bpf: Prevent memory disambiguation attack
authorAlexei Starovoitov <ast@kernel.org>
Tue, 15 May 2018 16:27:05 +0000 (09:27 -0700)
committerThomas Gleixner <tglx@linutronix.de>
Sat, 19 May 2018 18:44:24 +0000 (20:44 +0200)
commitaf86ca4e3088fe5eacf2f7e58c01fa68ca067672
treed01711e5fe7b1674c2929c473ead8047001ba886
parent240da953fcc6a9008c92fae5b1f727ee5ed167ab
bpf: Prevent memory disambiguation attack

Detect code patterns where 'speculative store bypass' can be used maliciously,
and sanitize such patterns.

 39: (bf) r3 = r10
 40: (07) r3 += -216
 41: (79) r8 = *(u64 *)(r7 +0)   // slow read
 42: (7a) *(u64 *)(r10 -72) = 0  // verifier inserts this instruction
 43: (7b) *(u64 *)(r8 +0) = r3   // this store becomes slow due to r8
 44: (79) r1 = *(u64 *)(r6 +0)   // cpu speculatively executes this load
 45: (71) r2 = *(u8 *)(r1 +0)    // speculatively arbitrary 'load byte'
                                 // is now sanitized

Above code after x86 JIT becomes:
 e5: mov    %rbp,%rdx
 e8: add    $0xffffffffffffff28,%rdx
 ef: mov    0x0(%r13),%r14
 f3: movq   $0x0,-0x48(%rbp)
 fb: mov    %rdx,0x0(%r14)
 ff: mov    0x0(%rbx),%rdi
103: movzbq 0x0(%rdi),%rsi

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
include/linux/bpf_verifier.h
kernel/bpf/verifier.c