Received: by 2002:a05:6a10:413:0:0:0:0 with SMTP id 19csp799405pxp; Fri, 11 Mar 2022 15:27:55 -0800 (PST) X-Google-Smtp-Source: ABdhPJxFDQtTbndkeQZnM2/84sdqezhpDyh7vCR4XsX2CqB0SaCvwPDZgmp6OXoObG6H4+8VDCX6 X-Received: by 2002:a17:902:6846:b0:151:cc47:1b19 with SMTP id f6-20020a170902684600b00151cc471b19mr12434584pln.109.1647041274928; Fri, 11 Mar 2022 15:27:54 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1647041274; cv=none; d=google.com; s=arc-20160816; b=hJSPzoIV/eASA2MJGyl0HzO+EH3ub8eHTKco3tx+DNCK9unn8RlWTbDWdd6yBa0lqm Isk3rFb7OqjppXWwkAs6oulDJca3ewDrcDa7rKk2H/cqblpcgljQuFSZCPcHYAolDznm RBQw/4Vz6PIMoRP5jEdJT43SWlZqFUoc+ZrXfGDfeVmkTRr8BNSh6iO6sIpNStKfot3g 1NZAFMYtCCx20DUmEHJ+n8TSDMUqifChbdhrgOiHDrzi7mkiLBJiTVXP2JAzc6CHRoR3 ATAnKfT40+GfRo1qwJvNaey2UiBXW7jz7inodIU5mTT7zSdYLYzuS/MGkK83a9GQfPtD kcgg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=rToQ2FINI6vi/ej7LSYtNQedmD4uzcYGT9HrwgSbkPQ=; b=w01Tklm036wBInHWphcEReGqQHILJwXNAZYJefKNgofk4p63AZrY0TXC81cU9j1jMk hdflqHxMDcD8VFxw31M7icye3Fzu21fU9FBmXYuOLSwvYaNZqy3Um2h/OW/j6kN5KFCN WUmNQwOPnxTjT4fgedphIfndW/ADTefJQI3IuZdRRHgJRGWUi019+Q5MZuWI0KAOQFcj xSp6NxFbN5y3woyUqPovkWROyc503bsYlM86eEsCGumdndsgWxcZc2c/gyWNfJFkVS3j 7JzIClQF/xIj/AWvh3bhAYFd3QeQoisLB6cRT6Lco4zbNVBbgYPlqAVa3XpgNM2E8C9E 3A6w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=X6DyEcpX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id c19-20020a63da13000000b00373facf1a0esi9593827pgh.137.2022.03.11.15.27.54 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 11 Mar 2022 15:27:54 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=X6DyEcpX; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0D224219EBE; Fri, 11 Mar 2022 14:14:19 -0800 (PST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1344097AbiCJOk1 (ORCPT + 99 others); Thu, 10 Mar 2022 09:40:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51942 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1343950AbiCJObb (ORCPT ); Thu, 10 Mar 2022 09:31:31 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D1009B82F5; Thu, 10 Mar 2022 06:29:08 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id 55238B825A7; Thu, 10 Mar 2022 14:29:07 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 3F223C340E8; Thu, 10 Mar 2022 14:29:05 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1646922546; bh=rKln5HfmJ7CAsIJqUftQHhI05Ko1JEKlKJ2HDsRvn3c=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=X6DyEcpX9RNrwgCr/grd7SetyrN/qJkv6k1DmbVa8Kg7khOQAbE7q8X7FGlX4RYvo C/iyJ0BdmusBtwSEEWWqNckA9jU5ZDGTa59n76c2gUozZa2VxBk5rqaLyEjbO8kzna OtHUN7DXUw0cEcOEoajAZQ1NPEtxhv5rxUbUykgE= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Josh Poimboeuf , Borislav Petkov , Thomas Gleixner , Frank van der Linden Subject: [PATCH 5.15 06/58] x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting Date: Thu, 10 Mar 2022 15:18:55 +0100 Message-Id: <20220310140813.169073156@linuxfoundation.org> X-Mailer: git-send-email 2.35.1 In-Reply-To: <20220310140812.983088611@linuxfoundation.org> References: <20220310140812.983088611@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-2.4 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS, MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Josh Poimboeuf commit 44a3918c8245ab10c6c9719dd12e7a8d291980d8 upstream. With unprivileged eBPF enabled, eIBRS (without retpoline) is vulnerable to Spectre v2 BHB-based attacks. When both are enabled, print a warning message and report it in the 'spectre_v2' sysfs vulnerabilities file. Signed-off-by: Josh Poimboeuf Signed-off-by: Borislav Petkov Reviewed-by: Thomas Gleixner [fllinden@amazon.com: backported to 5.15] Signed-off-by: Frank van der Linden Signed-off-by: Greg Kroah-Hartman --- arch/x86/kernel/cpu/bugs.c | 35 +++++++++++++++++++++++++++++------ include/linux/bpf.h | 12 ++++++++++++ kernel/sysctl.c | 7 +++++++ 3 files changed, 48 insertions(+), 6 deletions(-) --- a/arch/x86/kernel/cpu/bugs.c +++ b/arch/x86/kernel/cpu/bugs.c @@ -16,6 +16,7 @@ #include #include #include +#include #include #include @@ -650,6 +651,16 @@ static inline const char *spectre_v2_mod static inline const char *spectre_v2_module_string(void) { return ""; } #endif +#define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n" + +#ifdef CONFIG_BPF_SYSCALL +void unpriv_ebpf_notify(int new_state) +{ + if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state) + pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); +} +#endif + static inline bool match_option(const char *arg, int arglen, const char *opt) { int len = strlen(opt); @@ -994,6 +1005,9 @@ static void __init spectre_v2_select_mit break; } + if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) + pr_err(SPECTRE_V2_EIBRS_EBPF_MSG); + if (spectre_v2_in_eibrs_mode(mode)) { /* Force it so VMEXIT will restore correctly */ x86_spec_ctrl_base |= SPEC_CTRL_IBRS; @@ -1780,6 +1794,20 @@ static char *ibpb_state(void) return ""; } +static ssize_t spectre_v2_show_state(char *buf) +{ + if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled()) + return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n"); + + return sprintf(buf, "%s%s%s%s%s%s\n", + spectre_v2_strings[spectre_v2_enabled], + ibpb_state(), + boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", + stibp_state(), + boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", + spectre_v2_module_string()); +} + static ssize_t srbds_show_state(char *buf) { return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]); @@ -1805,12 +1833,7 @@ static ssize_t cpu_show_common(struct de return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]); case X86_BUG_SPECTRE_V2: - return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled], - ibpb_state(), - boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "", - stibp_state(), - boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "", - spectre_v2_module_string()); + return spectre_v2_show_state(buf); case X86_BUG_SPEC_STORE_BYPASS: return sprintf(buf, "%s\n", ssb_strings[ssb_mode]); --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1666,6 +1666,12 @@ bool bpf_prog_has_kfunc_call(const struc const struct btf_func_model * bpf_jit_find_kfunc_model(const struct bpf_prog *prog, const struct bpf_insn *insn); + +static inline bool unprivileged_ebpf_enabled(void) +{ + return !sysctl_unprivileged_bpf_disabled; +} + #else /* !CONFIG_BPF_SYSCALL */ static inline struct bpf_prog *bpf_prog_get(u32 ufd) { @@ -1884,6 +1890,12 @@ bpf_jit_find_kfunc_model(const struct bp { return NULL; } + +static inline bool unprivileged_ebpf_enabled(void) +{ + return false; +} + #endif /* CONFIG_BPF_SYSCALL */ void __bpf_free_used_btfs(struct bpf_prog_aux *aux, --- a/kernel/sysctl.c +++ b/kernel/sysctl.c @@ -228,6 +228,10 @@ static int bpf_stats_handler(struct ctl_ return ret; } +void __weak unpriv_ebpf_notify(int new_state) +{ +} + static int bpf_unpriv_handler(struct ctl_table *table, int write, void *buffer, size_t *lenp, loff_t *ppos) { @@ -245,6 +249,9 @@ static int bpf_unpriv_handler(struct ctl return -EPERM; *(int *)table->data = unpriv_enable; } + + unpriv_ebpf_notify(unpriv_enable); + return ret; } #endif /* CONFIG_BPF_SYSCALL && CONFIG_SYSCTL */