--- /dev/null
+From 1b1597e64e1a610c7a96710fc4717158e98a08b3 Mon Sep 17 00:00:00 2001
+From: Piotr Krysiuk <piotras@gmail.com>
+Date: Tue, 16 Mar 2021 09:47:02 +0100
+Subject: bpf: Add sanity check for upper ptr_limit
+
+From: Piotr Krysiuk <piotras@gmail.com>
+
+commit 1b1597e64e1a610c7a96710fc4717158e98a08b3 upstream.
+
+Given we know the max possible value of ptr_limit at the time of retrieving
+the latter, add basic assertions, so that the verifier can bail out if
+anything looks odd and reject the program. Nothing triggered this so far,
+but it also does not hurt to have these.
+
+Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
+Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5389,10 +5389,14 @@ static int retrieve_ptr_limit(const stru
+ {
+ bool mask_to_left = (opcode == BPF_ADD && off_is_neg) ||
+ (opcode == BPF_SUB && !off_is_neg);
+- u32 off;
++ u32 off, max;
+
+ switch (ptr_reg->type) {
+ case PTR_TO_STACK:
++ /* Offset 0 is out-of-bounds, but acceptable start for the
++ * left direction, see BPF_REG_FP.
++ */
++ max = MAX_BPF_STACK + mask_to_left;
+ /* Indirect variable offset stack access is prohibited in
+ * unprivileged mode so it's not handled here.
+ */
+@@ -5401,15 +5405,16 @@ static int retrieve_ptr_limit(const stru
+ *ptr_limit = MAX_BPF_STACK + off;
+ else
+ *ptr_limit = -off - 1;
+- return 0;
++ return *ptr_limit >= max ? -ERANGE : 0;
+ case PTR_TO_MAP_VALUE:
++ max = ptr_reg->map_ptr->value_size;
+ if (mask_to_left) {
+ *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
+ } else {
+ off = ptr_reg->smin_value + ptr_reg->off;
+ *ptr_limit = ptr_reg->map_ptr->value_size - off - 1;
+ }
+- return 0;
++ return *ptr_limit >= max ? -ERANGE : 0;
+ default:
+ return -EINVAL;
+ }
--- /dev/null
+From 10d2bb2e6b1d8c4576c56a748f697dbeb8388899 Mon Sep 17 00:00:00 2001
+From: Piotr Krysiuk <piotras@gmail.com>
+Date: Tue, 16 Mar 2021 08:20:16 +0100
+Subject: bpf: Fix off-by-one for area size in creating mask to left
+
+From: Piotr Krysiuk <piotras@gmail.com>
+
+commit 10d2bb2e6b1d8c4576c56a748f697dbeb8388899 upstream.
+
+retrieve_ptr_limit() computes the ptr_limit for registers with stack and
+map_value type. ptr_limit is the size of the memory area that is still
+valid / in-bounds from the point of the current position and direction
+of the operation (add / sub). This size will later be used for masking
+the operation such that attempting out-of-bounds access in the speculative
+domain is redirected to remain within the bounds of the current map value.
+
+When masking to the right the size is correct, however, when masking to
+the left, the size is off-by-one which would lead to an incorrect mask
+and thus incorrect arithmetic operation in the non-speculative domain.
+Piotr found that if the resulting alu_limit value is zero, then the
+BPF_MOV32_IMM() from the fixup_bpf_calls() rewrite will end up loading
+0xffffffff into AX instead of sign-extending to the full 64 bit range,
+and as a result, this allows abuse for executing speculatively out-of-
+bounds loads against 4GB window of address space and thus extracting the
+contents of kernel memory via side-channel.
+
+Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic")
+Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
+Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5398,13 +5398,13 @@ static int retrieve_ptr_limit(const stru
+ */
+ off = ptr_reg->off + ptr_reg->var_off.value;
+ if (mask_to_left)
+- *ptr_limit = MAX_BPF_STACK + off;
++ *ptr_limit = MAX_BPF_STACK + off + 1;
+ else
+ *ptr_limit = -off;
+ return 0;
+ case PTR_TO_MAP_VALUE:
+ if (mask_to_left) {
+- *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
++ *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1;
+ } else {
+ off = ptr_reg->smin_value + ptr_reg->off;
+ *ptr_limit = ptr_reg->map_ptr->value_size - off;
--- /dev/null
+From f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 Mon Sep 17 00:00:00 2001
+From: Piotr Krysiuk <piotras@gmail.com>
+Date: Tue, 16 Mar 2021 09:47:02 +0100
+Subject: bpf: Prohibit alu ops for pointer types not defining ptr_limit
+
+From: Piotr Krysiuk <piotras@gmail.com>
+
+commit f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 upstream.
+
+The purpose of this patch is to streamline error propagation and in particular
+to propagate retrieve_ptr_limit() errors for pointer types that are not defining
+a ptr_limit such that register-based alu ops against these types can be rejected.
+
+The main rationale is that a gap has been identified by Piotr in the existing
+protection against speculatively out-of-bounds loads, for example, in case of
+ctx pointers, unprivileged programs can still perform pointer arithmetic. This
+can be abused to execute speculatively out-of-bounds loads without restrictions
+and thus extract contents of kernel memory.
+
+Fix this by rejecting unprivileged programs that attempt any pointer arithmetic
+on unprotected pointer types. The two affected ones are pointer to ctx as well
+as pointer to map. Field access to a modified ctx' pointer is rejected at a
+later point in time in the verifier, and 7c6967326267 ("bpf: Permit map_ptr
+arithmetic with opcode add and offset 0") only relevant for root-only use cases.
+Risk of unprivileged program breakage is considered very low.
+
+Fixes: 7c6967326267 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0")
+Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
+Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
+Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 16 ++++++++++------
+ 1 file changed, 10 insertions(+), 6 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5462,6 +5462,7 @@ static int sanitize_ptr_alu(struct bpf_v
+ u32 alu_state, alu_limit;
+ struct bpf_reg_state tmp;
+ bool ret;
++ int err;
+
+ if (can_skip_alu_sanitation(env, insn))
+ return 0;
+@@ -5477,10 +5478,13 @@ static int sanitize_ptr_alu(struct bpf_v
+ alu_state |= ptr_is_dst_reg ?
+ BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST;
+
+- if (retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg))
+- return 0;
+- if (update_alu_sanitation_state(aux, alu_state, alu_limit))
+- return -EACCES;
++ err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg);
++ if (err < 0)
++ return err;
++
++ err = update_alu_sanitation_state(aux, alu_state, alu_limit);
++ if (err < 0)
++ return err;
+ do_sim:
+ /* Simulate and find potential out-of-bounds access under
+ * speculative execution from truncation as a result of
+@@ -5596,7 +5600,7 @@ static int adjust_ptr_min_max_vals(struc
+ case BPF_ADD:
+ ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
+ if (ret < 0) {
+- verbose(env, "R%d tried to add from different maps or paths\n", dst);
++ verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst);
+ return ret;
+ }
+ /* We can take a fixed offset as long as it doesn't overflow
+@@ -5651,7 +5655,7 @@ static int adjust_ptr_min_max_vals(struc
+ case BPF_SUB:
+ ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0);
+ if (ret < 0) {
+- verbose(env, "R%d tried to sub from different maps or paths\n", dst);
++ verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst);
+ return ret;
+ }
+ if (dst_reg == off_reg) {
--- /dev/null
+From 0a13e3537ea67452d549a6a80da3776d6b7dedb3 Mon Sep 17 00:00:00 2001
+From: Piotr Krysiuk <piotras@gmail.com>
+Date: Tue, 16 Mar 2021 11:44:42 +0100
+Subject: bpf, selftests: Fix up some test_verifier cases for unprivileged
+
+From: Piotr Krysiuk <piotras@gmail.com>
+
+commit 0a13e3537ea67452d549a6a80da3776d6b7dedb3 upstream.
+
+Fix up test_verifier error messages for the case where the original error
+message changed, or for the case where pointer alu errors differ between
+privileged and unprivileged tests. Also, add alternative tests for keeping
+coverage of the original verifier rejection error message (fp alu), and
+newly reject map_ptr += rX where rX == 0 given we now forbid alu on these
+types for unprivileged. All test_verifier cases pass after the change. The
+test case fixups were kept separate to ease backporting of core changes.
+
+Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
+Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/verifier/bounds_deduction.c | 27 +++++++++++-----
+ tools/testing/selftests/bpf/verifier/map_ptr.c | 4 ++
+ tools/testing/selftests/bpf/verifier/unpriv.c | 15 ++++++++
+ tools/testing/selftests/bpf/verifier/value_ptr_arith.c | 23 +++++++++++++
+ 4 files changed, 59 insertions(+), 10 deletions(-)
+
+--- a/tools/testing/selftests/bpf/verifier/bounds_deduction.c
++++ b/tools/testing/selftests/bpf/verifier/bounds_deduction.c
+@@ -6,8 +6,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 2",
+@@ -20,6 +21,8 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
+ BPF_EXIT_INSN(),
+ },
++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
++ .result_unpriv = REJECT,
+ .result = ACCEPT,
+ .retval = 1,
+ },
+@@ -31,8 +34,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 4",
+@@ -45,6 +49,8 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0),
+ BPF_EXIT_INSN(),
+ },
++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
++ .result_unpriv = REJECT,
+ .result = ACCEPT,
+ },
+ {
+@@ -55,8 +61,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 6",
+@@ -67,8 +74,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 7",
+@@ -80,8 +88,9 @@
+ offsetof(struct __sk_buff, mark)),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "dereference of modified ctx ptr",
++ .result = REJECT,
+ .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+ },
+ {
+@@ -94,8 +103,9 @@
+ offsetof(struct __sk_buff, mark)),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
+ .errstr = "dereference of modified ctx ptr",
++ .result = REJECT,
+ .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS,
+ },
+ {
+@@ -106,8 +116,9 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
++ .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types",
+ .errstr = "R0 tried to subtract pointer from scalar",
++ .result = REJECT,
+ },
+ {
+ "check deducing bounds from const, 10",
+@@ -119,6 +130,6 @@
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
+ BPF_EXIT_INSN(),
+ },
+- .result = REJECT,
+ .errstr = "math between ctx pointer and register with unbounded min value is not allowed",
++ .result = REJECT,
+ },
+--- a/tools/testing/selftests/bpf/verifier/map_ptr.c
++++ b/tools/testing/selftests/bpf/verifier/map_ptr.c
+@@ -75,6 +75,8 @@
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_hash_16b = { 4 },
++ .result_unpriv = REJECT,
++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
+ .result = ACCEPT,
+ },
+ {
+@@ -91,5 +93,7 @@
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_hash_16b = { 4 },
++ .result_unpriv = REJECT,
++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
+ .result = ACCEPT,
+ },
+--- a/tools/testing/selftests/bpf/verifier/unpriv.c
++++ b/tools/testing/selftests/bpf/verifier/unpriv.c
+@@ -496,7 +496,7 @@
+ .result = ACCEPT,
+ },
+ {
+- "unpriv: adding of fp",
++ "unpriv: adding of fp, reg",
+ .insns = {
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_MOV64_IMM(BPF_REG_1, 0),
+@@ -504,6 +504,19 @@
+ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
+ BPF_EXIT_INSN(),
+ },
++ .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types",
++ .result_unpriv = REJECT,
++ .result = ACCEPT,
++},
++{
++ "unpriv: adding of fp, imm",
++ .insns = {
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0),
++ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8),
++ BPF_EXIT_INSN(),
++ },
+ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range",
+ .result_unpriv = REJECT,
+ .result = ACCEPT,
+--- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
++++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c
+@@ -169,7 +169,7 @@
+ .fixup_map_array_48b = { 1 },
+ .result = ACCEPT,
+ .result_unpriv = REJECT,
+- .errstr_unpriv = "R2 tried to add from different maps or paths",
++ .errstr_unpriv = "R2 tried to add from different maps, paths, or prohibited types",
+ .retval = 0,
+ },
+ {
+@@ -517,6 +517,27 @@
+ .retval = 0xabcdef12,
+ },
+ {
++ "map access: value_ptr += N, value_ptr -= N known scalar",
++ .insns = {
++ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
++ BPF_MOV64_REG(BPF_REG_2, BPF_REG_10),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_2, -8),
++ BPF_LD_MAP_FD(BPF_REG_1, 0),
++ BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 0, 0, BPF_FUNC_map_lookup_elem),
++ BPF_JMP_IMM(BPF_JEQ, BPF_REG_0, 0, 6),
++ BPF_MOV32_IMM(BPF_REG_1, 0x12345678),
++ BPF_STX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, 0),
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_0, 2),
++ BPF_MOV64_IMM(BPF_REG_1, 2),
++ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1),
++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .fixup_map_array_48b = { 3 },
++ .result = ACCEPT,
++ .retval = 0x12345678,
++},
++{
+ "map access: unknown scalar += value_ptr, 1",
+ .insns = {
+ BPF_ST_MEM(BPF_DW, BPF_REG_10, -8, 0),
--- /dev/null
+From b5871dca250cd391885218b99cc015aca1a51aea Mon Sep 17 00:00:00 2001
+From: Piotr Krysiuk <piotras@gmail.com>
+Date: Tue, 16 Mar 2021 08:26:25 +0100
+Subject: bpf: Simplify alu_limit masking for pointer arithmetic
+
+From: Piotr Krysiuk <piotras@gmail.com>
+
+commit b5871dca250cd391885218b99cc015aca1a51aea upstream.
+
+Instead of having the mov32 with aux->alu_limit - 1 immediate, move this
+operation to retrieve_ptr_limit() instead to simplify the logic and to
+allow for subsequent sanity boundary checks inside retrieve_ptr_limit().
+This avoids in future that at the time of the verifier masking rewrite
+we'd run into an underflow which would not sign extend due to the nature
+of mov32 instruction.
+
+Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
+Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5398,16 +5398,16 @@ static int retrieve_ptr_limit(const stru
+ */
+ off = ptr_reg->off + ptr_reg->var_off.value;
+ if (mask_to_left)
+- *ptr_limit = MAX_BPF_STACK + off + 1;
++ *ptr_limit = MAX_BPF_STACK + off;
+ else
+- *ptr_limit = -off;
++ *ptr_limit = -off - 1;
+ return 0;
+ case PTR_TO_MAP_VALUE:
+ if (mask_to_left) {
+- *ptr_limit = ptr_reg->umax_value + ptr_reg->off + 1;
++ *ptr_limit = ptr_reg->umax_value + ptr_reg->off;
+ } else {
+ off = ptr_reg->smin_value + ptr_reg->off;
+- *ptr_limit = ptr_reg->map_ptr->value_size - off;
++ *ptr_limit = ptr_reg->map_ptr->value_size - off - 1;
+ }
+ return 0;
+ default:
+@@ -11083,7 +11083,7 @@ static int fixup_bpf_calls(struct bpf_ve
+ off_reg = issrc ? insn->src_reg : insn->dst_reg;
+ if (isneg)
+ *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1);
+- *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit - 1);
++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit);
+ *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg);
+ *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg);
+ *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0);
gfs2-add-common-helper-for-holding-and-releasing-the.patch
gfs2-move-freeze-glock-outside-the-make_fs_rw-and-_r.patch
gfs2-bypass-signal_our_withdraw-if-no-journal.patch
+bpf-prohibit-alu-ops-for-pointer-types-not-defining-ptr_limit.patch
+bpf-fix-off-by-one-for-area-size-in-creating-mask-to-left.patch
+bpf-simplify-alu_limit-masking-for-pointer-arithmetic.patch
+bpf-add-sanity-check-for-upper-ptr_limit.patch
+bpf-selftests-fix-up-some-test_verifier-cases-for-unprivileged.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
