Skip to content

Commit a67825f

Browse files
author
Alexei Starovoitov
committed
Merge branch 'prevent-oob-under-speculation'
Daniel Borkmann says: ==================== This set fixes an out of bounds case under speculative execution by implementing masking of pointer alu into the verifier. For details please see the individual patches. Thanks! v2 -> v3: - 8/9: change states_equal condition into old->speculative && !cur->speculative, thanks Jakub! - 8/9: remove incorrect speculative state test in propagate_liveness(), thanks Jakub! v1 -> v2: - Typo fixes in commit msg and a comment, thanks David! ==================== Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2 parents 8b6b25c + 80c9b2f commit a67825f

File tree

5 files changed

+1451
-107
lines changed

5 files changed

+1451
-107
lines changed

include/linux/bpf_verifier.h

Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -148,6 +148,7 @@ struct bpf_verifier_state {
148148
/* call stack tracking */
149149
struct bpf_func_state *frame[MAX_CALL_FRAMES];
150150
u32 curframe;
151+
bool speculative;
151152
};
152153

153154
#define bpf_get_spilled_reg(slot, frame) \
@@ -167,15 +168,24 @@ struct bpf_verifier_state_list {
167168
struct bpf_verifier_state_list *next;
168169
};
169170

171+
/* Possible states for alu_state member. */
172+
#define BPF_ALU_SANITIZE_SRC 1U
173+
#define BPF_ALU_SANITIZE_DST 2U
174+
#define BPF_ALU_NEG_VALUE (1U << 2)
175+
#define BPF_ALU_SANITIZE (BPF_ALU_SANITIZE_SRC | \
176+
BPF_ALU_SANITIZE_DST)
177+
170178
struct bpf_insn_aux_data {
171179
union {
172180
enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
173181
unsigned long map_state; /* pointer/poison value for maps */
174182
s32 call_imm; /* saved imm field of call insn */
183+
u32 alu_limit; /* limit for add/sub register with pointer */
175184
};
176185
int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
177186
int sanitize_stack_off; /* stack slot to be cleared */
178187
bool seen; /* this insn was processed by the verifier */
188+
u8 alu_state; /* used in combination with alu_limit */
179189
};
180190

181191
#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
@@ -212,6 +222,8 @@ struct bpf_subprog_info {
212222
* one verifier_env per bpf_check() call
213223
*/
214224
struct bpf_verifier_env {
225+
u32 insn_idx;
226+
u32 prev_insn_idx;
215227
struct bpf_prog *prog; /* eBPF program being verified */
216228
const struct bpf_verifier_ops *ops;
217229
struct bpf_verifier_stack_elem *head; /* stack of verifier states to be processed */

include/linux/filter.h

Lines changed: 3 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -53,14 +53,10 @@ struct sock_reuseport;
5353
#define BPF_REG_D BPF_REG_8 /* data, callee-saved */
5454
#define BPF_REG_H BPF_REG_9 /* hlen, callee-saved */
5555

56-
/* Kernel hidden auxiliary/helper register for hardening step.
57-
* Only used by eBPF JITs. It's nothing more than a temporary
58-
* register that JITs use internally, only that here it's part
59-
* of eBPF instructions that have been rewritten for blinding
60-
* constants. See JIT pre-step in bpf_jit_blind_constants().
61-
*/
56+
/* Kernel hidden auxiliary/helper register. */
6257
#define BPF_REG_AX MAX_BPF_REG
63-
#define MAX_BPF_JIT_REG (MAX_BPF_REG + 1)
58+
#define MAX_BPF_EXT_REG (MAX_BPF_REG + 1)
59+
#define MAX_BPF_JIT_REG MAX_BPF_EXT_REG
6460

6561
/* unused opcode to mark special call to bpf_tail_call() helper */
6662
#define BPF_TAIL_CALL 0xf0

kernel/bpf/core.c

Lines changed: 37 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -54,6 +54,7 @@
5454
#define DST regs[insn->dst_reg]
5555
#define SRC regs[insn->src_reg]
5656
#define FP regs[BPF_REG_FP]
57+
#define AX regs[BPF_REG_AX]
5758
#define ARG1 regs[BPF_REG_ARG1]
5859
#define CTX regs[BPF_REG_CTX]
5960
#define IMM insn->imm
@@ -857,6 +858,26 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from,
857858
BUILD_BUG_ON(BPF_REG_AX + 1 != MAX_BPF_JIT_REG);
858859
BUILD_BUG_ON(MAX_BPF_REG + 1 != MAX_BPF_JIT_REG);
859860

861+
/* Constraints on AX register:
862+
*
863+
* AX register is inaccessible from user space. It is mapped in
864+
* all JITs, and used here for constant blinding rewrites. It is
865+
* typically "stateless" meaning its contents are only valid within
866+
* the executed instruction, but not across several instructions.
867+
* There are a few exceptions however which are further detailed
868+
* below.
869+
*
870+
* Constant blinding is only used by JITs, not in the interpreter.
871+
* The interpreter uses AX in some occasions as a local temporary
872+
* register e.g. in DIV or MOD instructions.
873+
*
874+
* In restricted circumstances, the verifier can also use the AX
875+
* register for rewrites as long as they do not interfere with
876+
* the above cases!
877+
*/
878+
if (from->dst_reg == BPF_REG_AX || from->src_reg == BPF_REG_AX)
879+
goto out;
880+
860881
if (from->imm == 0 &&
861882
(from->code == (BPF_ALU | BPF_MOV | BPF_K) ||
862883
from->code == (BPF_ALU64 | BPF_MOV | BPF_K))) {
@@ -1188,7 +1209,6 @@ bool bpf_opcode_in_insntable(u8 code)
11881209
*/
11891210
static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
11901211
{
1191-
u64 tmp;
11921212
#define BPF_INSN_2_LBL(x, y) [BPF_##x | BPF_##y] = &&x##_##y
11931213
#define BPF_INSN_3_LBL(x, y, z) [BPF_##x | BPF_##y | BPF_##z] = &&x##_##y##_##z
11941214
static const void *jumptable[256] = {
@@ -1268,36 +1288,36 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn, u64 *stack)
12681288
(*(s64 *) &DST) >>= IMM;
12691289
CONT;
12701290
ALU64_MOD_X:
1271-
div64_u64_rem(DST, SRC, &tmp);
1272-
DST = tmp;
1291+
div64_u64_rem(DST, SRC, &AX);
1292+
DST = AX;
12731293
CONT;
12741294
ALU_MOD_X:
1275-
tmp = (u32) DST;
1276-
DST = do_div(tmp, (u32) SRC);
1295+
AX = (u32) DST;
1296+
DST = do_div(AX, (u32) SRC);
12771297
CONT;
12781298
ALU64_MOD_K:
1279-
div64_u64_rem(DST, IMM, &tmp);
1280-
DST = tmp;
1299+
div64_u64_rem(DST, IMM, &AX);
1300+
DST = AX;
12811301
CONT;
12821302
ALU_MOD_K:
1283-
tmp = (u32) DST;
1284-
DST = do_div(tmp, (u32) IMM);
1303+
AX = (u32) DST;
1304+
DST = do_div(AX, (u32) IMM);
12851305
CONT;
12861306
ALU64_DIV_X:
12871307
DST = div64_u64(DST, SRC);
12881308
CONT;
12891309
ALU_DIV_X:
1290-
tmp = (u32) DST;
1291-
do_div(tmp, (u32) SRC);
1292-
DST = (u32) tmp;
1310+
AX = (u32) DST;
1311+
do_div(AX, (u32) SRC);
1312+
DST = (u32) AX;
12931313
CONT;
12941314
ALU64_DIV_K:
12951315
DST = div64_u64(DST, IMM);
12961316
CONT;
12971317
ALU_DIV_K:
1298-
tmp = (u32) DST;
1299-
do_div(tmp, (u32) IMM);
1300-
DST = (u32) tmp;
1318+
AX = (u32) DST;
1319+
do_div(AX, (u32) IMM);
1320+
DST = (u32) AX;
13011321
CONT;
13021322
ALU_END_TO_BE:
13031323
switch (IMM) {
@@ -1553,7 +1573,7 @@ STACK_FRAME_NON_STANDARD(___bpf_prog_run); /* jump table */
15531573
static unsigned int PROG_NAME(stack_size)(const void *ctx, const struct bpf_insn *insn) \
15541574
{ \
15551575
u64 stack[stack_size / sizeof(u64)]; \
1556-
u64 regs[MAX_BPF_REG]; \
1576+
u64 regs[MAX_BPF_EXT_REG]; \
15571577
\
15581578
FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
15591579
ARG1 = (u64) (unsigned long) ctx; \
@@ -1566,7 +1586,7 @@ static u64 PROG_NAME_ARGS(stack_size)(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5, \
15661586
const struct bpf_insn *insn) \
15671587
{ \
15681588
u64 stack[stack_size / sizeof(u64)]; \
1569-
u64 regs[MAX_BPF_REG]; \
1589+
u64 regs[MAX_BPF_EXT_REG]; \
15701590
\
15711591
FP = (u64) (unsigned long) &stack[ARRAY_SIZE(stack)]; \
15721592
BPF_R1 = r1; \

0 commit comments

Comments
 (0)