APPLIED: [PATCH 00/13][SRU][B] Multiple BPF security issues
Khaled Elmously
khalid.elmously at canonical.com
Mon Mar 4 04:45:07 UTC 2019
On 2019-02-11 05:24:57 , Tyler Hicks wrote:
> The original intent of this set of backports was to address CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
>
> kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
> undesirable out-of-bounds speculation on pointer arithmetic in various
> cases, including cases of different branches with different state or limits
> to sanitize, leading to side-channel attacks.
>
> - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
>
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
>
> Additionally, a potential security issue that I believe is unrelated to Spectre
> Variant 1 is fixed by patch #2. The need for that patch was discovered while I
> was inspecting BPF selftest results.
>
> I've backported *minimal* related BPF selftest changes and included them in
> this patch set. I did that partly because I wanted to be able to use the new
> tests to verify my backports and partly because the backports were needed to
> continue to have successful runs of the test_verifier selftest which is part of
> our SRU testing. There are fewer selftest changes included in this Bionic
> backport than my Cosmic backport because the BPF selftests in Bionic don't
> support all the functionality needed for some tests and I had to draw the line
> somewhere while backporting.
>
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
>
> Tyler
>
> Alexei Starovoitov (1):
>   bpf/verifier: disallow pointer subtraction
>
> Daniel Borkmann (12):
>   bpf: properly enforce index mask to prevent out-of-bounds speculation
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to selftests
>
> include/linux/bpf_verifier.h | 15 +-
> include/linux/filter.h | 10 +-
> kernel/bpf/core.c | 52 ++-
> kernel/bpf/map_in_map.c | 17 +-
> kernel/bpf/verifier.c | 449 ++++++++++++++++----
> tools/testing/selftests/bpf/test_verifier.c | 610 ++++++++++++++++++++++++++++
> 6 files changed, 1048 insertions(+), 105 deletions(-)
>
> --
> 2.7.4