Re: [PATCH 4.19 00/13] bpf: backport fixes for CVE-2021-34556/CVE-2021-35477

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, Sep 13, 2021 at 06:35:24PM +0300, Ovidiu Panait wrote:
> Backport summary
> ----------------
> 679c782de14b ("bpf/verifier: per-register parent pointers")
> 	* Context patch for 2039f26f3aca5 ("bpf: Fix leakage due to
> 	  insufficient speculative store bypass mitigation").
> 	* Context adjustments because of the code added by post-4.19 commit:
> 	  f92a819b4cbef ("bpf: prevent out of bounds speculation on pointer
> 	  arithmetic").
> 
> 0bae2d4d62d5 ("bpf: correct slot_type marking logic to allow more stack slot sharing")
> 	* Context patch for 2039f26f3aca5 ("bpf: Fix leakage due to
> 	  insufficient speculative store bypass mitigation").
> 	* Minor context adjustement in selftest.
> 
> 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
> 	* Context patch for 2039f26f3aca5 ("bpf: Fix leakage due to
> 	  insufficient speculative store bypass mitigation").
> 	* 4.19 does not have the reg_state(env, regno) helper defined, so
> 	  replace the call with "cur_regs(env) + regno".
> 
> f2bcd05ec7b8 ("bpf: Reject indirect var_off stack access in raw mode")
> 	* Follow-up fix for 2011fccfb61bb ("bpf: Support variable offset stack
> 	  access from helpers").
> 	* Clean cherry-pick.
> 
> 088ec26d9c2d ("bpf: Reject indirect var_off stack access in unpriv")
> 	* Follow-up fix for 2011fccfb61bb ("bpf: Support variable offset stack
> 	  access from helpers").
> 	* Drop comment in retrieve_ptr_limit(), as it was made obsolete by
> 	  post-4.19 commit 45bfdd767e235 ("bpf: Tighten speculative pointer
> 	  arithmetic mask").
> 
> 107c26a70ca8 ("bpf: Sanity check max value for var_off stack access")
> 	* Follow-up fix for 2011fccfb61bb ("bpf: Support variable offset stack
> 	  access from helpers").
> 	* Clean cherry-pick.
> 
> 8ff80e96e3cc ("selftests/bpf: Test variable offset stack access")
> 	* Selftest follow-up for 2011fccfb61bb ("bpf: Support variable offset
> 	  stack access from helpers").
> 	* Post-4.19, the verifier tests were split into different
> 	  files, in 4.19 they are still all in test_verifier.c, so apply the
> 	  changes manually.
> 
> f7cf25b2026d ("bpf: track spill/fill of constants")
> 	* Context patch for 2039f26f3aca5 ("bpf: Fix leakage due to
> 	  insufficient speculative store bypass mitigation").
> 	* Drop verbose_linfo() calls, as the function is not implemented in 4.19.
> 	* Adjust mark_reg_read() calls to match the prototype in 4.19.
> 	  (mark_reg_read() was changed to take 4 parameters in post-4.19 commit
> 	  5327ed3d44b75("bpf: verifier: mark verified-insn with sub-register
> 	  zext flag"), but backporting it is out of scope for this patchseries).
> 
> fc559a70d57c ("selftests/bpf: fix tests due to const spill/fill")
> 	* Selftest follow-up for f7cf25b2026d ("bpf: track spill/fill of constants").
> 	* Post-4.19, the verifier tests were split into different
> 	  files, in 4.19 they are still all in test_verifier.c, so apply the
> 	  changes manually.
> 
> f5e81d111750 ("bpf: Introduce BPF nospec instruction for mitigating Spectre v4")
> 	* Contextual adjustments.
> 	* Drop arch/powerpc/net/bpf_jit_comp32.c changes, as the file is not
> 	  present in 4.19
> 	* Drop riscv changes, as arch/riscv/net/bpf_jit_comp.c file is not
> 	  present in 4.19
> 
> 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
> 	* Contextual adjustments.
> 	* Apply check_stack_write_fixed_off() changes in check_stack_write().
> 	* Replace env->bypass_spec_v4 -> env->allow_ptr_leaks.
> 
> c9e73e3d2b1e ("bpf: verifier: Allocate idmap scratch in verifier env")
> e042aa532c84 ("bpf: Fix pointer arithmetic mask tightening under state")
> 	* Contextual adjustments.
> 
> With this patchseries all bpf verifier selftests pass (tested in qemu for x86_64):
> root@intel-x86-64:~# ./test_verifier
> ...
> #663/p pass modified ctx pointer to helper, 3 OK
> #664/p mov64 src == dst OK
> #665/p mov64 src != dst OK
> #666/u calls: ctx read at start of subprog OK
> #666/p calls: ctx read at start of subprog OK
> Summary: 932 PASSED, 0 SKIPPED, 0 FAILED
> 

All now queued up, thanks for the backports!

greg k-h



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux