git.openwrt.org Git - openwrt/staging/blogic.git/commit

author	Alexei Starovoitov <ast@kernel.org>
	Tue, 15 May 2018 16:27:05 +0000 (09:27 -0700)
committer	Thomas Gleixner <tglx@linutronix.de>
	Sat, 19 May 2018 18:44:24 +0000 (20:44 +0200)
commit	af86ca4e3088fe5eacf2f7e58c01fa68ca067672
tree	d01711e5fe7b1674c2929c473ead8047001ba886	tree \| snapshot
parent	240da953fcc6a9008c92fae5b1f727ee5ed167ab	commit \| diff

bpf: Prevent memory disambiguation attack

Detect code patterns where malicious 'speculative store bypass' can be used
and sanitize such patterns.

39: (bf) r3 = r10
40: (07) r3 += -216
41: (79) r8 = *(u64 *)(r7 +0)   // slow read
42: (7a) *(u64 *)(r10 -72) = 0  // verifier inserts this instruction
43: (7b) *(u64 *)(r8 +0) = r3   // this store becomes slow due to r8
44: (79) r1 = *(u64 *)(r6 +0)   // cpu speculatively executes this load
45: (71) r2 = *(u8 *)(r1 +0)    // speculatively arbitrary 'load byte'
                                 // is now sanitized

Above code after x86 JIT becomes:
e5: mov    %rbp,%rdx
e8: add    $0xffffffffffffff28,%rdx
ef: mov    0x0(%r13),%r14
f3: movq   $0x0,-0x48(%rbp)
fb: mov    %rdx,0x0(%r14)
ff: mov    0x0(%rbx),%rdi
103: movzbq 0x0(%rdi),%rsi

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>

include/linux/bpf_verifier.h		diff \| blob \| history
kernel/bpf/verifier.c		diff \| blob \| history