linux

mirror of https://github.com/torvalds/linux.git synced 2024-11-23 20:51:44 +00:00

History

Daniel Borkmann 9d5564ddcf bpf: fix inner map masking to prevent oob under speculation During review I noticed that inner meta map setup for map in map is buggy in that it does not propagate all needed data from the reference map which the verifier is later accessing. In particular one such case is index masking to prevent out of bounds access under speculative execution due to missing the map's unpriv_array/index_mask field propagation. Fix this such that the verifier is generating the correct code for inlined lookups in case of unpriviledged use. Before patch (test_verifier's 'map in map access' dump): # bpftool prog dump xla id 3 0: (62) (u32 )(r10 -4) = 0 1: (bf) r2 = r10 2: (07) r2 += -4 3: (18) r1 = map[id:4] 5: (07) r1 += 272 \| 6: (61) r0 = (u32 )(r2 +0) \| 7: (35) if r0 >= 0x1 goto pc+6 \| Inlined map in map lookup 8: (54) (u32) r0 &= (u32) 0 \| with index masking for 9: (67) r0 <<= 3 \| map->unpriv_array. 10: (0f) r0 += r1 \| 11: (79) r0 = (u64 )(r0 +0) \| 12: (15) if r0 == 0x0 goto pc+1 \| 13: (05) goto pc+1 \| 14: (b7) r0 = 0 \| 15: (15) if r0 == 0x0 goto pc+11 16: (62) (u32 )(r10 -4) = 0 17: (bf) r2 = r10 18: (07) r2 += -4 19: (bf) r1 = r0 20: (07) r1 += 272 \| 21: (61) r0 = (u32 )(r2 +0) \| Index masking missing (!) 22: (35) if r0 >= 0x1 goto pc+3 \| for inner map despite 23: (67) r0 <<= 3 \| map->unpriv_array set. 24: (0f) r0 += r1 \| 25: (05) goto pc+1 \| 26: (b7) r0 = 0 \| 27: (b7) r0 = 0 28: (95) exit After patch: # bpftool prog dump xla id 1 0: (62) (u32 )(r10 -4) = 0 1: (bf) r2 = r10 2: (07) r2 += -4 3: (18) r1 = map[id:2] 5: (07) r1 += 272 \| 6: (61) r0 = (u32 )(r2 +0) \| 7: (35) if r0 >= 0x1 goto pc+6 \| Same inlined map in map lookup 8: (54) (u32) r0 &= (u32) 0 \| with index masking due to 9: (67) r0 <<= 3 \| map->unpriv_array. 10: (0f) r0 += r1 \| 11: (79) r0 = (u64 )(r0 +0) \| 12: (15) if r0 == 0x0 goto pc+1 \| 13: (05) goto pc+1 \| 14: (b7) r0 = 0 \| 15: (15) if r0 == 0x0 goto pc+12 16: (62) (u32 )(r10 -4) = 0 17: (bf) r2 = r10 18: (07) r2 += -4 19: (bf) r1 = r0 20: (07) r1 += 272 \| 21: (61) r0 = (u32 )(r2 +0) \| 22: (35) if r0 >= 0x1 goto pc+4 \| Now fixed inlined inner map 23: (54) (u32) r0 &= (u32) 0 \| lookup with proper index masking 24: (67) r0 <<= 3 \| for map->unpriv_array. 25: (0f) r0 += r1 \| 26: (05) goto pc+1 \| 27: (b7) r0 = 0 \| 28: (b7) r0 = 0 29: (95) exit Fixes: `b2157399cc` ("bpf: prevent out-of-bounds speculation") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org>		2019-01-18 15:19:56 -08:00
..
bpf	bpf: fix inner map masking to prevent oob under speculation	2019-01-18 15:19:56 -08:00
cgroup	Merge branch 'for-4.21' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup	2018-12-29 10:57:20 -08:00
configs	kvm_config: add CONFIG_VIRTIO_MENU	2018-10-24 20:55:56 -04:00
debug	kdb: use bool for binary state indicators	2018-12-30 08:31:52 +00:00
dma	dma-direct: fix DMA_ATTR_NO_KERNEL_MAPPING for remapped allocations	2019-01-05 08:28:29 +01:00
events	Remove 'type' argument from access_ok() function	2019-01-03 18:57:57 -08:00
gcov
irq	genirq/affinity: Add is_managed to struct irq_affinity_desc	2018-12-19 11:32:08 +01:00
livepatch	livepatch: Replace synchronize_sched() with synchronize_rcu()	2018-12-01 12:38:50 -08:00
locking	kernel/locking/mutex.c: remove caller signal_pending branch predictions	2019-01-04 13:13:48 -08:00
power	mm: convert totalram_pages and totalhigh_pages variables to atomic	2018-12-28 12:11:47 -08:00
printk	Remove 'type' argument from access_ok() function	2019-01-03 18:57:57 -08:00
rcu	rcutorture: Don't do busted forward-progress testing	2018-12-01 12:45:42 -08:00
sched	jump_label: move 'asm goto' support test to Kconfig	2019-01-06 09:46:51 +09:00
time	y2038: more syscalls and cleanups	2018-12-28 12:45:04 -08:00
trace	tracing/kprobes: Fix NULL pointer dereference in trace_kprobe_create()	2019-01-15 11:33:45 -05:00
.gitignore
acct.c
async.c
audit_fsnotify.c	audit: minimize our use of audit_log_format()	2018-11-26 18:40:00 -05:00
audit_tree.c	audit: minimize our use of audit_log_format()	2018-11-26 18:40:00 -05:00
audit_watch.c	audit: minimize our use of audit_log_format()	2018-11-26 18:40:00 -05:00
audit.c	audit: remove duplicated include from audit.c	2018-12-14 12:09:30 -05:00
audit.h	audit: use current whenever possible	2018-11-26 18:41:21 -05:00
auditfilter.c
auditsc.c	audit: use current whenever possible	2018-11-26 18:41:21 -05:00
backtracetest.c
bounds.c	kbuild: fix kernel/bounds.c 'W=1' warning	2018-10-31 08:54:14 -07:00
capability.c
compat.c	make 'user_access_begin()' do 'access_ok()'	2019-01-04 12:56:09 -08:00
configs.c
context_tracking.c
cpu_pm.c
cpu.c	x86/speculation: Rework SMT state change	2018-11-28 11:57:07 +01:00
crash_core.c	kernel/crash_core.c: print timestamp using time64_t	2018-08-22 10:52:47 -07:00
crash_dump.c
cred.c	cred: export get_task_cred().	2018-12-19 13:52:44 -05:00
delayacct.c	delayacct: track delays from thrashing cache pages	2018-10-26 16:26:32 -07:00
dma.c
elfcore.c
exec_domain.c
exit.c	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2019-01-16 05:13:36 +12:00
extable.c
fail_function.c	kernel/fail_function.c: remove meaningless null pointer check before debugfs_remove_recursive	2018-10-31 08:54:12 -07:00
fork.c	Merge branch 'akpm' (patches from Andrew)	2019-01-08 18:58:29 -08:00
freezer.c	PM / reboot: Eliminate race between reboot and suspend	2018-08-06 12:35:20 +02:00
futex.c	Remove 'type' argument from access_ok() function	2019-01-03 18:57:57 -08:00
groups.c
hung_task.c	kernel/hung_task.c: break RCU locks based on jiffies	2019-01-04 13:13:45 -08:00
iomem.c
irq_work.c
jump_label.c	jump_label: move 'asm goto' support test to Kconfig	2019-01-06 09:46:51 +09:00
kallsyms.c	kallsyms: reduce size a little on 64-bit	2018-09-10 22:54:33 +09:00
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt	kconfig: warn no new line at end of file	2018-12-15 17:44:35 +09:00
kcov.c	kernel/kcov.c: mark write_comp_data() as notrace	2019-01-04 13:13:47 -08:00
kexec_core.c	mm: convert totalram_pages and totalhigh_pages variables to atomic	2018-12-28 12:11:47 -08:00
kexec_file.c	kexec_file: kexec_walk_memblock() only walks a dedicated region at kdump	2018-12-06 14:38:50 +00:00
kexec_internal.h
kexec.c	kexec: add call to LSM hook in original kexec_load syscall	2018-07-16 12:31:57 -07:00
kmod.c
kprobes.c	Merge branch 'perf-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2018-12-26 14:45:18 -08:00
ksysfs.c
kthread.c	Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2018-08-13 11:25:07 -07:00
latencytop.c
Makefile	kbuild: change filechk to surround the given command with { }	2019-01-06 09:46:51 +09:00
memremap.c	mm/hmm: fix memremap.h, move dev_page_fault_t callback to hmm	2018-12-28 12:11:52 -08:00
module_signing.c	modsign: use all trusted keys to verify module signature	2018-11-07 14:41:41 +01:00
module-internal.h
module.c	jump_label: move 'asm goto' support test to Kconfig	2019-01-06 09:46:51 +09:00
notifier.c
nsproxy.c
padata.c	padata: clean an indentation issue, remove extraneous space	2018-11-16 14:11:04 +08:00
panic.c	kernel/sysctl: add panic_print into sysctl	2019-01-04 13:13:47 -08:00
params.c
pid_namespace.c	signal: Use group_send_sig_info to kill all processes in a pid namespace	2018-09-16 16:08:25 +02:00
pid.c	Fix failure path in alloc_pid()	2018-12-28 12:42:30 -08:00
profile.c	mm: remove include/linux/bootmem.h	2018-10-31 08:54:16 -07:00
ptrace.c	Remove 'type' argument from access_ok() function	2019-01-03 18:57:57 -08:00
range.c
reboot.c	kernel/reboot.c: export pm_power_off_prepare	2018-09-11 16:13:24 +01:00
relay.c
resource.c	kernel, resource: check for IORESOURCE_SYSRAM in release_mem_region_adjustable	2018-12-28 12:11:49 -08:00
rseq.c	Remove 'type' argument from access_ok() function	2019-01-03 18:57:57 -08:00
seccomp.c	seccomp: fix poor type promotion	2018-12-13 16:49:01 -08:00
signal.c	Remove 'type' argument from access_ok() function	2019-01-03 18:57:57 -08:00
smp.c	smp,cpumask: introduce on_each_cpu_cond_mask	2018-10-09 16:51:11 +02:00
smpboot.c
smpboot.h
softirq.c	Merge branch 'irq-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2018-10-25 11:43:47 -07:00
stackleak.c	stackleak: Mark stackleak_track_stack() as notrace	2018-12-05 19:31:44 -08:00
stacktrace.c
stop_machine.c	Merge branch 'sched-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2018-08-13 11:25:07 -07:00
sys_ni.c	y2038: socket: Add compat_sys_recvmmsg_time64	2018-12-18 16:13:04 +01:00
sys.c	kernel/sys.c: Clarify that UNAME26 does not generate unique versions anymore	2019-01-14 10:38:03 +12:00
sysctl_binary.c	kernel/sysctl: add panic_print into sysctl	2019-01-04 13:13:47 -08:00
sysctl.c	kernel/sysctl: add panic_print into sysctl	2019-01-04 13:13:47 -08:00
task_work.c
taskstats.c
test_kprobes.c
torture.c	torture: Remove unnecessary "ret" variables	2018-12-01 12:45:35 -08:00
tracepoint.c	tracing: Replace synchronize_sched() and call_rcu_sched()	2018-11-27 09:21:41 -08:00
tsacct.c
ucount.c
uid16.c
uid16.h
umh.c	umh: add exit routine for UMH process	2019-01-11 18:05:40 -08:00
up.c	smp,cpumask: introduce on_each_cpu_cond_mask	2018-10-09 16:51:11 +02:00
user_namespace.c	userns: also map extents in the reverse map to kernel IDs	2018-11-07 23:51:16 -06:00
user-return-notifier.c
user.c	userns: use irqsave variant of refcount_dec_and_lock()	2018-08-22 10:52:47 -07:00
utsname_sysctl.c	sys: don't hold uts_sem while accessing userspace memory	2018-08-11 02:05:53 -05:00
utsname.c
watchdog_hld.c	watchdog: Mark watchdog touch functions as notrace	2018-08-30 12:56:40 +02:00
watchdog.c	watchdog: Mark watchdog touch functions as notrace	2018-08-30 12:56:40 +02:00
workqueue_internal.h
workqueue.c	workqueue: Replace call_rcu_sched() with call_rcu()	2018-11-27 09:21:44 -08:00