git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob

   1 From foo@baz Tue Mar  8 07:47:24 PM CET 2022
   2 From: Josh Poimboeuf <jpoimboe@redhat.com>
   3 Date: Fri, 18 Feb 2022 11:49:08 -0800
   4 Subject: x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting
   5
   6 From: Josh Poimboeuf <jpoimboe@redhat.com>
   7
   8 commit 44a3918c8245ab10c6c9719dd12e7a8d291980d8 upstream.
   9
  10 With unprivileged eBPF enabled, eIBRS (without retpoline) is vulnerable
  11 to Spectre v2 BHB-based attacks.
  12
  13 When both are enabled, print a warning message and report it in the
  14 'spectre_v2' sysfs vulnerabilities file.
  15
  16 Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
  17 Signed-off-by: Borislav Petkov <bp@suse.de>
  18 Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
  19 [fllinden@amazon.com: backported to 4.19]
  20 Signed-off-by: Frank van der Linden <fllinden@amazon.com>
  21 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  22 ---
  23  arch/x86/kernel/cpu/bugs.c |   35 +++++++++++++++++++++++++++++------
  24  include/linux/bpf.h        |   11 +++++++++++
  25  kernel/sysctl.c            |    8 ++++++++
  26  3 files changed, 48 insertions(+), 6 deletions(-)
  27
  28 --- a/arch/x86/kernel/cpu/bugs.c
  29 +++ b/arch/x86/kernel/cpu/bugs.c
  30 @@ -31,6 +31,7 @@
  31  #include <asm/intel-family.h>
  32  #include <asm/e820/api.h>
  33  #include <asm/hypervisor.h>
  34 +#include <linux/bpf.h>
  35
  36  #include "cpu.h"
  37
  38 @@ -607,6 +608,16 @@ static inline const char *spectre_v2_mod
  39  static inline const char *spectre_v2_module_string(void) { return ""; }
  40  #endif
  41
  42 +#define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
  43 +
  44 +#ifdef CONFIG_BPF_SYSCALL
  45 +void unpriv_ebpf_notify(int new_state)
  46 +{
  47 +       if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state)
  48 +               pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
  49 +}
  50 +#endif
  51 +
  52  static inline bool match_option(const char *arg, int arglen, const char *opt)
  53  {
  54         int len = strlen(opt);
  55 @@ -950,6 +961,9 @@ static void __init spectre_v2_select_mit
  56                 break;
  57         }
  58
  59 +       if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
  60 +               pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
  61 +
  62         if (spectre_v2_in_eibrs_mode(mode)) {
  63                 /* Force it so VMEXIT will restore correctly */
  64                 x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
  65 @@ -1685,6 +1699,20 @@ static char *ibpb_state(void)
  66         return "";
  67  }
  68
  69 +static ssize_t spectre_v2_show_state(char *buf)
  70 +{
  71 +       if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
  72 +               return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
  73 +
  74 +       return sprintf(buf, "%s%s%s%s%s%s\n",
  75 +                      spectre_v2_strings[spectre_v2_enabled],
  76 +                      ibpb_state(),
  77 +                      boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
  78 +                      stibp_state(),
  79 +                      boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
  80 +                      spectre_v2_module_string());
  81 +}
  82 +
  83  static ssize_t srbds_show_state(char *buf)
  84  {
  85         return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
  86 @@ -1710,12 +1738,7 @@ static ssize_t cpu_show_common(struct de
  87                 return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
  88
  89         case X86_BUG_SPECTRE_V2:
  90 -               return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
  91 -                              ibpb_state(),
  92 -                              boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
  93 -                              stibp_state(),
  94 -                              boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
  95 -                              spectre_v2_module_string());
  96 +               return spectre_v2_show_state(buf);
  97
  98         case X86_BUG_SPEC_STORE_BYPASS:
  99                 return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
 100 --- a/include/linux/bpf.h
 101 +++ b/include/linux/bpf.h
 102 @@ -533,6 +533,11 @@ static inline int bpf_map_attr_numa_node
 103  struct bpf_prog *bpf_prog_get_type_path(const char *name, enum bpf_prog_type type);
 104  int array_map_alloc_check(union bpf_attr *attr);
 105
 106 +static inline bool unprivileged_ebpf_enabled(void)
 107 +{
 108 +       return !sysctl_unprivileged_bpf_disabled;
 109 +}
 110 +
 111  #else /* !CONFIG_BPF_SYSCALL */
 112  static inline struct bpf_prog *bpf_prog_get(u32 ufd)
 113  {
 114 @@ -801,6 +806,12 @@ static inline int bpf_fd_reuseport_array
 115  {
 116         return -EOPNOTSUPP;
 117  }
 118 +
 119 +static inline bool unprivileged_ebpf_enabled(void)
 120 +{
 121 +       return false;
 122 +}
 123 +
 124  #endif /* CONFIG_BPF_SYSCALL */
 125  #endif /* defined(CONFIG_INET) && defined(CONFIG_BPF_SYSCALL) */
 126
 127 --- a/kernel/sysctl.c
 128 +++ b/kernel/sysctl.c
 129 @@ -251,6 +251,11 @@ static int sysrq_sysctl_handler(struct c
 130  #endif
 131
 132  #ifdef CONFIG_BPF_SYSCALL
 133 +
 134 +void __weak unpriv_ebpf_notify(int new_state)
 135 +{
 136 +}
 137 +
 138  static int bpf_unpriv_handler(struct ctl_table *table, int write,
 139                               void *buffer, size_t *lenp, loff_t *ppos)
 140  {
 141 @@ -268,6 +273,9 @@ static int bpf_unpriv_handler(struct ctl
 142                         return -EPERM;
 143                 *(int *)table->data = unpriv_enable;
 144         }
 145 +
 146 +       unpriv_ebpf_notify(unpriv_enable);
 147 +
 148         return ret;
 149  }
 150  #endif