Message ID: 1549862631-24152-1-git-send-email-tyhicks@canonical.com
Series: Multiple BPF security issues
On 11.02.19 06:23, Tyler Hicks wrote:
> The original intent of this set of backports was to address CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
>
>   kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
>   undesirable out-of-bounds speculation on pointer arithmetic in various
>   cases, including cases of different branches with different state or limits
>   to sanitize, leading to side-channel attacks.
>
>   - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
>
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
>
> I've backported related BPF selftest changes and included them in this patch
> set. I did that partly because I wanted to be able to use the new tests to
> verify my backports and partly because the backports were needed to continue to
> have successful runs of the test_verifier selftest which is part of our SRU
> testing.
>
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
>
> Tyler
>
> Daniel Borkmann (12):
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to test_verifier
>   bpf: add various test cases to selftests
>
>  include/linux/bpf_verifier.h                |   13 +
>  include/linux/filter.h                      |   10 +-
>  kernel/bpf/core.c                           |   54 +-
>  kernel/bpf/map_in_map.c                     |   17 +-
>  kernel/bpf/verifier.c                       |  370 +++++--
>  tools/testing/selftests/bpf/test_verifier.c | 1388 ++++++++++++++++++++++++++-
>  6 files changed, 1748 insertions(+), 104 deletions(-)

The delta is rather big, however most of it is in the verifier and the selftest, so I am mostly basing the ack on the successful run there.

Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-By: You-Sheng Yang <vicamo.yang@canonical.com>
On 2019-02-11 05:23:39 , Tyler Hicks wrote:
> The original intent of this set of backports was to address CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
>
>   kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
>   undesirable out-of-bounds speculation on pointer arithmetic in various
>   cases, including cases of different branches with different state or limits
>   to sanitize, leading to side-channel attacks.
>
>   - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
>
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
>
> I've backported related BPF selftest changes and included them in this patch
> set. I did that partly because I wanted to be able to use the new tests to
> verify my backports and partly because the backports were needed to continue to
> have successful runs of the test_verifier selftest which is part of our SRU
> testing.
>
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
>
> Tyler
>
> Daniel Borkmann (12):
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to test_verifier
>   bpf: add various test cases to selftests
>
>  include/linux/bpf_verifier.h                |   13 +
>  include/linux/filter.h                      |   10 +-
>  kernel/bpf/core.c                           |   54 +-
>  kernel/bpf/map_in_map.c                     |   17 +-
>  kernel/bpf/verifier.c                       |  370 +++++--
>  tools/testing/selftests/bpf/test_verifier.c | 1388 ++++++++++++++++++++++++++-
>  6 files changed, 1748 insertions(+), 104 deletions(-)
>
> --
> 2.7.4
>
> --
> kernel-team mailing list
> kernel-team@lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team