Message ID | 1549862710-24224-1-git-send-email-tyhicks@canonical.com
---|---
Series | Multiple BPF security issues
On 11.02.19 06:24, Tyler Hicks wrote:
> The original intent of this set of backports was to address CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
>
> kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
> undesirable out-of-bounds speculation on pointer arithmetic in various
> cases, including cases of different branches with different state or limits
> to sanitize, leading to side-channel attacks.
>
> - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
>
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
>
> Additionally, a potential security issue that I believe is unrelated to Spectre
> Variant 1 is fixed by patch #2. The need for that patch was discovered while I
> was inspecting BPF selftest results.
>
> I've backported *minimal* related BPF selftest changes and included them in
> this patch set. I did that partly because I wanted to be able to use the new
> tests to verify my backports and partly because the backports were needed to
> continue to have successful runs of the test_verifier selftest which is part of
> our SRU testing. There are fewer selftest changes included in this Bionic
> backport than my Cosmic backport because the BPF selftests in Bionic don't
> support all the functionality needed for some tests and I had to draw the line
> somewhere while backporting.
>
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
>
> Tyler
>
> Alexei Starovoitov (1):
>   bpf/verifier: disallow pointer subtraction
>
> Daniel Borkmann (12):
>   bpf: properly enforce index mask to prevent out-of-bounds speculation
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to selftests
>
>  include/linux/bpf_verifier.h                |  15 +-
>  include/linux/filter.h                      |  10 +-
>  kernel/bpf/core.c                           |  52 ++-
>  kernel/bpf/map_in_map.c                     |  17 +-
>  kernel/bpf/verifier.c                       | 449 ++++++++++++++++----
>  tools/testing/selftests/bpf/test_verifier.c | 610 ++++++++++++++++++++++++++++
>  6 files changed, 1048 insertions(+), 105 deletions(-)
>

As for the Cosmic set, based on good testing:

Acked-by: Stefan Bader <stefan.bader@canonical.com>
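The "index mask" named in the first Daniel Borkmann patch above is one instance of a general Spectre Variant 1 mitigation pattern: after the architectural bounds check, the index is masked so that an access executed speculatively past a mispredicted branch is forced back inside the array instead of reaching attacker-chosen memory. The C program below is an added illustration of that pattern; it is not code from this patch set or from the kernel. `index_mask_nospec` reproduces the construction of the kernel's generic `array_index_mask_nospec()`, while `lookup_masked`, `roundup_pow2`, `toy_array_map`, `toy_map_init` and `toy_map_lookup` are names and structures constructed for this example (the power-of-two mask models the `index_mask` that BPF array maps apply on lookups).

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Branchless bounds mask: all ones when index < size, zero otherwise.
 * Same construction as the generic array_index_mask_nospec() in the
 * Linux kernel; reproduced here only to illustrate the idiom (hypothetical
 * name, not code from the patches on this page). Assumes size <= LONG_MAX,
 * so that size - 1 - index is non-negative exactly when index is in bounds.
 */
static inline unsigned long index_mask_nospec(unsigned long index,
                                              unsigned long size)
{
    /* Arithmetic right shift spreads the sign bit over the whole word. */
    return ~(long)(index | (size - 1 - index)) >> (sizeof(long) * 8 - 1);
}

/*
 * Bounds-checked lookup whose index is additionally masked. If the CPU
 * speculatively runs past a mispredicted `idx >= n` branch, the masked index
 * becomes 0 rather than the out-of-bounds value, so the dependent load
 * cannot touch memory beyond the array. Returns 0 and stores the value on
 * success, -1 when idx is out of bounds.
 */
static int lookup_masked(const uint32_t *arr, unsigned long n,
                         unsigned long idx, uint32_t *out)
{
    if (idx >= n)
        return -1;                          /* architectural check */
    idx &= index_mask_nospec(idx, n);       /* speculation-safe clamp */
    *out = arr[idx];
    return 0;
}

/* Smallest power of two >= v (v = 0 yields 1). */
static unsigned long roundup_pow2(unsigned long v)
{
    unsigned long p = 1;
    while (p < v)
        p <<= 1;
    return p;
}

/*
 * Toy model of the second masking style: BPF array maps keep
 * index_mask = roundup_pow_of_two(max_entries) - 1 and apply it on every
 * lookup. This is only safe when the backing storage holds the rounded-up
 * number of slots; otherwise a masked index can still land past the end of
 * the allocation. The structure and names are constructed for this example.
 */
#define TOY_MAX_ENTRIES 5UL
#define TOY_SLOTS       8UL   /* roundup_pow2(TOY_MAX_ENTRIES) */

struct toy_array_map {
    unsigned long max_entries;
    unsigned long index_mask;
    uint32_t values[TOY_SLOTS];
};

static void toy_map_init(struct toy_array_map *m)
{
    m->max_entries = TOY_MAX_ENTRIES;
    m->index_mask = roundup_pow2(m->max_entries) - 1;
    for (unsigned long i = 0; i < TOY_SLOTS; i++)
        m->values[i] = (uint32_t)(100 + i);   /* constructed sample data */
}

/* Pointer to the stored value, or NULL for an out-of-bounds index. */
static const uint32_t *toy_map_lookup(const struct toy_array_map *m,
                                      unsigned long idx)
{
    if (idx >= m->max_entries)
        return NULL;
    /* Even under misspeculation the access stays within TOY_SLOTS. */
    return &m->values[idx & m->index_mask];
}

int main(void)
{
    static const uint32_t table[4] = { 10, 20, 30, 40 };   /* constructed input */
    struct toy_array_map m;
    uint32_t v;

    toy_map_init(&m);
    if (lookup_masked(table, 4, 2, &v) == 0)
        printf("table[2] = %u\n", v);
    if (lookup_masked(table, 4, 9, &v) != 0)
        printf("index 9 rejected\n");
    printf("mask(3, 8) = %lx, mask(8, 8) = %lx\n",
           index_mask_nospec(3, 8), index_mask_nospec(8, 8));
    printf("map[4] = %u, map[5] -> %s\n", *toy_map_lookup(&m, 4),
           toy_map_lookup(&m, 5) ? "found" : "NULL");
    return 0;
}
```

The in-bounds path is unchanged by the mask (it is all ones there), which is why the clamp can be left in hot code; what both styles buy is that the memory address fed to the load no longer depends on a branch outcome the CPU may have guessed.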
Acked-By: You-Sheng Yang <vicamo.yang@canonical.com>
On 2019-02-11 05:24:57, Tyler Hicks wrote:
> The original intent of this set of backports was to address CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
>
> kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
> undesirable out-of-bounds speculation on pointer arithmetic in various
> cases, including cases of different branches with different state or limits
> to sanitize, leading to side-channel attacks.
>
> - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
>
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
>
> Additionally, a potential security issue that I believe is unrelated to Spectre
> Variant 1 is fixed by patch #2. The need for that patch was discovered while I
> was inspecting BPF selftest results.
>
> I've backported *minimal* related BPF selftest changes and included them in
> this patch set. I did that partly because I wanted to be able to use the new
> tests to verify my backports and partly because the backports were needed to
> continue to have successful runs of the test_verifier selftest which is part of
> our SRU testing. There are fewer selftest changes included in this Bionic
> backport than my Cosmic backport because the BPF selftests in Bionic don't
> support all the functionality needed for some tests and I had to draw the line
> somewhere while backporting.
>
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
>
> Tyler
>
> Alexei Starovoitov (1):
>   bpf/verifier: disallow pointer subtraction
>
> Daniel Borkmann (12):
>   bpf: properly enforce index mask to prevent out-of-bounds speculation
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to selftests
>
>  include/linux/bpf_verifier.h                |  15 +-
>  include/linux/filter.h                      |  10 +-
>  kernel/bpf/core.c                           |  52 ++-
>  kernel/bpf/map_in_map.c                     |  17 +-
>  kernel/bpf/verifier.c                       | 449 ++++++++++++++++----
>  tools/testing/selftests/bpf/test_verifier.c | 610 ++++++++++++++++++++++++++++
>  6 files changed, 1048 insertions(+), 105 deletions(-)
>
> --
> 2.7.4