[bpf,v3,0/9] bpf fix to prevent oob under speculation

Message ID 20190102235835.3311-1-daniel@iogearbox.net

Message

Daniel Borkmann Jan. 2, 2019, 11:58 p.m. UTC
This set fixes an out of bounds case under speculative execution
by implementing masking of pointer alu into the verifier. For
details please see the individual patches.

Thanks!

v2 -> v3:
  - 8/9: change states_equal condition into old->speculative &&
    !cur->speculative, thanks Jakub!
  - 8/9: remove incorrect speculative state test in
    propagate_liveness(), thanks Jakub!
v1 -> v2:
  - Typo fixes in commit msg and a comment, thanks David!

Daniel Borkmann (9):
  bpf: move {prev_,}insn_idx into verifier env
  bpf: move tmp variable into ax register in interpreter
  bpf: enable access to ax register also from verifier rewrite
  bpf: restrict map value pointer arithmetic for unprivileged
  bpf: restrict stack pointer arithmetic for unprivileged
  bpf: restrict unknown scalars of mixed signed bounds for unprivileged
  bpf: fix check_map_access smin_value test when pointer contains offset
  bpf: prevent out of bounds speculation on pointer arithmetic
  bpf: add various test cases to selftests

 include/linux/bpf_verifier.h                |   12 +
 include/linux/filter.h                      |   10 +-
 kernel/bpf/core.c                           |   54 +-
 kernel/bpf/verifier.c                       |  336 ++++++--
 tools/testing/selftests/bpf/test_verifier.c | 1146 ++++++++++++++++++++++++++-
 5 files changed, 1451 insertions(+), 107 deletions(-)

Comments

Alexei Starovoitov Jan. 3, 2019, 12:08 a.m. UTC | #1
On Thu, Jan 03, 2019 at 12:58:26AM +0100, Daniel Borkmann wrote:
> This set fixes an out of bounds case under speculative execution
> by implementing masking of pointer alu into the verifier. For
> details please see the individual patches.
> 
> Thanks!
> 
> v2 -> v3:
>   - 8/9: change states_equal condition into old->speculative &&
>     !cur->speculative, thanks Jakub!
>   - 8/9: remove incorrect speculative state test in
>     propagate_liveness(), thanks Jakub!
> v1 -> v2:
>   - Typo fixes in commit msg and a comment, thanks David!

Applied, Thanks

Jann Horn Jan. 22, 2019, 2:36 p.m. UTC | #2
On Thu, Jan 3, 2019 at 1:08 AM Alexei Starovoitov
<alexei.starovoitov@gmail.com> wrote:
> On Thu, Jan 03, 2019 at 12:58:26AM +0100, Daniel Borkmann wrote:
> > This set fixes an out of bounds case under speculative execution
> > by implementing masking of pointer alu into the verifier. For
> > details please see the individual patches.
> >
> > Thanks!
> >
> > v2 -> v3:
> >   - 8/9: change states_equal condition into old->speculative &&
> >     !cur->speculative, thanks Jakub!
> >   - 8/9: remove incorrect speculative state test in
> >     propagate_liveness(), thanks Jakub!
> > v1 -> v2:
> >   - Typo fixes in commit msg and a comment, thanks David!
>
> Applied, Thanks

This series and the followup fix ("bpf: fix sanitation of alu op with
pointer / scalar type from different paths") have been in Linus' tree
for six days, but from what I can tell, they aren't queued up for
stable yet.

@davem: Are you going to send this through stable, or is this only
going to be in 5.0?

David Miller Jan. 22, 2019, 4:44 p.m. UTC | #3
From: Jann Horn <jannh@google.com>
Date: Tue, 22 Jan 2019 15:36:54 +0100

> On Thu, Jan 3, 2019 at 1:08 AM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
>> On Thu, Jan 03, 2019 at 12:58:26AM +0100, Daniel Borkmann wrote:
>> > This set fixes an out of bounds case under speculative execution
>> > by implementing masking of pointer alu into the verifier. For
>> > details please see the individual patches.
>> >
>> > Thanks!
>> >
>> > v2 -> v3:
>> >   - 8/9: change states_equal condition into old->speculative &&
>> >     !cur->speculative, thanks Jakub!
>> >   - 8/9: remove incorrect speculative state test in
>> >     propagate_liveness(), thanks Jakub!
>> > v1 -> v2:
>> >   - Typo fixes in commit msg and a comment, thanks David!
>>
>> Applied, Thanks
> 
> This series and the followup fix ("bpf: fix sanitation of alu op with
> pointer / scalar type from different paths") have been in Linus' tree
> for six days, but from what I can tell, they aren't queued up for
> stable yet.
> 
> @davem: Are you going to send this through stable, or is this only
> going to be in 5.0?

The BPF developers handle their -stable submissions.

Daniel Borkmann Jan. 23, 2019, 1:55 a.m. UTC | #4
On 01/22/2019 05:44 PM, David Miller wrote:
> From: Jann Horn <jannh@google.com>
> Date: Tue, 22 Jan 2019 15:36:54 +0100
> 
>> On Thu, Jan 3, 2019 at 1:08 AM Alexei Starovoitov
>> <alexei.starovoitov@gmail.com> wrote:
>>> On Thu, Jan 03, 2019 at 12:58:26AM +0100, Daniel Borkmann wrote:
>>>> This set fixes an out of bounds case under speculative execution
>>>> by implementing masking of pointer alu into the verifier. For
>>>> details please see the individual patches.
>>>>
>>>> Thanks!
>>>>
>>>> v2 -> v3:
>>>>   - 8/9: change states_equal condition into old->speculative &&
>>>>     !cur->speculative, thanks Jakub!
>>>>   - 8/9: remove incorrect speculative state test in
>>>>     propagate_liveness(), thanks Jakub!
>>>> v1 -> v2:
>>>>   - Typo fixes in commit msg and a comment, thanks David!
>>>
>>> Applied, Thanks
>>
>> This series and the followup fix ("bpf: fix sanitation of alu op with
>> pointer / scalar type from different paths") have been in Linus' tree
>> for six days, but from what I can tell, they aren't queued up for
>> stable yet.
>>
>> @davem: Are you going to send this through stable, or is this only
>> going to be in 5.0?
> 
> The BPF developers handle their -stable submissions.

Will get this to stable towards end of week. We wanted to let this sit
for a while in Linus' tree given the complexity of the fix to get some
more coverage. We also need 9d5564ddcf2a ("bpf: fix inner map masking
to prevent oob under speculation") in addition.

Thanks,
Daniel

Greg KH Jan. 23, 2019, 5:04 p.m. UTC | #5
On Tue, Jan 22, 2019 at 03:36:54PM +0100, Jann Horn wrote:
> On Thu, Jan 3, 2019 at 1:08 AM Alexei Starovoitov
> <alexei.starovoitov@gmail.com> wrote:
> > On Thu, Jan 03, 2019 at 12:58:26AM +0100, Daniel Borkmann wrote:
> > > This set fixes an out of bounds case under speculative execution
> > > by implementing masking of pointer alu into the verifier. For
> > > details please see the individual patches.
> > >
> > > Thanks!
> > >
> > > v2 -> v3:
> > >   - 8/9: change states_equal condition into old->speculative &&
> > >     !cur->speculative, thanks Jakub!
> > >   - 8/9: remove incorrect speculative state test in
> > >     propagate_liveness(), thanks Jakub!
> > > v1 -> v2:
> > >   - Typo fixes in commit msg and a comment, thanks David!
> >
> > Applied, Thanks
> 
> This series and the followup fix ("bpf: fix sanitation of alu op with
> pointer / scalar type from different paths") have been in Linus' tree
> for six days, but from what I can tell, they aren't queued up for
> stable yet.

What are the git commit ids of the patches you think should be
backported?

thanks,

greg k-h

Jann Horn Jan. 23, 2019, 5:12 p.m. UTC | #6
On Wed, Jan 23, 2019 at 6:04 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
> On Tue, Jan 22, 2019 at 03:36:54PM +0100, Jann Horn wrote:
> > On Thu, Jan 3, 2019 at 1:08 AM Alexei Starovoitov
> > <alexei.starovoitov@gmail.com> wrote:
> > > On Thu, Jan 03, 2019 at 12:58:26AM +0100, Daniel Borkmann wrote:
> > > > This set fixes an out of bounds case under speculative execution
> > > > by implementing masking of pointer alu into the verifier. For
> > > > details please see the individual patches.
> > > >
> > > > Thanks!
> > > >
> > > > v2 -> v3:
> > > >   - 8/9: change states_equal condition into old->speculative &&
> > > >     !cur->speculative, thanks Jakub!
> > > >   - 8/9: remove incorrect speculative state test in
> > > >     propagate_liveness(), thanks Jakub!
> > > > v1 -> v2:
> > > >   - Typo fixes in commit msg and a comment, thanks David!
> > >
> > > Applied, Thanks
> >
> > This series and the followup fix ("bpf: fix sanitation of alu op with
> > pointer / scalar type from different paths") have been in Linus' tree
> > for six days, but from what I can tell, they aren't queued up for
> > stable yet.
>
> What are the git commit ids of the patches you think should be
> backported?

Daniel Borkmann said at
https://marc.info/?l=linux-netdev&m=154820859831443&w=2 :

| Will get this to stable towards end of week. We wanted to let this sit
| for a while in Linus' tree given the complexity of the fix to get some
| more coverage. We also need 9d5564ddcf2a ("bpf: fix inner map masking
| to prevent oob under speculation") in addition.

, so I expect that he's going to submit a request for stable inclusion
in the next few days. The git commits are:


Daniel Borkmann Jan. 24, 2019, 11:53 a.m. UTC | #7
On 01/23/2019 06:12 PM, Jann Horn wrote:
> On Wed, Jan 23, 2019 at 6:04 PM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
>> On Tue, Jan 22, 2019 at 03:36:54PM +0100, Jann Horn wrote:
>>> On Thu, Jan 3, 2019 at 1:08 AM Alexei Starovoitov
>>> <alexei.starovoitov@gmail.com> wrote:
>>>> On Thu, Jan 03, 2019 at 12:58:26AM +0100, Daniel Borkmann wrote:
>>>>> This set fixes an out of bounds case under speculative execution
>>>>> by implementing masking of pointer alu into the verifier. For
>>>>> details please see the individual patches.
>>>>>
>>>>> Thanks!
>>>>>
>>>>> v2 -> v3:
>>>>>   - 8/9: change states_equal condition into old->speculative &&
>>>>>     !cur->speculative, thanks Jakub!
>>>>>   - 8/9: remove incorrect speculative state test in
>>>>>     propagate_liveness(), thanks Jakub!
>>>>> v1 -> v2:
>>>>>   - Typo fixes in commit msg and a comment, thanks David!
>>>>
>>>> Applied, Thanks
>>>
>>> This series and the followup fix ("bpf: fix sanitation of alu op with
>>> pointer / scalar type from different paths") have been in Linus' tree
>>> for six days, but from what I can tell, they aren't queued up for
>>> stable yet.
>>
>> What are the git commit ids of the patches you think should be
>> backported?
> 
> Daniel Borkmann said at
> https://marc.info/?l=linux-netdev&m=154820859831443&w=2 :
> 
> | Will get this to stable towards end of week. We wanted to let this sit
> | for a while in Linus' tree given the complexity of the fix to get some
> | more coverage. We also need 9d5564ddcf2a ("bpf: fix inner map masking
> | to prevent oob under speculation") in addition.
> 
> , so I expect that he's going to submit a request for stable inclusion
> in the next few days. The git commits are:

Yep, correct.