[4.19,0/4] bpf: backport fixes for CVE-2021-33624

Message ID	20210812170037.2370387-1-ovidiu.panait@windriver.com
Headers	show Return-Path: <stable-owner@kernel.org> From: Ovidiu Panait <ovidiu.panait@windriver.com> To: stable@vger.kernel.org Cc: bpf@vger.kernel.org Subject: [PATCH 4.19 0/4] bpf: backport fixes for CVE-2021-33624 Date: Thu, 12 Aug 2021 20:00:33 +0300 Message-Id: <20210812170037.2370387-1-ovidiu.panait@windriver.com> Content-Transfer-Encoding: 8bit Content-Type: text/plain MIME-Version: 1.0 X-MS-Exchange-MessageSentRepresentingType: 1 Precedence: bulk
Series	bpf: backport fixes for CVE-2021-33624 \| expand [4.19,0/4] bpf: backport fixes for CVE-2021-33624 [4.19,1/4] bpf: Inherit expanded/patched seen count from old aux data [4.19,2/4] bpf: Do not mark insn as seen under speculative path verification [4.19,3/4] bpf: Fix leakage under speculation on mispredicted branches [4.19,4/4] bpf, selftests: Adjust few selftest outcomes wrt unreachable code

Message ID

20210812170037.2370387-1-ovidiu.panait@windriver.com

Headers

From: Ovidiu Panait <ovidiu.panait@windriver.com>
To: stable@vger.kernel.org
Cc: bpf@vger.kernel.org
Subject: [PATCH 4.19 0/4] bpf: backport fixes for CVE-2021-33624
Date: Thu, 12 Aug 2021 20:00:33 +0300
Message-Id: <20210812170037.2370387-1-ovidiu.panait@windriver.com>
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-MessageSentRepresentingType: 1
Received: from otp-linux03.wrs.com (46.97.150.20) by
	VI1PR07CA0251.eurprd07.prod.outlook.com
	(2603:10a6:803:b4::18) with Microsoft SMTP Server (version=TLS1_2,
	cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4436.9
	via Frontend Transport; Thu, 12 Aug 2021 17:00:54 +0000
X-MS-PublicTrafficType: Email
X-MS-Office365-Filtering-Correlation-Id: 431de9fc-4c4b-43a3-f98c-08d95db2bfb2
X-MS-TrafficTypeDiagnostic: DM4PR11MB5549:
X-Microsoft-Antispam-PRVS: <DM4PR11MB554974DDD540D70144891180FEF99@DM4PR11MB5549.namprd11.prod.outlook.com>
X-MS-Oob-TLC-OOBClassifiers: OLM:6790;
X-MS-Exchange-SenderADCheck: 1
X-MS-Exchange-AntiSpam-Relay: 0
X-Microsoft-Antispam: BCL:0;
X-Microsoft-Antispam-Message-Info: mZrMqjkF1/T+zulvi7ea04TLm6vfE5cp89PT5UwTrFHpAs0bVZGlVyQ8sxgQj/d3uDmrTBUr0tqwXMdfTjJAmYtR49wDV9CRXwZNFPsMq2da3J98tXYO2sz3EvR3dvmrNhDwV8ePxPOMmJuBc5avLSytjOUE1S5ob42OyXlnADFLcbQ872UAiDi9Esc6G9a770EO1akLh7sbGxmpD0DBXqyM4z+Deut6R68hkkLI/QwpBBuVi2dXADh4j8Qgwe9FxYkn6qRrKLe5EA6M9v+b/WDlnINeOCpNZk6nLLNobmCJGomUGBPNcQQ8GOFmwfD2g45Vpo7ke2Y62DAgT9vM/ggvZJ9zu0kCiNM5eMv17VfSZ5uyyoU+9wGzhWiaDcsLB/gUhhvyQ3Ws/Nsq7AgAqe4bHLA+yse/m4Q4KUmXM+V5LVHTfD7sKCWuUHdcLFMZWtRwoqZsyf4JAgb3WqhXgKrJnek+NL+RQJl8hsvyl78JHrC5ZtITzx9c89S/+/69IGk3Gm0KMuFqyy9g0Cyz+SUPuuRxX9AlkWJxYeBW0C8HvynAITJCaXXlhlwWB6PuqIB+izHXKx0RHjigA1sprK6nr35Hqn1uUYU+vSJ/EbASa3asPMrf94ebGejRW3pUqqLg+tIArBSRklYWSvl1VFKcten7pY+2JmnhukCzcA0zuHU2xK09/0Hi+vW7ZAdQd5zYLkL3yCWqc55OjIjemw==
X-Forefront-Antispam-Report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:;
	IPV:NLI; SFV:NSPM; H:DM4PR11MB5327.namprd11.prod.outlook.com;
	PTR:; CAT:NONE;
	SFS:(4636009)(376002)(39850400004)(396003)(346002)(366004)(136003)(6666004)(478600001)(66476007)(186003)(52116002)(66556008)(26005)(5660300002)(2906002)(2616005)(44832011)(956004)(4744005)(6486002)(66946007)(6512007)(36756003)(450100002)(8936002)(6916009)(4326008)(38100700002)(38350700002)(86362001)(1076003)(6506007)(8676002)(83380400001)(316002);
	DIR:OUT; SFP:1101; 
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: n8EPKd66eLrCDepfDbZo041M6+8Jj2233dypyVktqWCONSkt/F68vCd/EXrwv/xFGlh7nN1u1pr8ZuM2I8J7884q53RR77d9qemQ1UulLtRZEmyD1ek+pXb5NkfpJAib0muiBv+NolAq0DuUHK/lnqA86cl+/3GUsuOZrO9jKxKaeqWFdbhlW+jmLOCdM/B1kkbdu815swx1vRcRXU3rih7lVvLAMPnyL2CwlSSZ/+yTS+ruCWEv5ZBJGqqaxbNNp3if21l2FVz0hi1AlYBVoW2BX3B5IAFTub32ib8BI30lr+8oMulQqC2kXivMoqgTmT+h+3x/SCEzjhIM3mxfmEJ3Kx057XtcViEBrCY3JhNtCsne4iH+v8x2ZYXK1KnEK8j1JMPLVrbcAb+9P+08bLXgQv6+ZpnhFn9ZQjhsZoMgFokWCDvnGhzZfYuHKv7bqqsrdhe0bixTACIuqszbwB1N35XAs4B46Onz2mjJiPBDMx1s0A2Ch1lKHLVCyIPwF9hj5R/1Bs4r+0ftw8stPxzBQn3xYivHRT0B6k+B4OYL48zQ5XwyyEGs0Be7uSvETqUmPLM7Vj36v92582qA7klUG8RaD+q9kDnnb/K89WLiBVtWotWpeGNglpLaZKrkjSAv2TcbgMB4Mo+iwazPHnrWdTAAVSHNu2HbzQTHUf/Cfc+UBUZb/lDqSnvVf/NGiTXGeg88QjwvgZkmPayAUvTWGlvcIRFsVqzDPoYdJ5If62eSt7i5ReIDHYBHO5UkDkKE2WoqJGHPkAJV4SgqJiiWTaoZGOrqTMWtj2TKpKilhuYs6S49dH5Xjy/Ed+RtXSjq6wPyv5YYHxbfXvX4aGO8Ug62rV360oAPbRHd2Hx5ku9XPl8LoH9ZrqzPqz91lGtlLVpYZTlPC+KD6VPj2tsIM2Gf3zro+ENhzJNKnZCRRnfexXjz98ZHVlTjh9oeLoSx+6H1LdAaEEbjGcwIyYRYn5Waq1xUSNKZ6tphjI0X5cD7O5LNEZwkOfHl4uXUf0N2Bww6YLjPfC9Jt6il+/3NjpUplYS8+kjVJ0TZKFmsKv80XX9H3ZT73ItiPY3tFuMRRYtuC4kMuD5B4lDWaoXiYI2Y9TLsbf5MjmHHNNO+nxzIFhWWY6J8osWAvRrBf1eyIiafh85nPYw13Se4/xwWz5m14146OckfG1X6/ftMQy3dW8jEyXRruKe+MVLr2KiZrrausQFtCFUYa/p4CxZJLD8QDy396oA1w3gXFTm8MK03EoZPZjjJ5XBOBBt3dorO/S8n2hQ3q4QzFnnS+O68h6p5h/PM1t5lufwNgqgqwqkq1Gnl95m+I39nRlip
X-OriginatorOrg: windriver.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 431de9fc-4c4b-43a3-f98c-08d95db2bfb2
X-MS-Exchange-CrossTenant-AuthSource: DM4PR11MB5327.namprd11.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 12 Aug 2021 17:00:55.5497
	(UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 8ddb2873-a1ad-4a18-ae4e-4644631433be
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: poPVtkra1E7NJdqtbxuquONlrbsqvDpJXJwOniRpVq7NZg97/BRTPLsC3V9ihSMWwjBqdypCHvvN6/Bvxm1qzgovtQuQabAPadzlxR47VLg=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DM4PR11MB5549
X-Proofpoint-ORIG-GUID: gJnprrb3vgBT9bHU1ftKfX0_dW5L6Wj8
X-Proofpoint-GUID: gJnprrb3vgBT9bHU1ftKfX0_dW5L6Wj8
X-Proofpoint-Virus-Version: vendor=baseguard
	engine=ICAP:2.0.182.1, Aquarius:18.0.790, Hydra:6.0.391,
	FMLib:17.0.607.475
	definitions=2021-08-12_05,2021-08-12_01,2020-04-07_01
X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0
	clxscore=1015 impostorscore=0
	priorityscore=1501 spamscore=0 bulkscore=0 phishscore=0 adultscore=0
	mlxlogscore=734 suspectscore=0 malwarescore=0 mlxscore=0
	lowpriorityscore=0 classifier=spam adjust=0 reason=mlx scancount=1
	engine=8.12.0-2107140000 definitions=main-2108120111
Precedence: bulk
List-ID: <stable.vger.kernel.org>
X-Mailing-List: stable@vger.kernel.org

Series

bpf: backport fixes for CVE-2021-33624 | expand

Message

Ovidiu Panait Aug. 12, 2021, 5 p.m. UTC

NOTE: the fixes were manually adjusted to apply to 4.19, so copying bpf@ to see
if there are any concerns.

With this patchseries all bpf verifier selftests pass:
root@intel-x86-64:~# ./test_verifier
...
#657/u pass modified ctx pointer to helper, 2 OK
#657/p pass modified ctx pointer to helper, 2 OK
#658/p pass modified ctx pointer to helper, 3 OK
#659/p mov64 src == dst OK
#660/p mov64 src != dst OK
#661/u calls: ctx read at start of subprog OK
#661/p calls: ctx read at start of subprog OK
Summary: 925 PASSED, 0 SKIPPED, 0 FAILED

Daniel Borkmann (4):
  bpf: Inherit expanded/patched seen count from old aux data
  bpf: Do not mark insn as seen under speculative path verification
  bpf: Fix leakage under speculation on mispredicted branches
  bpf, selftests: Adjust few selftest outcomes wrt unreachable code

 kernel/bpf/verifier.c                       | 68 ++++++++++++++++++---
 tools/testing/selftests/bpf/test_verifier.c |  2 +
 2 files changed, 62 insertions(+), 8 deletions(-)