    bpf: Prevent memory disambiguation attack · def8c1d0
    Alexei Starovoitov authored
    commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 upstream.
    
    Detect code patterns where malicious 'speculative store bypass' can be used
    and sanitize such patterns.
    
     39: (bf) r3 = r10
     40: (07) r3 += -216
     41: (79) r8 = *(u64 *)(r7 +0)   // slow read
     42: (7a) *(u64 *)(r10 -72) = 0  // verifier inserts this instruction
     43: (7b) *(u64 *)(r8 +0) = r3   // this store becomes slow due to r8
     44: (79) r1 = *(u64 *)(r6 +0)   // cpu speculatively executes this load
     45: (71) r2 = *(u8 *)(r1 +0)    // speculatively arbitrary 'load byte'
                                     // is now sanitized
    
    Above code after x86 JIT becomes:
     e5: mov    %rbp,%rdx
     e8: add    $0xffffffffffffff28,%rdx
     ef: mov    0x0(%r13),%r14
     f3: movq   $0x0,-0x48(%rbp)
     fb: mov    %rdx,0x0(%r14)
     ff: mov    0x0(%rbx),%rdi
    103: movzbq 0x0(%rdi),%rsi
    Signed-off-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    [bwh: Backported to 4.9:
     - Add bpf_verifier_env parameter to check_stack_write()
     - Look up stack slot_types with state->stack_slot_type[] rather than
       state->stack[].slot_type[]
     - Drop bpf_verifier_env argument to verbose()
     - Adjust context]
    Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
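The sanitization the commit message describes, as an added illustrative model in C. This is not kernel code and does not use the verifier's own data structures: the names (struct insn, the OP_* codes, the register and slot type enums, sanitize_program, the sample_* helpers) and the constructed sample program are this example's assumptions. The model keeps one type per 8-byte stack slot, marks a slot STACK_SPILL when a pointer is stored to it, and when plain data later overwrites such a slot it emits an explicit `*(u64 *)(r10 - off) = 0` in front of the store, which is the instruction the verifier inserts at index 42 in the listing above. The real verifier is far more general (byte-granular slot types, many pointer kinds, per-branch state); the model is only the slot-reuse decision.

```c
/* Added illustrative model of the sanitization described above; not the kernel's
 * verifier.c.  All names (struct insn, OP_*, sanitize_program) are this example's. */
#include <stdint.h>
#include <string.h>

enum { MAX_STACK = 512, SLOT_SIZE = 8, NSLOTS = MAX_STACK / SLOT_SIZE };
enum op { OP_MOV_REG, OP_ADD_IMM, OP_LDX, OP_STX, OP_ST };
enum reg_type { NOT_INIT, SCALAR, PTR_TO_CTX, PTR_TO_STACK };
enum slot_type { STACK_INVALID, STACK_MISC, STACK_SPILL };

struct insn { enum op op; int dst, src, off; int64_t imm; };

struct state {
    enum reg_type regs[11], spilled[NSLOTS]; /* r0..r10; pointer type kept per STACK_SPILL slot */
    enum slot_type stack[NSLOTS];            /* stack[0] covers r10-8 .. r10-1 */
};

/* r10-relative offset -> slot index; -1 if outside the frame or unaligned (an unaligned
 * store would straddle two slots, which one zero store cannot sanitize, so reject). */
static int slot_index(int off)
{
    if (off >= 0 || off < -MAX_STACK || off % SLOT_SIZE != 0)
        return -1;
    return -off / SLOT_SIZE - 1;
}

/* Copies prog[] to out[], inserting "*(u64 *)(r10 + off) = 0" ahead of every data store
 * that overwrites a slot still holding a spilled pointer.  Returns the output length,
 * or -1 if the program is rejected or out[] is too small. */
int sanitize_program(const struct insn *prog, int n, struct insn *out, int cap)
{
    struct state st;
    int i, k = 0, slot = 0;

    memset(&st, 0, sizeof st);
    st.regs[1] = PTR_TO_CTX;         /* r1 carries the context on entry */
    st.regs[10] = PTR_TO_STACK;      /* r10 is the frame pointer */

    for (i = 0; i < n; i++) {
        const struct insn *in = &prog[i];
        if (k + 2 > cap)             /* at most two output insns per input insn */
            return -1;
        switch (in->op) {
        case OP_MOV_REG: st.regs[in->dst] = st.regs[in->src]; break;
        case OP_ADD_IMM: break;      /* pointer + constant keeps its type */
        case OP_LDX:
            if (st.regs[in->src] == PTR_TO_CTX) { st.regs[in->dst] = SCALAR; break; }
            if (st.regs[in->src] != PTR_TO_STACK || (slot = slot_index(in->off)) < 0)
                return -1;
            /* reading a spilled pointer back restores its type; anything else is data */
            st.regs[in->dst] = st.stack[slot] == STACK_SPILL ? st.spilled[slot] : SCALAR;
            break;
        case OP_STX: case OP_ST:
            if (st.regs[in->dst] != PTR_TO_STACK || (slot = slot_index(in->off)) < 0)
                return -1;           /* model: stores go to the stack only */
            if (in->op == OP_STX && st.regs[in->src] >= PTR_TO_CTX) {
                st.stack[slot] = STACK_SPILL;        /* spilling a pointer */
                st.spilled[slot] = st.regs[in->src];
                break;
            }
            /* data overwriting a spilled pointer: the pattern the commit targets */
            if (st.stack[slot] == STACK_SPILL) {
                struct insn zero = { OP_ST, 10, 0, in->off, 0 };
                out[k++] = zero;
            }
            st.stack[slot] = STACK_MISC;
            break;
        }
        out[k++] = *in;
    }
    return k;
}

/* Constructed sample (not from the page): spill a stack pointer to r10-8, overwrite that
 * slot with data loaded from ctx, then store data into a slot that never held a pointer. */
static const struct insn sample[] = {
    { OP_MOV_REG, 2, 10, 0, 0 },     /* r2 = r10 */
    { OP_ADD_IMM, 2, 0, 0, -8 },     /* r2 += -8               r2 points into the stack */
    { OP_STX, 10, 2, -8, 0 },        /* *(u64 *)(r10 -8) = r2  spill */
    { OP_LDX, 3, 1, 0, 0 },          /* r3 = *(u64 *)(r1 +0)   data from ctx */
    { OP_STX, 10, 3, -8, 0 },        /* *(u64 *)(r10 -8) = r3  data over the spill */
    { OP_LDX, 4, 10, -8, 0 },        /* r4 = *(u64 *)(r10 -8)  now plain data */
    { OP_STX, 10, 3, -16, 0 },       /* *(u64 *)(r10 -16) = r3 no zero store needed */
};
#define SAMPLE_LEN ((int)(sizeof sample / sizeof sample[0]))

int sample_output_len(void)          /* 8: the 7 instructions plus one zero store */
{
    struct insn out[16];
    return sanitize_program(sample, SAMPLE_LEN, out, 16);
}

int sample_zero_store_at(void)       /* 4: directly before the overwrite, -1 if none */
{
    struct insn out[16];
    int i, n = sanitize_program(sample, SAMPLE_LEN, out, 16);
    for (i = 0; i < n; i++)
        if (out[i].op == OP_ST && out[i].off == -8 && out[i].imm == 0)
            return i;
    return -1;
}
```

Two details worth noting against the kernel. First, the kernel splits the work: check_stack_write() (the function the backport notes touch) records which slot needs sanitizing, and the zero store is spliced into the instruction array in a later patching pass; the model does both in one walk for brevity. Second, slot_index() refuses unaligned stack offsets so that no single store can touch two slots, which is what makes one inserted zero store sufficient; the kernel has to handle that case explicitly. Only a scalar overwrite of a STACK_SPILL slot triggers the insertion: the store to the never-spilled slot at r10-16 in the sample is left alone.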