]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/commit
projects / mirror_ubuntu-hirsute-kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 3d6ab35) | patch
bpf: Tighten speculative pointer arithmetic mask
authorDaniel Borkmann <daniel@iogearbox.net>
Wed, 24 Mar 2021 09:38:26 +0000 (10:38 +0100)
committerStefan Bader <stefan.bader@canonical.com>
Fri, 7 May 2021 07:54:11 +0000 (09:54 +0200)
commit70bd6fa1254a32278708f96ccd7bbcc853fcefc1
tree9d3549b61ca1ce0a08c3f93387b59626a9b27a66tree
parent3d6ab3507b912cc67e9347f038ab796488fbc385commit | diff
bpf: Tighten speculative pointer arithmetic mask

BugLink: https://bugs.launchpad.net/bugs/1927535
[ Upstream commit 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 ]

This work tightens the offset mask we use for unprivileged pointer arithmetic
in order to mitigate a corner case reported by Piotr and Benedict where in
the speculative domain it is possible to advance, for example, the map value
pointer by up to value_size-1 out-of-bounds in order to leak kernel memory
via side-channel to user space.

Before this change, the computed ptr_limit for retrieve_ptr_limit() helper
represents largest valid distance when moving pointer to the right or left
which is then fed as aux->alu_limit to generate masking instructions against
the offset register. After the change, the derived aux->alu_limit represents
the largest potential value of the offset register which we mask against which
is just a narrower subset of the former limit.

For minimal complexity, we call sanitize_ptr_alu() from 2 observation points
in adjust_ptr_min_max_vals(), that is, before and after the simulated alu
operation. In the first step, we retieve the alu_state and alu_limit before
the operation as well as we branch-off a verifier path and push it to the
verification stack as we did before which checks the dst_reg under truncation,
in other words, when the speculative domain would attempt to move the pointer
out-of-bounds.

In the second step, we retrieve the new alu_limit and calculate the absolute
distance between both. Moreover, we commit the alu_state and final alu_limit
via update_alu_sanitation_state() to the env's instruction aux data, and bail
out from there if there is a mismatch due to coming from different verification
paths with different states.

Reported-by: Piotr Krysiuk <piotras@gmail.com>
Reported-by: Benedict Schlueter <benedict.schlueter@rub.de>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Tested-by: Benedict Schlueter <benedict.schlueter@rub.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kelsey Skunberg <kelsey.skunberg@canonical.com>
kernel/bpf/verifier.c diff | blob | blame | history
Ubuntu Hirsute Linux kernel mirror