linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-10-01 22:54:01 +00:00

No description

Find a file

Daniel Borkmann 19e4f40ce7 bpf: Fix leakage of uninitialized bpf stack under speculation commit `801c6058d1` upstream. The current implemented mechanisms to mitigate data disclosure under speculation mainly address stack and map value oob access from the speculative domain. However, Piotr discovered that uninitialized BPF stack is not protected yet, and thus old data from the kernel stack, potentially including addresses of kernel structures, could still be extracted from that 512 bytes large window. The BPF stack is special compared to map values since it's not zero initialized for every program invocation, whereas map values /are/ zero initialized upon their initial allocation and thus cannot leak any prior data in either domain. In the non-speculative domain, the verifier ensures that every stack slot read must have a prior stack slot write by the BPF program to avoid such data leaking issue. However, this is not enough: for example, when the pointer arithmetic operation moves the stack pointer from the last valid stack offset to the first valid offset, the sanitation logic allows for any intermediate offsets during speculative execution, which could then be used to extract any restricted stack content via side-channel. Given for unprivileged stack pointer arithmetic the use of unknown but bounded scalars is generally forbidden, we can simply turn the register-based arithmetic operation into an immediate-based arithmetic operation without the need for masking. This also gives the benefit of reducing the needed instructions for the operation. Given after the work in `7fedb63a83` ("bpf: Tighten speculative pointer arithmetic mask"), the aux->alu_limit already holds the final immediate value for the offset register with the known scalar. Thus, a simple mov of the immediate to AX register with using AX as the source for the original instruction is sufficient and possible now in this case. Reported-by: Piotr Krysiuk <piotras@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: Piotr Krysiuk <piotras@gmail.com> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: fixed minor 4.14 conflict because of renamed function] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2021-06-10 12:43:53 +02:00
arch	MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c	2021-06-03 08:36:25 +02:00
block	blk-mq: Swap two calls in blk_mq_exit_queue()	2021-05-22 10:57:40 +02:00
certs	certs: Fix blacklist flag type confusion	2021-03-03 18:22:46 +01:00
crypto	crypto: api - check for ERR pointers in crypto_destroy_tfm()	2021-05-22 10:57:16 +02:00
Documentation	tweewide: Fix most Shebang lines	2021-06-03 08:36:11 +02:00
drivers	HID: i2c-hid: fix format string mismatch	2021-06-10 12:43:50 +02:00
firmware	Fix built-in early-load Intel microcode alignment	2020-01-23 08:20:30 +01:00
fs	btrfs: fixup error handling in fixup_inode_link_counts	2021-06-10 12:43:51 +02:00
include	bpf: Fix leakage of uninitialized bpf stack under speculation	2021-06-10 12:43:53 +02:00
init	pid: take a reference when initializing `cad_pid`	2021-06-10 12:43:51 +02:00
ipc	ipc/util.c: sysvipc_find_ipc() incorrectly updates position index	2020-05-20 08:17:07 +02:00
kernel	bpf: Fix leakage of uninitialized bpf stack under speculation	2021-06-10 12:43:53 +02:00
lib	lib: stackdepot: turn depot_lock spinlock to raw_spinlock	2021-05-22 10:57:43 +02:00
mm	mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY	2021-06-10 12:43:51 +02:00
net	nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect	2021-06-10 12:43:51 +02:00
samples	samples/bpf: Fix broken tracex1 due to kprobe argument change	2021-05-22 10:57:37 +02:00
scripts	scripts: switch explicitly to Python 3	2021-06-03 08:36:11 +02:00
security	security: commoncap: fix -Wstringop-overread warning	2021-05-22 10:57:21 +02:00
sound	ALSA: timer: Fix master timer notification	2021-06-10 12:43:51 +02:00
tools	selftests/bpf: make 'dubious pointer arithmetic' test useful	2021-06-10 12:43:53 +02:00
usr	initramfs: restore default compression behavior	2020-04-13 10:34:19 +02:00
virt	KVM: arm64: Fix exclusive limit for IPA size	2021-03-17 16:34:35 +01:00
.cocciconfig
.get_maintainer.ignore
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	kbuild: rpm-pkg: keep spec file until make mrproper	2018-02-13 10:19:46 +01:00
.mailmap	.mailmap: Add Maciej W. Rozycki's Imagination e-mail address	2017-11-10 12:16:15 -08:00
COPYING
CREDITS	MAINTAINERS: update TPM driver infrastructure changes	2017-11-09 17:58:40 -08:00
Kbuild	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
Kconfig	License cleanup: add SPDX GPL-2.0 license identifier to files with no license	2017-11-02 11:10:55 +01:00
MAINTAINERS	MAINTAINERS: Update drm/i915 bug filing URL	2020-02-28 16:36:12 +01:00
Makefile	Linux 4.14.235	2021-06-03 08:36:26 +02:00
README	README: add a new README file, pointing to the Documentation/	2016-10-24 08:12:35 -02:00

README

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.