From patchwork Wed Jan 2 23:58:26 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Daniel Borkmann X-Patchwork-Id: 1020106 Return-Path: X-Original-To: patchwork-incoming-netdev@ozlabs.org Delivered-To: patchwork-incoming-netdev@ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netdev-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=iogearbox.net Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 43VSgY5pFQz9s4s for ; Thu, 3 Jan 2019 10:58:49 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729031AbfABX6m (ORCPT ); Wed, 2 Jan 2019 18:58:42 -0500 Received: from www62.your-server.de ([213.133.104.62]:42862 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727621AbfABX6m (ORCPT ); Wed, 2 Jan 2019 18:58:42 -0500 Received: from [83.9.48.238] (helo=localhost) by www62.your-server.de with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.89_1) (envelope-from ) id 1geqPH-0007uI-SF; Thu, 03 Jan 2019 00:58:40 +0100 From: Daniel Borkmann To: ast@kernel.org Cc: jannh@google.com, davem@davemloft.net, jakub.kicinski@netronome.com, netdev@vger.kernel.org, Daniel Borkmann Subject: [PATCH bpf v3 0/9] bpf fix to prevent oob under speculation Date: Thu, 3 Jan 2019 00:58:26 +0100 Message-Id: <20190102235835.3311-1-daniel@iogearbox.net> X-Mailer: git-send-email 2.9.5 X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.100.2/25263/Wed Jan 2 23:16:03 2019) Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org This set fixes an out of bounds case under speculative execution by implementing masking of pointer alu into the verifier. For details please see the individual patches. Thanks! v2 -> v3: - 8/9: change states_equal condition into old->speculative && !cur->speculative, thanks Jakub! - 8/9: remove incorrect speculative state test in propagate_liveness(), thanks Jakub! v1 -> v2: - Typo fixes in commit msg and a comment, thanks David! Daniel Borkmann (9): bpf: move {prev_,}insn_idx into verifier env bpf: move tmp variable into ax register in interpreter bpf: enable access to ax register also from verifier rewrite bpf: restrict map value pointer arithmetic for unprivileged bpf: restrict stack pointer arithmetic for unprivileged bpf: restrict unknown scalars of mixed signed bounds for unprivileged bpf: fix check_map_access smin_value test when pointer contains offset bpf: prevent out of bounds speculation on pointer arithmetic bpf: add various test cases to selftests include/linux/bpf_verifier.h | 12 + include/linux/filter.h | 10 +- kernel/bpf/core.c | 54 +- kernel/bpf/verifier.c | 336 ++++++-- tools/testing/selftests/bpf/test_verifier.c | 1146 ++++++++++++++++++++++++++- 5 files changed, 1451 insertions(+), 107 deletions(-)