• Alexei Starovoitov's avatar
    bpf: Prevent memory disambiguation attack · def8c1d0
    Alexei Starovoitov authored
    commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 upstream.
    Detect code patterns where malicious 'speculative store bypass' can be used
    and sanitize such patterns.
     39: (bf) r3 = r10
     40: (07) r3 += -216
     41: (79) r8 = *(u64 *)(r7 +0)   // slow read
     42: (7a) *(u64 *)(r10 -72) = 0  // verifier inserts this instruction
     43: (7b) *(u64 *)(r8 +0) = r3   // this store becomes slow due to r8
     44: (79) r1 = *(u64 *)(r6 +0)   // cpu speculatively executes this load
     45: (71) r2 = *(u8 *)(r1 +0)    // speculatively arbitrary 'load byte'
                                     // is now sanitized
    Above code after x86 JIT becomes:
     e5: mov    %rbp,%rdx
     e8: add    $0xffffffffffffff28,%rdx
     ef: mov    0x0(%r13),%r14
     f3: movq   $0x0,-0x48(%rbp)
     fb: mov    %rdx,0x0(%r14)
     ff: mov    0x0(%rbx),%rdi
    103: movzbq 0x0(%rdi),%rsi
    Signed-off-by: 's avatarAlexei Starovoitov <ast@kernel.org>
    Signed-off-by: 's avatarThomas Gleixner <tglx@linutronix.de>
    [bwh: Backported to 4.9:
     - Add bpf_verifier_env parameter to check_stack_write()
     - Look up stack slot_types with state->stack_slot_type[] rather than
     - Drop bpf_verifier_env argument to verbose()
     - Adjust context]
    Signed-off-by: 's avatarBen Hutchings <ben.hutchings@codethink.co.uk>
    Signed-off-by: 's avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Last commit
Last update
Makefile Loading commit data...
arraymap.c Loading commit data...
core.c Loading commit data...
hashtab.c Loading commit data...
helpers.c Loading commit data...
inode.c Loading commit data...
percpu_freelist.c Loading commit data...
percpu_freelist.h Loading commit data...
stackmap.c Loading commit data...
syscall.c Loading commit data...
verifier.c Loading commit data...