From: "Reshetova, Elena"
To: Alexei Starovoitov, Mark Rutland
Cc: linux-kernel@vger.kernel.org, linux-arch@vger.kernel.org, "Williams, Dan J", corbet@lwn.net, alan@linux.intel.com, peterz@infradead.org, will.deacon@arm.com, gregkh@linuxfoundation.org, tglx@linutronix.de, Linus Torvalds, "David S. Miller", netdev@vger.kernel.org
Subject: RE: [RFCv2 4/4] bpf: inhibit speculated out-of-bounds pointers
Date: Mon, 8 Jan 2018 12:59:25 +0000
Message-ID: <2236FBA76BA1254E88B949DDB74E612B802D72C7@IRSMSX102.ger.corp.intel.com>
References: <20180105145750.53294-1-mark.rutland@arm.com> <20180105145750.53294-5-mark.rutland@arm.com> <20180105170450.4trcy6qxr44nqglf@ast-mbp>
In-Reply-To: <20180105170450.4trcy6qxr44nqglf@ast-mbp>
X-Mailing-List: linux-kernel@vger.kernel.org

> On Fri, Jan 05, 2018 at 02:57:50PM +0000, Mark Rutland wrote:
> > Note: this patch is an *example* use of the nospec API. It is understood
> > that this is incomplete, etc.
> >
> > Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
> > memory accesses under a bounds check may be speculated even if the
> > bounds check fails, providing a primitive for building a side channel.
> >
> > The EBPF map code has a number of such bounds-checked accesses in
> > map_lookup_elem implementations. This patch modifies these to use the
> > nospec helpers to inhibit such side channels.
> >
> > The JITted lookup_elem implementations remain potentially vulnerable,
> > and are disabled (with JITted code falling back to the C
> > implementations).
> >
> > Signed-off-by: Mark Rutland
> > Signed-off-by: Will Deacon
> > Cc: Dan Williams
> > Cc: Peter Zijlstra
> > ---
> >  kernel/bpf/arraymap.c | 20 +++++++++++++-------
> >  kernel/bpf/cpumap.c   |  5 ++---
> >  kernel/bpf/devmap.c   |  3 ++-
> >  kernel/bpf/sockmap.c  |  3 ++-
> >  4 files changed, 19 insertions(+), 12 deletions(-)
>
> Mark, did you see my email with this patch yesterday?
> https://patchwork.ozlabs.org/patch/855911/
>
> btw your patch does not fix the variant 1 exploit.
> Also all of the pre-embargo patches from Elena that add lfence
> in the bpf interpreter and x64 JIT also do not fix it.
>
> The exploit works via bpf_tail_call and not via map_lookup.

Could you please clarify this part? The actual jump to the out-of-bounds index is indeed made by bpf_tail_call, but the "speculation" bypassing step happens when it does map_lookup_elem on the out-of-bound index.

Best Regards,
Elena.
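The pattern the commit message describes (a bounds check whose branch can be mispredicted, followed by a load indexed by the unchecked value) and the two code paths the reply argues about (map_lookup_elem on an array map, and the prog-array lookup done by bpf_tail_call) can be modelled in user space. The block below is an added example, not code from the patch, from the kernel, or from anyone in the thread. It assumes simplified struct layouts and the demo names nospec_index_mask()/nospec_index(), which follow the generic branch-free mask idea (sign-extend the result of an unsigned comparison into an all-ones or all-zeros mask and AND it into the index) rather than the RFCv2 helpers the patch itself uses. Speculative execution cannot be observed from plain C, so the speculative_offset_* helpers instead compute the address the load would use if the bounds-check branch were mispredicted as passing: unbounded in the unprotected version, clamped to slot 0 after the mask.

```c
/*
 * Added example (not code from the patch or from the thread): user-space model
 * of a bounds-checked BPF array-map lookup and of the prog-array lookup behind
 * bpf_tail_call, each shown unprotected and with a branch-free index mask
 * applied after the check.  Struct layouts and helper names are demo
 * assumptions, not the kernel's.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define BITS_PER_LONG  (8 * sizeof(unsigned long))
#define DEMO_ENTRIES   4
#define DEMO_ELEM_SIZE 8

/* Simplified array map: max_entries values of elem_size bytes each. */
struct array_map {
	uint32_t max_entries;
	uint32_t elem_size;
	unsigned char value[DEMO_ENTRIES * DEMO_ELEM_SIZE];
};

/* Simplified prog array used by tail calls: slots hold a program or NULL. */
struct prog_array {
	uint32_t max_entries;
	const char *progs[DEMO_ENTRIES];
};

/*
 * Branch-free mask: all ones when index < size, zero otherwise.  With no
 * conditional branch there is nothing for the CPU to mispredict; the mask is
 * derived from the data and ANDed into the index before the load.  The right
 * shift of a negative long is arithmetic on gcc/clang, which the
 * sign-extension trick relies on.
 */
static inline unsigned long nospec_index_mask(unsigned long index, unsigned long size)
{
	/* Stop the compiler from proving the mask redundant from the earlier check. */
	__asm__ volatile("" : "+r"(index));
	return ~(long)(index | (size - 1UL - index)) >> (BITS_PER_LONG - 1);
}

/* Returns index unchanged when in bounds, 0 when out of bounds. */
static inline unsigned long nospec_index(unsigned long index, unsigned long size)
{
	return index & nospec_index_mask(index, size);
}

/* Before: architecturally correct, but if the branch is mispredicted the load
 * below it executes speculatively with the attacker-chosen index. */
static void *lookup_elem_unprotected(struct array_map *m, uint32_t index)
{
	if (index >= m->max_entries)
		return NULL;
	return m->value + (size_t)index * m->elem_size;
}

/* After: same architectural result; under speculation the masked index is 0,
 * so the load stays inside the map. */
static void *lookup_elem_nospec(struct array_map *m, uint32_t index)
{
	if (index >= m->max_entries)
		return NULL;
	index = (uint32_t)nospec_index(index, m->max_entries);
	return m->value + (size_t)index * m->elem_size;
}

/* Byte offset the load would use if the check were mispredicted as passing. */
static size_t speculative_offset_unprotected(struct array_map *m, uint32_t index)
{
	return (size_t)index * m->elem_size;
}

static size_t speculative_offset_nospec(struct array_map *m, uint32_t index)
{
	return nospec_index(index, m->max_entries) * m->elem_size;
}

/* The tail-call path is the same check-then-index pattern on a prog array. */
static const char *tail_call_target_nospec(struct prog_array *a, uint32_t index)
{
	if (index >= a->max_entries)
		return NULL;
	index = (uint32_t)nospec_index(index, a->max_entries);
	return a->progs[index];
}

/* Constructed demo data. */
static struct array_map demo_map = { DEMO_ENTRIES, DEMO_ELEM_SIZE, { 0 } };
static struct prog_array demo_progs = { DEMO_ENTRIES, { "prog0", "prog1", NULL, "prog3" } };

int main(void)
{
	uint32_t oob = 1000;

	printf("in-bounds lookup of 2: %p (same as unprotected: %d)\n",
	       lookup_elem_nospec(&demo_map, 2),
	       lookup_elem_nospec(&demo_map, 2) == lookup_elem_unprotected(&demo_map, 2));
	printf("speculative offset for index %u: unprotected %zu bytes, nospec %zu bytes (map is %u bytes)\n",
	       oob, speculative_offset_unprotected(&demo_map, oob),
	       speculative_offset_nospec(&demo_map, oob),
	       (unsigned)(DEMO_ENTRIES * DEMO_ELEM_SIZE));
	printf("tail call to slot 1: %s; slot 9: %s\n",
	       tail_call_target_nospec(&demo_progs, 1),
	       tail_call_target_nospec(&demo_progs, 9) ? "hit" : "NULL");
	return 0;
}
```

The mask on its own does not make a JIT safe: the check-then-index pattern has to be rewritten in every emitter that materialises the lookup, which is why the patch disables the JITted lookup_elem paths rather than patching them.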