bpf: prevent speculative execution in eBPF interpreter

CVE-2017-5753 (Spectre v1 Intel)

This adds an observable speculation barrier before LD_IMM_DW and
LDX_MEM_B/H/W/DW eBPF instructions during eBPF program
execution in order to prevent speculative execution on out
of bound BFP_MAP array indexes. This way an arbitary kernel
memory is not exposed through side channel attacks.

Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Andy Whitcroft <apw@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 9a1bed1f30299b287b11de76f9300f42150f06f7..4003d1c9ea46617c4d897894a591def1eb3a5c7c 100644 (file)
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -33,6 +33,7 @@
 #include <linux/rcupdate.h>
 
 #include <asm/unaligned.h>
+#include <asm/barrier.h>
 
 /* Registers */
 #define BPF_R0 regs[BPF_REG_0]
@@ -920,6 +921,7 @@ select_insn:
                DST = IMM;
                CONT;
        LD_IMM_DW:
+               osb();
                DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32;
                insn++;
                CONT;
@@ -1133,6 +1135,7 @@ out:
                *(SIZE *)(unsigned long) (DST + insn->off) = IMM;       \
                CONT;                                                   \
        LDX_MEM_##SIZEOP:                                               \
+               osb();                                                  \
                DST = *(SIZE *)(unsigned long) (SRC + insn->off);       \
                CONT;