On 01/08/2018 02:33 AM, Alexei Starovoitov wrote:
> Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
> memory accesses under a bounds check may be speculated even if the
> bounds check fails, providing a primitive for building a side channel.
>
> To avoid leaking kernel data round up array-based maps and mask the index
> after bounds check, so speculated load with out of bounds index will load
> either valid value from the array or zero from the padded area.
>
> Unconditionally mask index for all array types even when max_entries
> are not rounded to power of 2 for root user.
> When map is created by unpriv user generate a sequence of bpf insns
> that includes AND operation to make sure that JITed code includes
> the same 'index & index_mask' operation.
>
> If prog_array map is created by unpriv user replace
>   bpf_tail_call(ctx, map, index);
> with
>   if (index >= max_entries) {
>     index &= map->index_mask;
>     bpf_tail_call(ctx, map, index);
>   }
> (along with roundup to power 2) to prevent out-of-bounds speculation.
> There is secondary redundant 'if (index >= max_entries)' in the interpreter
> and in all JITs, but they can be optimized later if necessary.
>
> Other array-like maps (cpumap, devmap, sockmap, perf_event_array,
> cgroup_array)
> cannot be used by unpriv, so no changes there.
>
> That fixes bpf side of "Variant 1: bounds check bypass (CVE-2017-5753)" on
> all architectures with and without JIT.
>
> v2->v3:
> Daniel noticed that attack potentially can be crafted via syscall commands
> without loading the program, so add masking to those paths as well.
>
> Signed-off-by: Alexei Starovoitov <a...@kernel.org>
> Acked-by: John Fastabend <john.fastab...@gmail.com>
Applied to bpf tree, thanks Alexei!
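A user-space model of the mitigation described in the quoted commit message, added here as an example and not code from the patch or the kernel: the map's backing store is rounded up to a power of two, `index_mask` is that size minus one, and the index is masked after the bounds check, so a load that runs past a mispredicted check can only reach a real slot or zeroed padding. `roundup_pow_of_two_u32`, `array_map_init`, `array_map_lookup`, `speculative_load` and the `sample_map` values are all constructed for this illustration.

```c
#include <stdint.h>
#include <stdlib.h>
/* Constructed model of the quoted patch's array-map mitigation: round the
 * backing store up to a power of two and mask the index after the bounds
 * check.  Example code, not the kernel's implementation. */
struct array_map {
    uint32_t max_entries;  /* user-visible size */
    uint32_t index_mask;   /* roundup_pow_of_two(max_entries) - 1 */
    uint64_t *values;      /* index_mask + 1 slots, tail zero-filled */
};
/* Smallest power of two >= n, for n >= 1 (hypothetical helper). */
static uint32_t roundup_pow_of_two_u32(uint32_t n)
{
    uint32_t p = 1;
    while (p < n)
        p <<= 1;
    return p;
}

static int array_map_init(struct array_map *m, uint32_t max_entries)
{
    uint32_t padded = roundup_pow_of_two_u32(max_entries);
    m->max_entries = max_entries;
    m->index_mask = padded - 1;
    m->values = calloc(padded, sizeof(*m->values)); /* padding reads as 0 */
    return m->values ? 0 : -1;
}
/* Architectural lookup: bounds check, then mask.  Even if the branch is
 * mispredicted, the masked index can never exceed index_mask. */
static uint64_t *array_map_lookup(struct array_map *m, uint32_t index)
{
    if (index >= m->max_entries)
        return NULL;
    index &= m->index_mask;
    return &m->values[index];
}

/* Upper bound on what a load past a mispredicted check sees: a slot or 0. */
static uint64_t speculative_load(struct array_map *m, uint32_t index)
{
    return m->values[index & m->index_mask];
}
/* Constructed sample: max_entries = 5 holding 11..55, padded to 8 slots. */
static struct array_map *sample_map(void)
{
    static struct array_map m;
    if (!m.values && array_map_init(&m, 5) == 0)
        for (uint32_t i = 0; i < 5; i++)
            m.values[i] = 11 * (i + 1);
    return &m;
}
```

With max_entries = 5 the store is padded to 8 slots, so an index of 13 masks to 5 and reads zero from the padding, while 9 masks to 1 and reads a value the map already exposes.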