lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a0b112301f51e4ea2ff31c0e9c6e28b2b6535db2.camel@gmail.com>
Date: Sun, 06 Jul 2025 19:14:22 -0700
From: Eduard Zingerman <eddyz87@...il.com>
To: Luis Gerhorst <luis.gerhorst@....de>, Alexei Starovoitov
 <ast@...nel.org>,  Daniel Borkmann <daniel@...earbox.net>, Andrii Nakryiko
 <andrii@...nel.org>, Martin KaFai Lau <martin.lau@...ux.dev>,  Song Liu
 <song@...nel.org>, Yonghong Song <yonghong.song@...ux.dev>, John Fastabend	
 <john.fastabend@...il.com>, KP Singh <kpsingh@...nel.org>, Stanislav
 Fomichev	 <sdf@...ichev.me>, Hao Luo <haoluo@...gle.com>, Jiri Olsa
 <jolsa@...nel.org>,  Mykola Lysenko	 <mykolal@...com>, Shuah Khan
 <shuah@...nel.org>, Kumar Kartikeya Dwivedi	 <memxor@...il.com>, Peilin Ye
 <yepeilin@...gle.com>, Saket Kumar Bhaskar	 <skb99@...ux.ibm.com>, Viktor
 Malik <vmalik@...hat.com>, Ihor Solodrai	 <isolodrai@...a.com>, Daniel Xu
 <dxu@...uu.xyz>, bpf@...r.kernel.org, 	linux-kselftest@...r.kernel.org,
 linux-kernel@...r.kernel.org, Paul Chaignon	 <paul.chaignon@...il.com>
Cc: syzbot+dc27c5fb8388e38d2d37@...kaller.appspotmail.com
Subject: Re: [PATCH bpf-next v3 1/2] bpf: Fix aux usage after do_check_insn()

On Sat, 2025-07-05 at 21:09 +0200, Luis Gerhorst wrote:
> We must terminate the speculative analysis if the just-analyzed insn had
> nospec_result set. Using cur_aux() here is wrong because insn_idx might
> have been incremented by do_check_insn(). Therefore, introduce and use
> insn_aux variable.
> 
> Also change cur_aux(env)->nospec in case do_check_insn() ever manages to
> increment insn_idx but still fail.
> 
> Change the warning to check the insn class (which prevents it from
> triggering for ldimm64, for which nospec_result would not be
> problematic) and use verifier_bug_if().
> 
> In line with Eduard's suggestion, do not introduce prev_aux() because
> that requires one to understand that after do_check_insn() call what was
> current became previous. This would at-least require a comment.
> 
> Fixes: d6f1c85f2253 ("bpf: Fall back to nospec for Spectre v1")
> Reported-by: Paul Chaignon <paul.chaignon@...il.com>
> Reported-by: Eduard Zingerman <eddyz87@...il.com>
> Reported-by: syzbot+dc27c5fb8388e38d2d37@...kaller.appspotmail.com
> Link: https://lore.kernel.org/bpf/685b3c1b.050a0220.2303ee.0010.GAE@google.com/
> Link: https://lore.kernel.org/bpf/4266fd5de04092aa4971cbef14f1b4b96961f432.camel@gmail.com/
> Suggested-by: Eduard Zingerman <eddyz87@...il.com>
> Signed-off-by: Luis Gerhorst <luis.gerhorst@....de>
> ---

Acked-by: Eduard Zingerman <eddyz87@...il.com>

[...]

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ