APPLIED: [PATCH 00/12][SRU][C] Multiple BPF security issues

Khaled Elmously khalid.elmously at canonical.com
Mon Mar 4 04:51:54 UTC 2019


On 2019-02-11 05:23:39, Tyler Hicks wrote:
> The original intent of this set of backports was to address CVE-2019-7308 which
> represents a bypass in the Spectre Variant 1 mitigations in the BPF verifier:
> 
>  kernel/bpf/verifier.c in the Linux kernel before 4.20.6 performs
>  undesirable out-of-bounds speculation on pointer arithmetic in various
>  cases, including cases of different branches with different state or limits
>  to sanitize, leading to side-channel attacks.
> 
>  - https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-7308.html
> 
> However, as I started to backport patches I noticed other necessary fixes to
> the Spectre Variant 1 BPF verifier mitigation and included them, as well.
> They're marked with the original Spectre Variant 1 CVE ID which is
> CVE-2017-5753.
> 
> I've backported related BPF selftest changes and included them in this patch
> set. I did that partly because I wanted to be able to use the new tests to
> verify my backports and partly because the backports were needed to continue to
> have successful runs of the test_verifier selftest which is part of our SRU
> testing.
> 
> I've tested these backports with the updated selftests and they pass. I've also
> tested the backports with the current upstream BPF selftests and ensured that
> no tests show regressions.
> 
> Tyler
> 
> Daniel Borkmann (12):
>   bpf: move {prev_,}insn_idx into verifier env
>   bpf: move tmp variable into ax register in interpreter
>   bpf: enable access to ax register also from verifier rewrite
>   bpf: restrict map value pointer arithmetic for unprivileged
>   bpf: restrict stack pointer arithmetic for unprivileged
>   bpf: restrict unknown scalars of mixed signed bounds for unprivileged
>   bpf: fix check_map_access smin_value test when pointer contains offset
>   bpf: prevent out of bounds speculation on pointer arithmetic
>   bpf: fix sanitation of alu op with pointer / scalar type from
>     different paths
>   bpf: fix inner map masking to prevent oob under speculation
>   bpf: add various test cases to test_verifier
>   bpf: add various test cases to selftests
> 
>  include/linux/bpf_verifier.h                |   13 +
>  include/linux/filter.h                      |   10 +-
>  kernel/bpf/core.c                           |   54 +-
>  kernel/bpf/map_in_map.c                     |   17 +-
>  kernel/bpf/verifier.c                       |  370 +++++--
>  tools/testing/selftests/bpf/test_verifier.c | 1388 ++++++++++++++++++++++++++-
>  6 files changed, 1748 insertions(+), 104 deletions(-)
> 
> -- 
> 2.7.4
> 
> 
> -- 
> kernel-team mailing list
> kernel-team at lists.ubuntu.com
> https://lists.ubuntu.com/mailman/listinfo/kernel-team


