>
>>>> CVSS v3.0 Severity and Metrics:
>>>> Base Score: 9.8 CRITICAL
>>>>
>>>> And this patch is not in stable-4.4, would you please backport this patch to
>>>> 4.4?
>>>
>>> For a bit more context, it's also not in 4.14.y, 4.9.y, or 4.4.y.  I
>>> found a backported series for 4.4.y in the SLES kernel tree that I could
>>> try to import here if it really is a big deal.
>>>
>>
>> I'm sorry that I did not find them. I only know the SLES  kernel tree at:
>> https://github.com/openSUSE/kernel.
>> Is there another place for the SLES kernel tree?
> 
> That's the tree you want, look at the SLES branches.  I see the patches
> backported to the SLE12-SP4 branch already, so that is hopefully a
> working set of patches for 4.4.y.
> 

I checked the SLE12-SP4 branch and the kernel version is 4.12. There is
still a lot of conflicts even with 4.14.y. So it's hard to backport to
4.4.y. I will try to solve the conflicts with 4.14.y but I'm not sure if
I can solve all the conflicts and finish this job.

> thanks,
> 
> greg k-h
> 
> .
> 

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Greg KH]

On Thu, Mar 14, 2019 at 10:41:57PM +0800, Jason Yan wrote:
> 
> 
> On 2019/3/13 0:22, Greg KH wrote:
> > On Tue, Mar 12, 2019 at 10:58:39PM +0800, Jason Yan wrote:
> > > 
> > > 
> > > On 2019/3/12 19:52, Greg KH wrote:
> > > > On Mon, Mar 11, 2019 at 05:18:33PM +0800, Jason Yan wrote:
> > > > > Hi, Daniel & Greg
> > > > > 
> > > > > This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer
> > > > > arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
> > > > > 
> > > > > CVSS v3.0 Severity and Metrics:
> > > > > Base Score: 9.8 CRITICAL
> > > > > 
> > > > > And this patch is not in stable-4.4, would you please backport this patch to
> > > > > 4.4?
> > > > 
> > > > For a bit more context, it's also not in 4.14.y, 4.9.y, or 4.4.y.  I
> > > > found a backported series for 4.4.y in the SLES kernel tree that I could
> > > > try to import here if it really is a big deal.
> > > > 
> > > 
> > > I'm sorry that I did not find them. I only know the SLES  kernel tree at:
> > > https://github.com/openSUSE/kernel.
> > > Is there another place for the SLES kernel tree?
> > 
> > That's the tree you want, look at the SLES branches.  I see the patches
> > backported to the SLE12-SP4 branch already, so that is hopefully a
> > working set of patches for 4.4.y.
> > 
> 
> I checked the SLE12-SP4 branch and the kernel version is 4.12. There is
> still a lot of conflicts even with 4.14.y. So it's hard to backport to
> 4.4.y. I will try to solve the conflicts with 4.14.y but I'm not sure if
> I can solve all the conflicts and finish this job.

Oops, try looking at the SLE12-SP3 branch, that is 4.4 based.  I don't
know if they backported the patches there or not though.

thanks,

greg k-h

Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic

[Jason Yan]

On 2019/3/14 22:57, Greg KH wrote:
> On Thu, Mar 14, 2019 at 10:41:57PM +0800, Jason Yan wrote:
>>
>>
>> On 2019/3/13 0:22, Greg KH wrote:
>>> On Tue, Mar 12, 2019 at 10:58:39PM +0800, Jason Yan wrote:
>>>>
>>>>
>>>> On 2019/3/12 19:52, Greg KH wrote:
>>>>> On Mon, Mar 11, 2019 at 05:18:33PM +0800, Jason Yan wrote:
>>>>>> Hi, Daniel & Greg
>>>>>>
>>>>>> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer
>>>>>> arithmetic) was assigned a CVE (CVE-2019-7308) with a high score:
>>>>>>
>>>>>> CVSS v3.0 Severity and Metrics:
>>>>>> Base Score: 9.8 CRITICAL
>>>>>>
>>>>>> And this patch is not in stable-4.4, would you please backport this patch to
>>>>>> 4.4?
>>>>>
>>>>> For a bit more context, it's also not in 4.14.y, 4.9.y, or 4.4.y.  I
>>>>> found a backported series for 4.4.y in the SLES kernel tree that I could
>>>>> try to import here if it really is a big deal.
>>>>>
>>>>
>>>> I'm sorry that I did not find them. I only know the SLES  kernel tree at:
>>>> https://github.com/openSUSE/kernel.
>>>> Is there another place for the SLES kernel tree?
>>>
>>> That's the tree you want, look at the SLES branches.  I see the patches
>>> backported to the SLE12-SP4 branch already, so that is hopefully a
>>> working set of patches for 4.4.y.
>>>
>>
>> I checked the SLE12-SP4 branch and the kernel version is 4.12. There is
>> still a lot of conflicts even with 4.14.y. So it's hard to backport to
>> 4.4.y. I will try to solve the conflicts with 4.14.y but I'm not sure if
>> I can solve all the conflicts and finish this job.
> 
> Oops, try looking at the SLE12-SP3 branch, that is 4.4 based.  I don't
> know if they backported the patches there or not though.
> 

No, SLE12-SP3 branch do not have these patches backported.

> thanks,
> 
> greg k-h
> 
> .
>