On 01/08/2018 02:33 AM, Alexei Starovoitov wrote:
> Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
> memory accesses under a bounds check may be speculated even if the
> bounds check fails, providing a primitive for building a side channel.
>
> To avoid leaking kernel data round up array-based maps and mask the index
> after bounds check, so speculated load with out of bounds index will load
> either valid value from the array or zero from the padded area.
>
> Unconditionally mask index for all array types even when max_entries
> are not rounded to power of 2 for root user.
> When map is created by unpriv user generate a sequence of bpf insns
> that includes AND operation to make sure that JITed code includes
> the same 'index & index_mask' operation.
>
> If prog_array map is created by unpriv user replace
> bpf_tail_call(ctx, map, index);
> with
> if (index >= max_entries) {
> index &= map->index_mask;
> bpf_tail_call(ctx, map, index);
> }
> (along with roundup to power 2) to prevent out-of-bounds speculation.
> There is secondary redundant 'if (index >= max_entries)' in the interpreter
> and in all JITs, but they can be optimized later if necessary.
>
> Other array-like maps (cpumap, devmap, sockmap, perf_event_array,
> cgroup_array)
> cannot be used by unpriv, so no changes there.
>
> That fixes bpf side of "Variant 1: bounds check bypass (CVE-2017-5753)" on
> all architectures with and without JIT.
>
> v2->v3:
> Daniel noticed that attack potentially can be crafted via syscall commands
> without loading the program, so add masking to those paths as well.
>
> Signed-off-by: Alexei Starovoitov <a...@kernel.org>
> Acked-by: John Fastabend <john.fastab...@gmail.com>
Applied to bpf tree, thanks Alexei!
