lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <7a5382e0-7eff-6f47-4383-d749fd84f518@iogearbox.net>
Date:   Fri, 1 Feb 2019 21:12:05 +0100
From:   Daniel Borkmann <daniel@...earbox.net>
To:     Jann Horn <jannh@...gle.com>, Alexei Starovoitov <ast@...nel.org>
Cc:     kernel list <linux-kernel@...r.kernel.org>, stable@...r.kernel.org,
        Sasha Levin <sashal@...nel.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: Re: [PATCH 4.19 095/103] bpf: prevent out of bounds speculation on
 pointer arithmetic

On 02/01/2019 06:38 PM, Jann Horn wrote:
> On Fri, Feb 1, 2019 at 3:45 PM Greg Kroah-Hartman
> <gregkh@...uxfoundation.org> wrote:
>> On Fri, Feb 01, 2019 at 03:08:52PM +0100, Greg Kroah-Hartman wrote:
>>> On Fri, Feb 01, 2019 at 03:00:18PM +0100, Jann Horn wrote:
>>>> On Tue, Jan 29, 2019 at 12:47 PM Greg Kroah-Hartman
>>>> <gregkh@...uxfoundation.org> wrote:
>>>>> 4.19-stable review patch.  If anyone has any objections, please let me know.
>>>>>
>>>>> ------------------
>>>>>
>>>>> [ commit 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 upstream ]
>>>>>
>>>>> Jann reported that the original commit back in b2157399cc98
>>>>> ("bpf: prevent out-of-bounds speculation") was not sufficient
>>>>> to stop CPU from speculating out of bounds memory access:
>>>>> While b2157399cc98 only focussed on masking array map access
>>>>> for unprivileged users for tail calls and data access such
>>>>> that the user provided index gets sanitized from BPF program
>>>>> and syscall side, there is still a more generic form affected
>>>>> from BPF programs that applies to most maps that hold user
>>>>> data in relation to dynamic map access when dealing with
>>>>> unknown scalars or "slow" known scalars as access offset, for
>>>>> example:
>>>>
>>>> Is this also going into 4.14 and 4.9? I don't see anything related in
>>>> the stable queue or in stable-rc.
>>>
>>> Ah, the original submitter did not send backported patches, but you are
>>> right, it should go further back.  I'll see how hard it would be to do
>>> the backport, thanks for letting me know.
>>
>> Ok, no, there's no way I can do this backport.  It didn't apply cleanly,
>> and trying to take the patches prior to this resulted in a huge mess.
>>
>> So, it would be wonderful if someone who knows the bpf code stack could
>> do this and send it in.
> 
> Daniel, Alexei: Can one of you do the backports to older stable kernels?

Ok, I'll try to find some cycles for 4.9 / 4.14 backports and see how
complex it gets, might be around next week though.

Thanks,
Daniel

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ