| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAP01T75oU0zfZCiymEcH3r-GQ5A6GOc6GmYzJEnMa3=53XuUQQ@mail.gmail.com> Date: Wed, 14 May 2025 02:28:35 -0400 From: Kumar Kartikeya Dwivedi <memxor@...il.com> To: Luis Gerhorst <luis.gerhorst@....de> Cc: Alexei Starovoitov <ast@...nel.org>, Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>, Eduard Zingerman <eddyz87@...il.com>, Song Liu <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, John Fastabend <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, Stanislav Fomichev <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, Jiri Olsa <jolsa@...nel.org>, Puranjay Mohan <puranjay@...nel.org>, Xu Kuohai <xukuohai@...weicloud.com>, Catalin Marinas <catalin.marinas@....com>, Will Deacon <will@...nel.org>, Hari Bathini <hbathini@...ux.ibm.com>, Christophe Leroy <christophe.leroy@...roup.eu>, Naveen N Rao <naveen@...nel.org>, Madhavan Srinivasan <maddy@...ux.ibm.com>, Michael Ellerman <mpe@...erman.id.au>, Nicholas Piggin <npiggin@...il.com>, Mykola Lysenko <mykolal@...com>, Shuah Khan <shuah@...nel.org>, Henriette Herzog <henriette.herzog@....de>, Saket Kumar Bhaskar <skb99@...ux.ibm.com>, Cupertino Miranda <cupertino.miranda@...cle.com>, Jiayuan Chen <mrpre@....com>, Matan Shachnai <m.shachnai@...il.com>, Dimitar Kanaliev <dimitar.kanaliev@...eground.com>, Shung-Hsi Yu <shung-hsi.yu@...e.com>, Daniel Xu <dxu@...uu.xyz>, bpf@...r.kernel.org, linux-arm-kernel@...ts.infradead.org, linux-kernel@...r.kernel.org, linuxppc-dev@...ts.ozlabs.org, linux-kselftest@...r.kernel.org, Maximilian Ott <ott@...fau.de>, Milan Stephan <milan.stephan@....de> Subject: Re: [PATCH bpf-next v3 10/11] bpf: Allow nospec-protected var-offset stack access On Thu, 1 May 2025 at 04:17, Luis Gerhorst <luis.gerhorst@....de> wrote: > > Insert a nospec before the access to prevent it from ever using an index > that is subject to speculative scalar-confusion. > > The access itself can either happen directly in the BPF program (reads > only, check_stack_read_var_off()) or in a helper (read/write, > check_helper_mem_access()). > > This relies on the fact that the speculative scalar confusion that leads > to the variable-stack access going OOBs must stem from a prior > speculative store or branch bypass. Adding a nospec before the > variable-stack access will force all previously bypassed stores/branches > to complete and cause the stack access to only ever go to the stack slot > that is accessed architecturally. > > Alternatively, the variable-offset stack access might be a write that > can itself be subject to speculative store bypass (this can happen in > theory even if this code adds a nospec /before/ the variable-offset > write). Only indirect writes by helpers might be affected here (e.g., > those taking ARG_PTR_TO_MAP_VALUE). (Because check_stack_write_var_off() > does not use check_stack_range_initialized(), in-program variable-offset > writes are not affected.) If the in-helper write can be subject to > Spectre v4 and the helper writes/overwrites pointers on the BPF stack, > they are already a problem for fixed-offset stack accesses and should be > subject to Spectre v4 sanitization. > > Signed-off-by: Luis Gerhorst <luis.gerhorst@....de> > Acked-by: Henriette Herzog <henriette.herzog@....de> > Cc: Maximilian Ott <ott@...fau.de> > Cc: Milan Stephan <milan.stephan@....de> > --- Please also address sanitize_check_bounds, it's probably prevented by retrieve_ptr_limit rejecting other types but it'd be better to add a default statement for clarity. Acked-by: Kumar Kartikeya Dwivedi <memxor@...il.com>
Powered by blists - more mailing lists