1 | From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 |
2 | From: Elena Reshetova <elena.reshetova@intel.com> | |
3 | Date: Mon, 4 Sep 2017 13:11:44 +0300 | |
4 | Subject: [PATCH] bpf: prevent speculative execution in eBPF interpreter | |
5 | MIME-Version: 1.0 | |
6 | Content-Type: text/plain; charset=UTF-8 | |
7 | Content-Transfer-Encoding: 8bit | |
8 | ||
9 | CVE-2017-5753 | |
10 | CVE-2017-5715 | |
11 | ||
12 | This adds a generic memory barrier before LD_IMM_DW and | |
13 | LDX_MEM_B/H/W/DW eBPF instructions during eBPF program | |
14 | execution in order to prevent speculative execution on out | |
15 | of bounds BPF_MAP array indexes. This way arbitrary kernel | |
16 | memory is not exposed through side channel attacks. | |
17 | ||
18 | For more details, please see this Google Project Zero report: tbd | |
19 | ||
20 | Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> | |
21 | Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> | |
22 | Signed-off-by: Andy Whitcroft <apw@canonical.com> | |
23 | Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com> | |
24 | (cherry picked from commit dd13f73106c260dea7a689d33d1457639af820aa) | |
25 | Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com> | |
26 | --- | |
27 | kernel/bpf/core.c | 3 +++ | |
28 | 1 file changed, 3 insertions(+) | |
29 | ||
30 | diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c | |
31 | index 9a1bed1f3029..3f83c60e3e86 100644 | |
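--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -33,6 +33,7 @@
 #include <linux/rcupdate.h>
 
 #include <asm/unaligned.h>
+#include <asm/barrier.h>
 
 /* Registers */
 #define BPF_R0 regs[BPF_REG_0]
@@ -920,6 +921,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn,
 DST = IMM;
 CONT;
 LD_IMM_DW:
+ gmb();
 DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32;
 insn++;
 CONT;
@@ -1133,6 +1135,7 @@ static unsigned int ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn,
 *(SIZE *)(unsigned long) (DST + insn->off) = IMM; \
 CONT; \
 LDX_MEM_##SIZEOP: \
+ gmb(); \
 DST = *(SIZE *)(unsigned long) (SRC + insn->off); \
 CONT;
 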
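Review bot: Neither added `gmb();` carries a comment, and at `LD_IMM_DW` the reason for one is not evident from the code: that handler assembles DST from two immediates in the instruction stream, whereas `LDX_MEM_##SIZEOP` dereferences a register-derived address. A one-line comment at each site would stop a later cleanup from dropping the barrier as dead weight, for example `/* speculation barrier: no load may run ahead of an earlier bounds check (CVE-2017-5753) */`. The barrier is paid on every interpreted load and covers only programs executed by `___bpf_prog_run`; nothing on this page shows whether JIT-compiled programs are handled elsewhere, so the commit message should say so. `gmb()` itself is not defined in this patch (only `<asm/barrier.h>` is added), so every architecture that builds this file presumably needs a definition from a companion change. `___bpf_prog_run` starts and ends outside both hunks.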
58 | -- | |
59 | 2.14.2 | |
60 |