From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Piotr Krysiuk, Daniel Borkmann, Alexei Starovoitov
Subject: [PATCH 5.4 03/18] bpf: Fix off-by-one for area size in creating mask to left
Date: Fri, 19 Mar 2021 13:18:41 +0100
Message-Id: <20210319121745.563006347@linuxfoundation.org>
X-Mailer: git-send-email 2.31.0
In-Reply-To: <20210319121745.449875976@linuxfoundation.org>
References: <20210319121745.449875976@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Piotr Krysiuk

commit 10d2bb2e6b1d8c4576c56a748f697dbeb8388899 upstream.

retrieve_ptr_limit() computes the ptr_limit for registers with stack and map_value type. ptr_limit is the size of the memory area that is still valid / in-bounds from the point of the current position and direction of the operation (add / sub). This size will later be used for masking the operation such that attempting out-of-bounds access in the speculative domain is redirected to remain within the bounds of the current map value.

When masking to the right the size is correct, however, when masking to the left, the size is off-by-one which would lead to an incorrect mask and thus incorrect arithmetic operation in the non-speculative domain. Piotr found that if the resulting alu_limit value is zero, then the BPF_MOV32_IMM() from the fixup_bpf_calls() rewrite will end up loading 0xffffffff into AX instead of sign-extending to the full 64 bit range, and as a result, this allows abuse for executing speculatively out-of-bounds loads against 4GB window of address space and thus extracting the contents of kernel memory via side-channel.

Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Signed-off-by: Piotr Krysiuk
Co-developed-by: Daniel Borkmann
Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/verifier.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -4277,13 +4277,13 @@ static int retrieve_ptr_limit(const stru */ off = ptr_reg->off + ptr_reg->var_off.value; if (mask_to_left) - *ptr_limit = MAX_BPF_STACK + off; + *ptr_limit = MAX_BPF_STACK + off + 1; else *ptr_limit = -off; return 0; case PTR_TO_MAP_VALUE: if (mask_to_left) { - *ptr_limit = ptr_reg->umax_value + ptr_reg->off; + *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1; } else { off = ptr_reg->smin_value + ptr_reg->off; *ptr_limit = ptr_reg->map_ptr->value_size - off;
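Review bot: The two +1 adjustments land without any change to the comment that ends at the `*/` context line at the top of the hunk, so the reader still has no statement of why the left-mask limit needs the extra unit while the right-mask limits (`-off` and `value_size - off`) do not; suggest extending that comment with the inclusive range the left-mask ptr_limit is meant to cover. Separately, the commit message explains that a zero alu_limit makes the BPF_MOV32_IMM() rewrite in fixup_bpf_calls() load 0xffffffff instead of sign-extending, yet nothing in this hunk enforces a non-zero limit at that consumer; a defensive check there that rejects a zero limit would make the failure mode independent of the arithmetic in these two branches.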