[PATCH 00/13][SRU][B] Multiple BPF security issues
Tyler Hicks
tyhicks at canonical.com
Mon Feb 11 05:24:57 UTC 2019
The original intent of this set of backports was to address CVE-2019-7308 which
represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:

  kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
  undesirable out-of-bounds speculation on pointer arithmetic in various
  cases, including cases of different branches with different state or limits
  to sanitize, leading to side-channel attacks.

 - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html

However, as I started to backport patches I noticed other necessary fixes to
the Spectre Variant 1 BPF verifier mitigation and included them, as well.
They're marked with the original Spectre Variant 1 CVE ID which is
CVE-2017-5753.

Additionally, a potential security issue that I believe is unrelated to Spectre
Variant 1 is fixed by patch #2. The need for that patch was discovered while I
was inspecting BPF selftest results.

I've backported *minimal* related BPF selftest changes and included them in
this patch set. I did that partly because I wanted to be able to use the new
tests to verify my backports and partly because the backports were needed to
continue to have successful runs of the test_verifier selftest which is part of
our SRU testing. There are fewer selftest changes included in this Bionic
backport than my Cosmic backport because the BPF selftests in Bionic don't
support all the functionality needed for some tests and I had to draw the line
somewhere while backporting.

I've tested these backports with the updated selftests and they pass. I've also
tested the backports with the current upstream BPF selftests and ensured that
no tests show regressions.

Tyler

Alexei Starovoitov (1):
  bpf/verifier: disallow pointer subtraction

Daniel Borkmann (12):
  bpf: properly enforce index mask to prevent out-of-bounds speculation
  bpf: move {prev_,}insn_idx into verifier env
  bpf: move tmp variable into ax register in interpreter
  bpf: enable access to ax register also from verifier rewrite
  bpf: restrict map value pointer arithmetic for unprivileged
  bpf: restrict stack pointer arithmetic for unprivileged
  bpf: restrict unknown scalars of mixed signed bounds for unprivileged
  bpf: fix check_map_access smin_value test when pointer contains offset
  bpf: prevent out of bounds speculation on pointer arithmetic
  bpf: fix sanitation of alu op with pointer / scalar type from
    different paths
  bpf: fix inner map masking to prevent oob under speculation
  bpf: add various test cases to selftests

 include/linux/bpf_verifier.h                |  15 +-
 include/linux/filter.h                      |  10 +-
 kernel/bpf/core.c                           |  52 ++-
 kernel/bpf/map_in_map.c                     |  17 +-
 kernel/bpf/verifier.c                       | 449 ++++++++++++++++----
 tools/testing/selftests/bpf/test_verifier.c | 610 ++++++++++++++++++++++++++++
 6 files changed, 1048 insertions(+), 105 deletions(-)
--
2.7.4