Message-ID: <08c1309e-121c-96ff-a54c-ab836ec826b3@iogearbox.net>
Date: Tue, 9 Jan 2018 00:59:32 +0100
From: Daniel Borkmann <daniel@...earbox.net>
To: Alexei Starovoitov <ast@...nel.org>, davem@...emloft.net
Cc: torvalds@...ux-foundation.org, alan@...ux.intel.com,
netdev@...r.kernel.org, kernel-team@...com
Subject: Re: [PATCH v3 bpf] bpf: prevent out-of-bounds speculation
On 01/08/2018 02:33 AM, Alexei Starovoitov wrote:
> Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
> memory accesses under a bounds check may be speculated even if the
> bounds check fails, providing a primitive for building a side channel.
>
> To avoid leaking kernel data round up array-based maps and mask the index
> after bounds check, so speculated load with out of bounds index will load
> either valid value from the array or zero from the padded area.
>
> Unconditionally mask index for all array types even when max_entries
> are not rounded to power of 2 for root user.
> When map is created by unpriv user generate a sequence of bpf insns
> that includes AND operation to make sure that JITed code includes
> the same 'index & index_mask' operation.
>
> If prog_array map is created by unpriv user replace
>   bpf_tail_call(ctx, map, index);
> with
>   if (index >= max_entries) {
>     index &= map->index_mask;
>     bpf_tail_call(ctx, map, index);
>   }
> (along with roundup to power 2) to prevent out-of-bounds speculation.
> There is secondary redundant 'if (index >= max_entries)' in the interpreter
> and in all JITs, but they can be optimized later if necessary.
>
> Other array-like maps (cpumap, devmap, sockmap, perf_event_array, cgroup_array)
> cannot be used by unpriv, so no changes there.
>
> That fixes bpf side of "Variant 1: bounds check bypass (CVE-2017-5753)" on
> all architectures with and without JIT.
>
> v2->v3:
> Daniel noticed that attack potentially can be crafted via syscall commands
> without loading the program, so add masking to those paths as well.
>
> Signed-off-by: Alexei Starovoitov <ast@...nel.org>
> Acked-by: John Fastabend <john.fastabend@...il.com>
Applied to bpf tree, thanks Alexei!