diff options
| author | Daniel Borkmann <daniel@iogearbox.net> | 2021-03-24 12:38:26 +0300 | 
|---|---|---|
| committer | Daniel Borkmann <daniel@iogearbox.net> | 2021-04-17 00:52:01 +0300 | 
| commit | 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 (patch) | |
| tree | 4bcdfe16eb98bdef7b7b65356906b39efe462a54 /lib/mpi/mpi-div.c | |
| parent | f528819334881fd622fdadeddb3f7edaed8b7c9b (diff) | |
| download | linux-7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0.tar.xz | |
bpf: Tighten speculative pointer arithmetic mask
This work tightens the offset mask we use for unprivileged pointer arithmetic
in order to mitigate a corner case reported by Piotr and Benedict where in
the speculative domain it is possible to advance, for example, the map value
pointer by up to value_size-1 out-of-bounds in order to leak kernel memory
via side-channel to user space.
Before this change, the computed ptr_limit for retrieve_ptr_limit() helper
represents largest valid distance when moving pointer to the right or left
which is then fed as aux->alu_limit to generate masking instructions against
the offset register. After the change, the derived aux->alu_limit represents
the largest potential value of the offset register which we mask against which
is just a narrower subset of the former limit.
For minimal complexity, we call sanitize_ptr_alu() from 2 observation points
in adjust_ptr_min_max_vals(), that is, before and after the simulated alu
operation. In the first step, we retieve the alu_state and alu_limit before
the operation as well as we branch-off a verifier path and push it to the
verification stack as we did before which checks the dst_reg under truncation,
in other words, when the speculative domain would attempt to move the pointer
out-of-bounds.
In the second step, we retrieve the new alu_limit and calculate the absolute
distance between both. Moreover, we commit the alu_state and final alu_limit
via update_alu_sanitation_state() to the env's instruction aux data, and bail
out from there if there is a mismatch due to coming from different verification
paths with different states.
Reported-by: Piotr Krysiuk <piotras@gmail.com>
Reported-by: Benedict Schlueter <benedict.schlueter@rub.de>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Tested-by: Benedict Schlueter <benedict.schlueter@rub.de>
Diffstat (limited to 'lib/mpi/mpi-div.c')
0 files changed, 0 insertions, 0 deletions
