From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mga07.intel.com ([134.134.136.100]) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fFpUH-0000KE-LQ for speck@linutronix.de; Tue, 08 May 2018 01:24:10 +0200 From: Dave Hansen Subject: [MODERATED] [PATCH 5/5] SSB extra v2 5 Date: Mon, 7 May 2018 16:18:46 -0700 Message-Id: =?utf-8?q?=3C3c3bda6cd68a91d9e79ef1da60d481180d544d20=2E152573?= =?utf-8?q?4796=2Egit=2Edave=2Ehansen=40intel=2Ecom=3E?= In-Reply-To: References: In-Reply-To: References: Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit MIME-Version: 1.0 To: speck@linutronix.de Cc: Dave Hansen List-ID: From: Dave Hansen Think of this more as an example of what we can do than a full-blown mitigation. Since we go through and verify BFP programs and we also know that speculative-store-bypass requires stores (aka writes), we have the verifier record if it saw a memory write. If not, like if the program operates on registers alone, then do not bother with mitigation. Signed-off-by: Dave Hansen --- include/linux/bpf_verifier.h | 1 + kernel/bpf/syscall.c | 2 -- kernel/bpf/verifier.c | 11 +++++++++++ 3 files changed, 12 insertions(+), 2 deletions(-) diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h index 7e61c39..396b5f1 100644 --- a/include/linux/bpf_verifier.h +++ b/include/linux/bpf_verifier.h @@ -189,6 +189,7 @@ struct bpf_verifier_env { u32 id_gen; /* used to generate unique reg IDs */ bool allow_ptr_leaks; bool seen_direct_write; + bool saw_memory_write; /* Did the program write to memory? */ struct bpf_insn_aux_data *insn_aux_data; /* array of per-insn state */ struct bpf_verifier_log log; u32 subprog_starts[BPF_MAX_SUBPROGS]; diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index fa4d9e3..4ca46df 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -1292,8 +1292,6 @@ static int bpf_prog_load(union bpf_attr *attr) bpf_prog_insn_size(prog)) != 0) goto free_prog; - /* Mitigate all programs loaded without CAP_SYS_ADMIN: */ - prog->need_mitigation = !capable(CAP_SYS_ADMIN); prog->orig_prog = NULL; prog->jited = 0; diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index ee454b6..83fc611 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -1601,6 +1601,9 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn struct bpf_func_state *state; int size, err = 0; + if (t == BPF_WRITE) + env->saw_memory_write = true; + size = bpf_size_to_bytes(bpf_size); if (size < 0) return size; @@ -5739,6 +5742,14 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr) convert_pseudo_ld_imm64(env); } + /* To mitigate speculative-store-bypass, we only need + * mitigation for programs that write to memory. Mark that + * the program needs mitigation if loaded without + * CAP_SYS_ADMIN: + */ + if (env->saw_memory_write && !capable(CAP_SYS_ADMIN)) + env->prog->need_mitigation = true; + err_release_maps: if (!env->prog->aux->used_maps) /* if we didn't copy map pointers into bpf_prog_info, release -- 2.9.5