[bpf,v2,0/9] bpf fix to prevent oob under speculation
mbox series

Message ID 20190101232046.2880-1-daniel@iogearbox.net
Headers show
Series
  • bpf fix to prevent oob under speculation
Related show

Message

Daniel Borkmann Jan. 1, 2019, 11:20 p.m. UTC
This set fixes an out of bounds case under speculative execution
by implementing masking of pointer alu into the verifier. For
details please see the individual patches.

Thanks!

v1 -> v2:
  - Typo fixes in commit msg and a comment, thanks David!

Daniel Borkmann (9):
  bpf: move {prev_,}insn_idx into verifier env
  bpf: move tmp variable into ax register in interpreter
  bpf: enable access to ax register also from verifier rewrite
  bpf: restrict map value pointer arithmetic for unprivileged
  bpf: restrict stack pointer arithmetic for unprivileged
  bpf: restrict unknown scalars of mixed signed bounds for unprivileged
  bpf: fix check_map_access smin_value test when pointer contains offset
  bpf: prevent out of bounds speculation on pointer arithmetic
  bpf: add various test cases to selftests

 include/linux/bpf_verifier.h                |   12 +
 include/linux/filter.h                      |   10 +-
 kernel/bpf/core.c                           |   54 +-
 kernel/bpf/verifier.c                       |  342 ++++++--
 tools/testing/selftests/bpf/test_verifier.c | 1146 ++++++++++++++++++++++++++-
 5 files changed, 1457 insertions(+), 107 deletions(-)