mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-07 09:09:23 +00:00
Code Issues Releases Wiki Activity
linux-stable/kernel/bpf
History
Alexei Starovoitov 83b570c004 bpf: Prevent memory disambiguation attack 
commit af86ca4e30 upstream.

Detect code patterns where malicious 'speculative store bypass' can be used
and sanitize such patterns.

 39: (bf) r3 = r10
 40: (07) r3 += -216
 41: (79) r8 = *(u64 *)(r7 +0)   // slow read
 42: (7a) *(u64 *)(r10 -72) = 0  // verifier inserts this instruction
 43: (7b) *(u64 *)(r8 +0) = r3   // this store becomes slow due to r8
 44: (79) r1 = *(u64 *)(r6 +0)   // cpu speculatively executes this load
 45: (71) r2 = *(u8 *)(r1 +0)    // speculatively arbitrary 'load byte'
                                 // is now sanitized

Above code after x86 JIT becomes:
 e5: mov    %rbp,%rdx
 e8: add    $0xffffffffffffff28,%rdx
 ef: mov    0x0(%r13),%r14
 f3: movq   $0x0,-0x48(%rbp)
 fb: mov    %rdx,0x0(%r14)
 ff: mov    0x0(%rbx),%rdi
103: movzbq 0x0(%rdi),%rsi

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
[bwh: Backported to 4.14:
 - Add bpf_verifier_env parameter to check_stack_write()
 - Look up stack slot_types with state->stack_slot_type[] rather than
   state->stack[].slot_type[]
 - Drop bpf_verifier_env argument to verbose()
 - Adjust context]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-12-05 19:41:10 +01:00
..
arraymap.c bpf: sockmap, map_release does not hold refcnt for pinned maps 2018-11-04 14:52:44 +01:00
bpf_lru_list.c bpf: lru: Lower the PERCPU_NR_SCANS from 16 to 4 2017-04-17 13:55:52 -04:00
bpf_lru_list.h bpf: Only set node->ref = 1 if it has not been set 2017-09-01 09:57:39 -07:00
cgroup.c bpf: BPF support for sock_ops 2017-07-01 16:15:13 -07:00
core.c kmemcheck: remove annotations 2018-02-22 15:42:23 +01:00
devmap.c bpf: devmap fix arithmetic overflow in bitmap_size calculation 2017-10-22 00:54:09 +01:00
hashtab.c bpf: hash map: decrement counter on error 2018-08-24 13:09:12 +02:00
helpers.c bpf: rename ARG_PTR_TO_STACK 2017-01-09 16:56:27 -05:00
inode.c netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1' 2017-10-09 15:18:04 +02:00
lpm_trie.c bpf: fix rcu lockdep warning for lpm_trie map_free callback 2018-03-11 16:23:21 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
map_in_map.c bpf: Add syscall lookup support for fd array and htab 2017-06-29 13:13:25 -04:00
map_in_map.h bpf: Add syscall lookup support for fd array and htab 2017-06-29 13:13:25 -04:00
percpu_freelist.c bpf: fix lockdep splat 2017-12-14 09:53:11 +01:00
percpu_freelist.h bpf: introduce percpu_freelist 2016-03-08 15:28:31 -05:00
sockmap.c bpf: sockmap, map_release does not hold refcnt for pinned maps 2018-11-04 14:52:44 +01:00
stackmap.c bpf: Allow selecting numa node during map creation 2017-08-19 21:35:43 -07:00
syscall.c bpf: wait for running BPF programs when updating map-in-map 2018-11-13 11:15:18 -08:00
tnum.c bpf/verifier: track signed and unsigned min/max values 2017-08-08 17:51:34 -07:00
verifier.c bpf: Prevent memory disambiguation attack 2018-12-05 19:41:10 +01:00