
[00/12,SRU,C] Multiple BPF security issues

Message ID 1549862631-24152-1-git-send-email-tyhicks@canonical.com

Message

Tyler Hicks Feb. 11, 2019, 5:23 a.m. UTC
The original intent of this set of backports was to address CVE-2019-7308 which
represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:

 kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
 undesirable out-of-bounds speculation on pointer arithmetic in various
 cases, including cases of different branches with different state or limits
 to sanitize, leading to side-channel attacks.

 - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html

However, as I started to backport patches I noticed other necessary fixes to
the Spectre Variant 1 BPF verifier mitigation and included them, as well.
They're marked with the original Spectre Variant 1 CVE ID which is
CVE-2017-5753.

I've backported related BPF selftest changes and included them in this patch
set. I did that partly because I wanted to be able to use the new tests to
verify my backports and partly because the backports were needed to continue to
have successful runs of the test_verifier selftest which is part of our SRU
testing.

I've tested these backports with the updated selftests and they pass. I've also
tested the backports with the current upstream BPF selftests and ensured that
no tests show regressions.

Tyler

Daniel Borkmann (12):
  bpf: move {prev_,}insn_idx into verifier env
  bpf: move tmp variable into ax register in interpreter
  bpf: enable access to ax register also from verifier rewrite
  bpf: restrict map value pointer arithmetic for unprivileged
  bpf: restrict stack pointer arithmetic for unprivileged
  bpf: restrict unknown scalars of mixed signed bounds for unprivileged
  bpf: fix check_map_access smin_value test when pointer contains offset
  bpf: prevent out of bounds speculation on pointer arithmetic
  bpf: fix sanitation of alu op with pointer / scalar type from
    different paths
  bpf: fix inner map masking to prevent oob under speculation
  bpf: add various test cases to test_verifier
  bpf: add various test cases to selftests

 include/linux/bpf_verifier.h                |   13 +
 include/linux/filter.h                      |   10 +-
 kernel/bpf/core.c                           |   54 +-
 kernel/bpf/map_in_map.c                     |   17 +-
 kernel/bpf/verifier.c                       |  370 +++++--
 tools/testing/selftests/bpf/test_verifier.c | 1388 ++++++++++++++++++++++++++-
 6 files changed, 1748 insertions(+), 104 deletions(-)
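Added illustration, not code from this series or from the kernel tree: the branch-free offset masking that the "bpf: prevent out of bounds speculation on pointer arithmetic" change rewrites into programs, modelled in plain C. It shows why an offset that the verifier has masked cannot carry a load past the end of a map value even when the program's own bounds-check branch is speculated past. The map-value limit rule, the `demo_value` layout and the sample contents are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Branch-free offset sanitation, mirroring the sequence the verifier
 * rewrites into a program for pointer +/- unknown-scalar arithmetic:
 *   ax = limit - off; ax |= off; ax = -ax; ax >>= 63 (arsh); off &= ax
 * For 0 <= off <= limit the OR result has a clear sign bit, -ax is
 * negative and the arithmetic shift yields an all-ones mask (off kept).
 * For off < 0 or off > limit the sign bit is set, the mask is zero and
 * off collapses to 0, with no conditional branch for speculation to skip. */
static uint64_t sanitize_offset(uint64_t off, uint64_t limit)
{
	uint64_t ax = limit - off;  /* sign bit set when off > limit          */
	ax |= off;                  /* sign bit also set when off is negative */
	ax = 0 - ax;                /* BPF_NEG                                */
	ax = 0 - (ax >> 63);        /* BPF_ARSH 63, without signed-shift UB   */
	return off & ax;
}

#define VALUE_SIZE 16u
struct demo_value {             /* constructed map value ...              */
	uint8_t data[VALUE_SIZE];
	uint8_t beyond[8];          /* ... followed by bytes never to be read */
};

/* alu limit for (map_value + ptr_off) + off: largest in-bounds byte index.
 * Assumed to follow the kernel's map-value limit rule. */
static uint64_t map_value_limit(uint64_t ptr_off, uint64_t value_size)
{
	return value_size - ptr_off - 1;
}

/* Fills data[i] = i and beyond[] = 0xAA, then loads as the rewritten
 * program would: any off outside [0, limit] is masked to 0, so the access
 * lands on data[ptr_off] and can never reach beyond[]. */
static uint8_t demo_load(uint64_t ptr_off, uint64_t off)
{
	struct demo_value v;
	for (unsigned i = 0; i < VALUE_SIZE; i++) v.data[i] = (uint8_t)i;
	for (unsigned i = 0; i < sizeof v.beyond; i++) v.beyond[i] = 0xAA;
	uint64_t safe = sanitize_offset(off, map_value_limit(ptr_off, VALUE_SIZE));
	return v.data[ptr_off + safe];
}

int main(void)
{
	printf("in range : %u\n", (unsigned)demo_load(4, 7));            /* 11 */
	printf("too large: %u\n", (unsigned)demo_load(4, 20));           /* 4  */
	printf("negative : %u\n", (unsigned)demo_load(4, (uint64_t)-3)); /* 4  */
	return 0;
}
```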

Comments

Stefan Bader Feb. 13, 2019, 3:36 p.m. UTC | #1
On 11.02.19 06:23, Tyler Hicks wrote:
> The original intent of this set of backports was to address CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
> 
>  kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
>  undesirable out-of-bounds speculation on pointer arithmetic in various
>  cases, including cases of different branches with different state or limits
>  to sanitize, leading to side-channel attacks.
> 
>  - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
> 
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
> 
> I've backported related BPF selftest changes and included them in this patch
> set. I did that partly because I wanted to be able to use the new tests to
> verify my backports and partly because the backports were needed to continue to
> have successful runs of the test_verifier selftest which is part of our SRU
> testing.
> 
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
> 
> Tyler
> 
> Daniel Borkmann (12):
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to test_verifier
>   bpf: add various test cases to selftests
> 
>  include/linux/bpf_verifier.h                |   13 +
>  include/linux/filter.h                      |   10 +-
>  kernel/bpf/core.c                           |   54 +-
>  kernel/bpf/map_in_map.c                     |   17 +-
>  kernel/bpf/verifier.c                       |  370 +++++--
>  tools/testing/selftests/bpf/test_verifier.c | 1388 ++++++++++++++++++++++++++-
>  6 files changed, 1748 insertions(+), 104 deletions(-)
> 
The delta is rather big, however most of it is in the verifier and the selftest,
so I am mostly basing the ack on the successful run there.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
You-Sheng Yang Feb. 22, 2019, 11:01 a.m. UTC | #2
Acked-By: You-Sheng Yang <vicamo.yang@canonical.com>
Khalid Elmously March 4, 2019, 4:51 a.m. UTC | #3
On 2019-02-11 05:23:39 , Tyler Hicks wrote:
> The original intent of this set of backports was to address CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
> 
>  kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
>  undesirable out-of-bounds speculation on pointer arithmetic in various
>  cases, including cases of different branches with different state or limits
>  to sanitize, leading to side-channel attacks.
> 
>  - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
> 
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
> 
> I've backported related BPF selftest changes and included them in this patch
> set. I did that partly because I wanted to be able to use the new tests to
> verify my backports and partly because the backports were needed to continue to
> have successful runs of the test_verifier selftest which is part of our SRU
> testing.
> 
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
> 
> Tyler
> 
> Daniel Borkmann (12):
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to test_verifier
>   bpf: add various test cases to selftests
> 
>  include/linux/bpf_verifier.h                |   13 +
>  include/linux/filter.h                      |   10 +-
>  kernel/bpf/core.c                           |   54 +-
>  kernel/bpf/map_in_map.c                     |   17 +-
>  kernel/bpf/verifier.c                       |  370 +++++--
>  tools/testing/selftests/bpf/test_verifier.c | 1388 ++++++++++++++++++++++++++-
>  6 files changed, 1748 insertions(+), 104 deletions(-)
> 