[SRU Focal, Groovy, Hirsute, Focal/linux-oem-5.10 3/3] bpf: No need to simulate speculative domain for immediates
Thadeu Lima de Souza Cascardo
cascardo at canonical.com
Thu May 27 21:36:45 UTC 2021
From: Daniel Borkmann <daniel at iogearbox.net>
In 801c6058d14a ("bpf: Fix leakage of uninitialized bpf stack under
speculation") we replaced masking logic with direct loads of immediates
if the register is a known constant. Given in this case we do not apply
any masking, there is also no reason for the operation to be truncated
under the speculative domain.
Therefore, there is also zero reason for the verifier to branch-off and
simulate this case, it only needs to do it for unknown but bounded scalars.
As a side-effect, this also enables few test cases that were previously
rejected due to simulation under zero truncation.
Signed-off-by: Daniel Borkmann <daniel at iogearbox.net>
Reviewed-by: Piotr Krysiuk <piotras at gmail.com>
Acked-by: Alexei Starovoitov <ast at kernel.org>
(cherry picked from commit a7036191277f9fa68d92f2071ddc38c09b1e5ee5)
CVE-2021-33200
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo at canonical.com>
---
kernel/bpf/verifier.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index fe0aca9d1cf4..aefd94794796 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -4408,8 +4408,12 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
/* If we're in commit phase, we're done here given we already
* pushed the truncated dst_reg into the speculative verification
* stack.
+ *
+ * Also, when register is a known constant, we rewrite register-based
+ * operation to immediate-based, and thus do not need masking (and as
+ * a consequence, do not need to simulate the zero-truncation either).
*/
- if (commit_window)
+ if (commit_window || off_is_imm)
return 0;
/* Simulate and find potential out-of-bounds access under
--
2.30.2
More information about the kernel-team
mailing list