Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2002759imu; Fri, 14 Dec 2018 04:20:12 -0800 (PST) X-Google-Smtp-Source: AFSGD/XzNI0klBqF0/QVN561SNCU8KI2/+Wxk1U24OpWBr6gau7GMsYvWMuABTOh3rD7LOvoH5N0 X-Received: by 2002:a63:d5e:: with SMTP id 30mr2545100pgn.54.1544790012768; Fri, 14 Dec 2018 04:20:12 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544790012; cv=none; d=google.com; s=arc-20160816; b=ZP5iqBVRQq9+PDT1gbMVDcIBBFLFo7uW9AXfR5KNgLhGOrffFhtZ2Ki+Exj0mVDlsJ Jj0gaBzobmSNHaJqDDOue7h0TlO2v7D9K81xhHzip4etiYkNVqOSgCiy9j2Hei5UL41t gZ8yQsxKdNzqWHaZpeloIwf5kOgJUYMye4xk1Ak7emMZk87sQp1ErFB5j/NXEtqe3BwU ZVggnTssI0D10cVAyyD8TY2Hh9dxbUmejjBehxf58XxNS0GFm5tqESbbR8TJVs0FWt1H Otit30JlCH1pQof7PnGKscCMWrfN5+ZIML3F6dVih1Evv83pIhC5Sx3/PAlc9NPCLduH GdJA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=dOz5nlDIcT9D5CdTjiMDOBdpr1JoHtLYRBGxjOUtInU=; b=h4f7xCc78GKAVRh1dUJW/kdS/gEwGzOky5YNF35/nqB8ZNpziAfTxVg+HwjXKxEq8V /TA7qcOf3GhD4GyGYRiEy+s0TxJuKBompghPMRNsFoDJ95NeFLcYhrP9gUckLJ6dO7Yj EwousKRpTNfMg84M7eYHdD7HUHJCVuoIWiYjeT/5XDg2gBw357MIRwpFlXMLrC11aQsE H6h27434dzoqVIcn6OY//jwrHDIteZEHxTy42/WWTaIdH96JOfyY29y1+eEIgOsPglel Wu1m7CcE4xEmh8x6Q5uSq3YlMMlMHlx6UF/xdUbubZ12z+6gwK4zLQBNwbAmqIC9l+no tNJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wF2+0wpm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id g18si4013519pgg.522.2018.12.14.04.19.57; Fri, 14 Dec 2018 04:20:12 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=wF2+0wpm; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732663AbeLNMQA (ORCPT + 99 others); Fri, 14 Dec 2018 07:16:00 -0500 Received: from mail.kernel.org ([198.145.29.99]:36044 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732369AbeLNMP5 (ORCPT ); Fri, 14 Dec 2018 07:15:57 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 4422621479; Fri, 14 Dec 2018 12:15:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1544789755; bh=GOJ6cCnek1ymHYbP1KywIiqd+3O9ZhpRbXrz9IW9FH4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=wF2+0wpmf2EzR26EIUtqz0KL+5nSIMyIFD3aA+bGiJqqzzbQRnYeu2bfo9Z4bEM4T nFhDUstwB/GseMCUlubXoVzk1XWgv2DskEj9jLcUG3/lFlAZZPPCv5ckEndDxNcC8s mK8WIdDN8getMSLxf+Du51XWQHB2O9ZZEF2gAUi8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexei Starovoitov , Thomas Gleixner , Ben Hutchings Subject: [PATCH 4.4 65/88] bpf: Prevent memory disambiguation attack Date: Fri, 14 Dec 2018 13:00:39 +0100 Message-Id: <20181214115707.681167481@linuxfoundation.org> X-Mailer: git-send-email 2.20.0 In-Reply-To: <20181214115702.151309521@linuxfoundation.org> References: <20181214115702.151309521@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.4-stable review patch. If anyone has any objections, please let me know. ------------------ From: Alexei Starovoitov commit af86ca4e3088fe5eacf2f7e58c01fa68ca067672 upstream. Detect code patterns where malicious 'speculative store bypass' can be used and sanitize such patterns. 39: (bf) r3 = r10 40: (07) r3 += -216 41: (79) r8 = *(u64 *)(r7 +0) // slow read 42: (7a) *(u64 *)(r10 -72) = 0 // verifier inserts this instruction 43: (7b) *(u64 *)(r8 +0) = r3 // this store becomes slow due to r8 44: (79) r1 = *(u64 *)(r6 +0) // cpu speculatively executes this load 45: (71) r2 = *(u8 *)(r1 +0) // speculatively arbitrary 'load byte' // is now sanitized Above code after x86 JIT becomes: e5: mov %rbp,%rdx e8: add $0xffffffffffffff28,%rdx ef: mov 0x0(%r13),%r14 f3: movq $0x0,-0x48(%rbp) fb: mov %rdx,0x0(%r14) ff: mov 0x0(%rbx),%rdi 103: movzbq 0x0(%rdi),%rsi Signed-off-by: Alexei Starovoitov Signed-off-by: Thomas Gleixner [bwh: Backported to 4.4: - Add verifier_env parameter to check_stack_write() - Look up stack slot_types with state->stack_slot_type[] rather than state->stack[].slot_type[] - Drop bpf_verifier_env argument to verbose() - Adjust filename, context] Signed-off-by: Ben Hutchings Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/verifier.c | 63 ++++++++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 59 insertions(+), 4 deletions(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -191,6 +191,7 @@ struct bpf_insn_aux_data { enum bpf_reg_type ptr_type; /* pointer type for load/store insns */ struct bpf_map *map_ptr; /* pointer for call insn into lookup_elem */ }; + int sanitize_stack_off; /* stack slot to be cleared */ bool seen; /* this insn was processed by the verifier */ }; @@ -569,8 +570,9 @@ static bool is_spillable_regtype(enum bp /* check_stack_read/write functions track spill/fill of registers, * stack boundary and alignment are checked in check_mem_access() */ -static int check_stack_write(struct verifier_state *state, int off, int size, - int value_regno) +static int check_stack_write(struct verifier_env *env, + struct verifier_state *state, int off, + int size, int value_regno, int insn_idx) { int i, spi = (MAX_BPF_STACK + off) / BPF_REG_SIZE; /* caller checked that off % size == 0 and -MAX_BPF_STACK <= off < 0, @@ -589,8 +591,32 @@ static int check_stack_write(struct veri /* save register state */ state->spilled_regs[spi] = state->regs[value_regno]; - for (i = 0; i < BPF_REG_SIZE; i++) + for (i = 0; i < BPF_REG_SIZE; i++) { + if (state->stack_slot_type[MAX_BPF_STACK + off + i] == STACK_MISC && + !env->allow_ptr_leaks) { + int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off; + int soff = (-spi - 1) * BPF_REG_SIZE; + + /* detected reuse of integer stack slot with a pointer + * which means either llvm is reusing stack slot or + * an attacker is trying to exploit CVE-2018-3639 + * (speculative store bypass) + * Have to sanitize that slot with preemptive + * store of zero. + */ + if (*poff && *poff != soff) { + /* disallow programs where single insn stores + * into two different stack slots, since verifier + * cannot sanitize them + */ + verbose("insn %d cannot access two stack slots fp%d and fp%d", + insn_idx, *poff, soff); + return -EINVAL; + } + *poff = soff; + } state->stack_slot_type[MAX_BPF_STACK + off + i] = STACK_SPILL; + } } else { /* regular write of data into stack */ state->spilled_regs[spi] = (struct reg_state) {}; @@ -746,7 +772,8 @@ static int check_mem_access(struct verif verbose("attempt to corrupt spilled pointer on stack\n"); return -EACCES; } - err = check_stack_write(state, off, size, value_regno); + err = check_stack_write(env, state, off, size, + value_regno, insn_idx); } else { err = check_stack_read(state, off, size, value_regno); } @@ -2228,6 +2255,34 @@ static int convert_ctx_accesses(struct v else continue; + if (type == BPF_WRITE && + env->insn_aux_data[i + delta].sanitize_stack_off) { + struct bpf_insn patch[] = { + /* Sanitize suspicious stack slot with zero. + * There are no memory dependencies for this store, + * since it's only using frame pointer and immediate + * constant of zero + */ + BPF_ST_MEM(BPF_DW, BPF_REG_FP, + env->insn_aux_data[i + delta].sanitize_stack_off, + 0), + /* the original STX instruction will immediately + * overwrite the same stack slot with appropriate value + */ + *insn, + }; + + cnt = ARRAY_SIZE(patch); + new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt); + if (!new_prog) + return -ENOMEM; + + delta += cnt - 1; + env->prog = new_prog; + insn = new_prog->insnsi + i + delta; + continue; + } + if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX) continue;