[00/13,SRU,B] Multiple BPF security issues
mbox series

Message ID 1549862710-24224-1-git-send-email-tyhicks@canonical.com
Headers show
Series
  • Multiple BPF security issues
Related show

Message

Tyler Hicks Feb. 11, 2019, 5:24 a.m. UTC
The original intent of this set of backports was to addess CVE-2019-7308 which
represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:

 kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
 undesirable out-of-bounds speculation on pointer arithmetic in various
 cases, including cases of different branches with different state or limits
 to sanitize, leading to side-channel attacks.

 - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html

However, as I started to backport patches I noticed other necessary fixes to
the Spectre Variant 1 BPF verifier mitigation and included them, as well.
They're marked with the original Spectre Variant 1 CVE ID which is
CVE-2017-5753.

Additionally, a potential security issue that I believe is unrelated to Spectre
Variant 1 is fixed by patch #2. The need for that patch was discovered while I
was inspecting BPF selftest results.

I've backported *minimal* related BPF selftest changes and included them in
this patch set. I did that partly because I wanted to be able to use the new
tests to verify my backports and partly because the backports were needed to
continue to have successful runs of the test_verifier selftest which is part of
our SRU testing. There are less selftests changes included in this Bionic
backport than my Cosmic backport because the BPF selftests in Bionic don't
support all the functionality needed for some tests and I had to draw the line
somewhere while backported.

I've tested these backports with the updated selftests and they pass. I've also
tested the backports with the current upstream BPF selftests and ensured that
no tests show regressions.

Tyler

Alexei Starovoitov (1):
  bpf/verifier: disallow pointer subtraction

Daniel Borkmann (12):
  bpf: properly enforce index mask to prevent out-of-bounds speculation
  bpf: move {prev_,}insn_idx into verifier env
  bpf: move tmp variable into ax register in interpreter
  bpf: enable access to ax register also from verifier rewrite
  bpf: restrict map value pointer arithmetic for unprivileged
  bpf: restrict stack pointer arithmetic for unprivileged
  bpf: restrict unknown scalars of mixed signed bounds for unprivileged
  bpf: fix check_map_access smin_value test when pointer contains offset
  bpf: prevent out of bounds speculation on pointer arithmetic
  bpf: fix sanitation of alu op with pointer / scalar type from
    different paths
  bpf: fix inner map masking to prevent oob under speculation
  bpf: add various test cases to selftests

 include/linux/bpf_verifier.h                |  15 +-
 include/linux/filter.h                      |  10 +-
 kernel/bpf/core.c                           |  52 ++-
 kernel/bpf/map_in_map.c                     |  17 +-
 kernel/bpf/verifier.c                       | 449 ++++++++++++++++----
 tools/testing/selftests/bpf/test_verifier.c | 610 ++++++++++++++++++++++++++++
 6 files changed, 1048 insertions(+), 105 deletions(-)

Comments

Stefan Bader Feb. 13, 2019, 3:37 p.m. UTC | #1
On 11.02.19 06:24, Tyler Hicks wrote:
> The original intent of this set of backports was to addess CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
> 
>  kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
>  undesirable out-of-bounds speculation on pointer arithmetic in various
>  cases, including cases of different branches with different state or limits
>  to sanitize, leading to side-channel attacks.
> 
>  - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
> 
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
> 
> Additionally, a potential security issue that I believe is unrelated to Spectre
> Variant 1 is fixed by patch #2. The need for that patch was discovered while I
> was inspecting BPF selftest results.
> 
> I've backported *minimal* related BPF selftest changes and included them in
> this patch set. I did that partly because I wanted to be able to use the new
> tests to verify my backports and partly because the backports were needed to
> continue to have successful runs of the test_verifier selftest which is part of
> our SRU testing. There are less selftests changes included in this Bionic
> backport than my Cosmic backport because the BPF selftests in Bionic don't
> support all the functionality needed for some tests and I had to draw the line
> somewhere while backported.
> 
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
> 
> Tyler
> 
> Alexei Starovoitov (1):
>   bpf/verifier: disallow pointer subtraction
> 
> Daniel Borkmann (12):
>   bpf: properly enforce index mask to prevent out-of-bounds speculation
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to selftests
> 
>  include/linux/bpf_verifier.h                |  15 +-
>  include/linux/filter.h                      |  10 +-
>  kernel/bpf/core.c                           |  52 ++-
>  kernel/bpf/map_in_map.c                     |  17 +-
>  kernel/bpf/verifier.c                       | 449 ++++++++++++++++----
>  tools/testing/selftests/bpf/test_verifier.c | 610 ++++++++++++++++++++++++++++
>  6 files changed, 1048 insertions(+), 105 deletions(-)
> 
As for the Cosmic set, based on good testing:

Acked-by: Stefan Bader <stefan.bader@canonical.com>
You-Sheng Yang Feb. 22, 2019, 10:58 a.m. UTC | #2
Acked-By: You-Sheng Yang <vicamo.yang@canonical.com>
Khaled Elmously March 4, 2019, 4:45 a.m. UTC | #3
On 2019-02-11 05:24:57 , Tyler Hicks wrote:
> The original intent of this set of backports was to addess CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
> 
>  kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
>  undesirable out-of-bounds speculation on pointer arithmetic in various
>  cases, including cases of different branches with different state or limits
>  to sanitize, leading to side-channel attacks.
> 
>  - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
> 
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
> 
> Additionally, a potential security issue that I believe is unrelated to Spectre
> Variant 1 is fixed by patch #2. The need for that patch was discovered while I
> was inspecting BPF selftest results.
> 
> I've backported *minimal* related BPF selftest changes and included them in
> this patch set. I did that partly because I wanted to be able to use the new
> tests to verify my backports and partly because the backports were needed to
> continue to have successful runs of the test_verifier selftest which is part of
> our SRU testing. There are less selftests changes included in this Bionic
> backport than my Cosmic backport because the BPF selftests in Bionic don't
> support all the functionality needed for some tests and I had to draw the line
> somewhere while backported.
> 
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
> 
> Tyler
> 
> Alexei Starovoitov (1):
>   bpf/verifier: disallow pointer subtraction
> 
> Daniel Borkmann (12):
>   bpf: properly enforce index mask to prevent out-of-bounds speculation
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to selftests
> 
>  include/linux/bpf_verifier.h                |  15 +-
>  include/linux/filter.h                      |  10 +-
>  kernel/bpf/core.c                           |  52 ++-
>  kernel/bpf/map_in_map.c                     |  17 +-
>  kernel/bpf/verifier.c                       | 449 ++++++++++++++++----
>  tools/testing/selftests/bpf/test_verifier.c | 610 ++++++++++++++++++++++++++++
>  6 files changed, 1048 insertions(+), 105 deletions(-)
> 
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team