[PATCH 00/12][SRU][C] Multiple BPF security issues
Tyler Hicks
tyhicks at canonical.com
Mon Feb 11 05:23:39 UTC 2019
The original intent of this set of backports was to address CVE-2019-7308 which
represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:

  kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
  undesirable out-of-bounds speculation on pointer arithmetic in various
  cases, including cases of different branches with different state or limits
  to sanitize, leading to side-channel attacks.

 - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html

However, as I started to backport patches I noticed other necessary fixes to
the Spectre Variant 1 BPF verifier mitigation and included them, as well.
They're marked with the original Spectre Variant 1 CVE ID which is
CVE-2017-5753.

I've backported related BPF selftest changes and included them in this patch
set. I did that partly because I wanted to be able to use the new tests to
verify my backports and partly because the backports were needed to continue to
have successful runs of the test_verifier selftest which is part of our SRU
testing.

I've tested these backports with the updated selftests and they pass. I've also
tested the backports with the current upstream BPF selftests and ensured that
no tests show regressions.

Tyler

Daniel Borkmann (12):
  bpf: move {prev_,}insn_idx into verifier env
  bpf: move tmp variable into ax register in interpreter
  bpf: enable access to ax register also from verifier rewrite
  bpf: restrict map value pointer arithmetic for unprivileged
  bpf: restrict stack pointer arithmetic for unprivileged
  bpf: restrict unknown scalars of mixed signed bounds for unprivileged
  bpf: fix check_map_access smin_value test when pointer contains offset
  bpf: prevent out of bounds speculation on pointer arithmetic
  bpf: fix sanitation of alu op with pointer / scalar type from
    different paths
  bpf: fix inner map masking to prevent oob under speculation
  bpf: add various test cases to test_verifier
  bpf: add various test cases to selftests

 include/linux/bpf_verifier.h                |   13 +
 include/linux/filter.h                      |   10 +-
 kernel/bpf/core.c                           |   54 +-
 kernel/bpf/map_in_map.c                     |   17 +-
 kernel/bpf/verifier.c                       |  370 +++++--
 tools/testing/selftests/bpf/test_verifier.c | 1388 ++++++++++++++++++++++++++-
 6 files changed, 1748 insertions(+), 104 deletions(-)

--
2.7.4