git.baikalelectronics.ru Git - kernel.git/commit

author	Piotr Krysiuk <piotras@gmail.com>
	Tue, 16 Mar 2021 08:47:02 +0000 (09:47 +0100)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Wed, 17 Mar 2021 18:12:02 +0000 (19:12 +0100)
commit	7e6295643e04b5ccb10b4eb0fda0e0413caabf82
tree	cf28c33ec59a1ddc8b3b640f54b9f10f728e2c4b	tree \| snapshot
parent	c0a36a51a82bb9db5dfa6c2111c37326ab2dfc27	commit \| diff

bpf: Prohibit alu ops for pointer types not defining ptr_limit

The purpose of this patch is to streamline error propagation and in particular
to propagate retrieve_ptr_limit() errors for pointer types that are not defining
a ptr_limit such that register-based alu ops against these types can be rejected.

The main rationale is that a gap has been identified by Piotr in the existing
protection against speculatively out-of-bounds loads, for example, in case of
ctx pointers, unprivileged programs can still perform pointer arithmetic. This
can be abused to execute speculatively out-of-bounds loads without restrictions
and thus extract contents of kernel memory.

Fix this by rejecting unprivileged programs that attempt any pointer arithmetic
on unprotected pointer types. The two affected ones are pointer to ctx as well
as pointer to map. Field access to a modified ctx' pointer is rejected at a
later point in time in the verifier, and bf379367a6f9 ("bpf: Permit map_ptr
arithmetic with opcode add and offset 0") only relevant for root-only use cases.
Risk of unprivileged program breakage is considered very low.

Fixes: bf379367a6f9 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0")
Fixes: 6b913f15182a ("bpf: prevent out-of-bounds speculation")
Signed-off-by: Piotr Krysiuk <piotras@gmail.com>
Co-developed-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>