Received: by 2002:a05:6358:a55:b0:ec:fcf4:3ecf with SMTP id 21csp1164571rwb; Fri, 13 Jan 2023 08:40:17 -0800 (PST) X-Google-Smtp-Source: AMrXdXsleE2HUKAOVH/Fdt+HpaNj1fRVHJE3jsVk0c9f2ueG0FnbgMi04JRY2B388YrjYOnezBt6 X-Received: by 2002:a17:903:240b:b0:192:991f:d8e8 with SMTP id e11-20020a170903240b00b00192991fd8e8mr62715521plo.53.1673628016893; Fri, 13 Jan 2023 08:40:16 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1673628016; cv=none; d=google.com; s=arc-20160816; b=IBgcAcoqYenQ6R116pHAfxtrR4AETIf/5ZQmpt2Te0KDr8V8ark2X4gcLGG0cEw7DI TV1/B4CFKbVuvPOzb9NuTMalABFpaVIoev4obeYMZVswqKmeJ0Sa0oq7ym8LNkaN94wm IHV3o6lEFFSzsgKgpSRKnSZX9ScFvUl+xJ1uUiIjvu+bfu4vHK3Xr2Jf8NbDG65Q5+GQ +nKU6gqFfB0DtlMoXKHBtC+J911bvE2s6ghEEqnl7bdvvdy2bkJqlV473Nf0BEV9FzZz 4bUxj5WbetxlCRMQI1n0sTjXxsKeNKt/1zbBj0vT7x0e26eaCySct5Njuru+NkIUc7j9 FBjA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=BGdNwhWC2nx39kKuJePWqu266y+kjaLMibNSTdSx5qI=; b=pLAm1cILjBwav+3PNisZHR7wnNtNMD0JmPtJ2zUHesOz67pYFFqMliqiYtaWbWc2Wa 7/H/Yf8fOLo8zgX7a+h/ujCus81OpuYGGNtPSQA9/HhY9UXwl1Dr+bOLEbjhm1m/xSdI wg1HYxEK1yZ1l1j2wzxKlDZikDT18PORX00UkUxSvDUiHZfMEQtAfzjgxOu7x/gLzJWR YmGJIT7a6E+MS09COf2lYeh+dW5ikVXye2PN+iQ+jBmfJpwTXDytaEYiiyhJPZSh7mCT wNTPRmLwccDQ4CvDAYAJExGcv8KfPcIcadhDVj2i/5KComEsuq9mEHyWyUL/8kvRRaRF /ugQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id p13-20020a170902ebcd00b0019305638dfdsi19922911plg.77.2023.01.13.08.40.08; Fri, 13 Jan 2023 08:40:16 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230085AbjAMQ31 (ORCPT + 53 others); Fri, 13 Jan 2023 11:29:27 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42638 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229926AbjAMQ2R (ORCPT ); Fri, 13 Jan 2023 11:28:17 -0500 Received: from www62.your-server.de (www62.your-server.de [213.133.104.62]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E9BA97FC9C; Fri, 13 Jan 2023 08:22:51 -0800 (PST) Received: from sslproxy03.your-server.de ([88.198.220.132]) by www62.your-server.de with esmtpsa (TLS1.3) tls TLS_AES_256_GCM_SHA384 (Exim 4.94.2) (envelope-from ) id 1pGMp4-000DRc-S9; Fri, 13 Jan 2023 17:22:30 +0100 Received: from [85.1.206.226] (helo=linux.home) by sslproxy03.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1pGMp4-000Dff-6W; Fri, 13 Jan 2023 17:22:30 +0100 Subject: Re: [PATCH] bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation To: Luis Gerhorst , Alexei Starovoitov , John Fastabend , Andrii Nakryiko , Martin KaFai Lau , Song Liu , Yonghong Song , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Nathan Chancellor , Nick Desaulniers , Tom Rix , Piotr Krysiuk , Benedict Schlueter , bpf@vger.kernel.org, linux-kernel@vger.kernel.org, llvm@lists.linux.dev Cc: stefan.saecherl@use.startmail.com, Henriette Hofmeier References: <20230109150544.41465-1-gerhorst@cs.fau.de> From: Daniel Borkmann Message-ID: Date: Fri, 13 Jan 2023 17:22:28 +0100 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <20230109150544.41465-1-gerhorst@cs.fau.de> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.103.7/26780/Fri Jan 13 09:37:02 2023) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 1/9/23 4:05 PM, Luis Gerhorst wrote: > To mitigate Spectre v4, 2039f26f3aca ("bpf: Fix leakage due to > insufficient speculative store bypass mitigation") inserts lfence > instructions after 1) initializing a stack slot and 2) spilling a > pointer to the stack. > > However, this does not cover cases where a stack slot is first > initialized with a pointer (subject to sanitization) but then > overwritten with a scalar (not subject to sanitization because the slot > was already initialized). In this case, the second write may be subject > to speculative store bypass (SSB) creating a speculative > pointer-as-scalar type confusion. This allows the program to > subsequently leak the numerical pointer value using, for example, a > branch-based cache side channel. > > To fix this, also sanitize scalars if they write a stack slot that > previously contained a pointer. Assuming that pointer-spills are only > generated by LLVM on register-pressure, the performance impact on most > real-world BPF programs should be small. > > The following unprivileged BPF bytecode drafts a minimal exploit and the > mitigation: > > [...] > // r6 = 0 or 1 (skalar, unknown user input) > // r7 = accessible ptr for side channel > // r10 = frame pointer (fp), to be leaked > // > r9 = r10 # fp alias to encourage ssb > *(u64 *)(r9 - 8) = r10 // fp[-8] = ptr, to be leaked > // lfence added here because of pointer spill to stack. > // > // Ommitted: Dummy bpf_ringbuf_output() here to train alias predictor > // for no r9-r10 dependency. > // > *(u64 *)(r10 - 8) = r6 // fp[-8] = scalar, overwrites ptr > // 2039f26f3aca: no lfence added because stack slot was not STACK_INVALID, > // store may be subject to SSB > // > // fix: also add an lfence when the slot contained a ptr > // > r8 = *(u64 *)(r9 - 8) > // r8 = architecturally a scalar, speculatively a ptr > // > // leak ptr using branch-based cache side channel: > r8 &= 1 // choose bit to leak > if r8 == 0 goto SLOW // no mispredict > // architecturally dead code if input r6 is 0, > // only executes speculatively iff ptr bit is 1 > r8 = *(u64 *)(r7 + 0) # encode bit in cache (0: slow, 1: fast) > SLOW: > [...] > > After running this, the program can time the access to *(r7 + 0) to > determine whether the chosen pointer bit was 0 or 1. Repeat this 64 > times to recover the whole address on amd64. > > In summary, sanitization can only be skipped if one scalar is > overwritten with another scalar. Scalar-confusion due to speculative > store bypass can not lead to invalid accesses because the pointer bounds > deducted during verification are enforced using branchless logic. See > 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer > arithmetic") for details. > > Do not make the mitigation depend on > !env->allow_{uninit_stack,ptr_leaks} because speculative leaks are > likely unexpected if these were enabled. For example, leaking the > address to a protected log file may be acceptable while disabling the > mitigation might unintentionally leak the address into the cached-state > of a map that is accessible to unprivileged processes. > > Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation") > Signed-off-by: Luis Gerhorst > Acked-by: Henriette Hofmeier This looks good to me, thank you for the research on this topic! Applied to bpf tree. (I've also added a link tag to your other mail.) https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf.git/commit/?id=e4f4db47794c9f474b184ee1418f42e6a07412b6 Thanks, Daniel