* [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks
@ 2026-06-17 17:50 Nuoqi Gui
2026-06-17 17:50 ` [PATCH bpf v3 1/2] bpf: Fix stack slot index in " Nuoqi Gui
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Nuoqi Gui @ 2026-06-17 17:50 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel, Nuoqi Gui, Jiayuan Chen,
Emil Tsalapatis
check_stack_write_fixed_off() uses one byte-indexing scheme when checking
whether a fixed-offset stack write needs Spectre v4 sanitization, and another
scheme when recording the write into slot_type[].
For sub-8-byte writes this can make the sanitization check look at bytes that
are not overwritten by the write. A zeroed lower half-slot followed by a write
to the upper half-slot can therefore miss the nospec barrier for the second
write.
Use the same stack-byte index for the sanitization check and the slot update,
and add a focused verifier selftest that expects both half-slot writes to emit
nospec through the unprivileged loader lane.
Bounded impact: this fixes verifier/JIT Spectre v4 mitigation emission for a
fixed-offset stack-write corner case. No architectural verifier memory-safety
bypass, exploit chain, CVE, embargo, or security escalation is claimed.
Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Changes in v3:
- selftests/bpf: drop the stray space in the __xlated_unpriv stack-store
expectations ("(r10 - 4)"/"(r10 - 8)" -> "(r10 -4)"/"(r10 -8)")
- Link to v2: https://lore.kernel.org/bpf/20260618-f01-11-stack-nospec-slot-index-v2-0-ede9495359b6@mails.tsinghua.edu.cn/
Changes in v2:
- drop __caps_unpriv(CAP_BPF) from the selftest
- fix selftest style
- use Fixes: 2039f26f3aca per review
- Link to v1: https://lore.kernel.org/bpf/20260617-f01-11-stack-nospec-slot-index-v1-0-e3a080b0cd7e@mails.tsinghua.edu.cn/
---
Nuoqi Gui (2):
bpf: Fix stack slot index in nospec checks
selftests/bpf: Cover stack nospec slot indexing
kernel/bpf/verifier.c | 3 ++-
.../testing/selftests/bpf/progs/verifier_unpriv.c | 22 ++++++++++++++++++++++
2 files changed, 24 insertions(+), 1 deletion(-)
---
base-commit: e4287bf34f97a88c7d9322f5bde828724c073a6b
change-id: 20260615-f01-11-stack-nospec-slot-index-e155b2acd587
Best regards,
--
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH bpf v3 1/2] bpf: Fix stack slot index in nospec checks
2026-06-17 17:50 [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks Nuoqi Gui
@ 2026-06-17 17:50 ` Nuoqi Gui
2026-06-17 17:50 ` [PATCH bpf v3 2/2] selftests/bpf: Cover stack nospec slot indexing Nuoqi Gui
2026-06-22 1:07 ` [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: Nuoqi Gui @ 2026-06-17 17:50 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel, Nuoqi Gui, Jiayuan Chen,
Emil Tsalapatis
check_stack_write_fixed_off() computes the byte slot for a fixed-offset
stack write as -off - 1, and records each written byte in slot_type[] with
(slot - i) % BPF_REG_SIZE.
The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
bytes 7..4. That can leave the second half-slot write without nospec_result
even though the bytes being overwritten still require sanitization.
Use the same slot index in the sanitization pre-check that the write path uses
when updating slot_type[].
Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
kernel/bpf/verifier.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2abc79dbf281c..50e80dbbc1784 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3479,7 +3479,8 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
bool sanitize = reg && is_spillable_regtype(reg->type);
for (i = 0; i < size; i++) {
- u8 type = state->stack[spi].slot_type[i];
+ u8 type = state->stack[spi].slot_type[(slot - i) %
+ BPF_REG_SIZE];
if (type != STACK_MISC && type != STACK_ZERO) {
sanitize = true;
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* [PATCH bpf v3 2/2] selftests/bpf: Cover stack nospec slot indexing
2026-06-17 17:50 [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks Nuoqi Gui
2026-06-17 17:50 ` [PATCH bpf v3 1/2] bpf: Fix stack slot index in " Nuoqi Gui
@ 2026-06-17 17:50 ` Nuoqi Gui
2026-06-22 1:07 ` [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: Nuoqi Gui @ 2026-06-17 17:50 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel, Nuoqi Gui
Add a verifier test for the fixed-offset stack write case where two 4-byte
stores initialize opposite halves of the same stack slot.
The test runs through the unprivileged loader lane and expects both
half-slot writes to emit nospec in the translated program.
Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
.../testing/selftests/bpf/progs/verifier_unpriv.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
index c16f8382cf17d..49f7bd05edad2 100644
--- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
+++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
@@ -976,4 +976,26 @@ l0_%=: exit; \
: __clobber_all);
}
+SEC("socket")
+__description("unpriv: Spectre v4 stack write slot index")
+__success __success_unpriv
+__retval(0)
+#ifdef SPEC_V4
+__xlated_unpriv("r0 = 0")
+__xlated_unpriv("*(u32 *)(r10 -4) = r0")
+__xlated_unpriv("nospec")
+__xlated_unpriv("*(u32 *)(r10 -8) = r0")
+__xlated_unpriv("nospec")
+__xlated_unpriv("exit")
+#endif
+__naked void stack_write_nospec_slot_index(void)
+{
+ asm volatile (" \
+ r0 = 0; \
+ *(u32 *)(r10 - 4) = r0; \
+ *(u32 *)(r10 - 8) = r0; \
+ exit; \
+" ::: __clobber_all);
+}
+
char _license[] SEC("license") = "GPL";
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks
2026-06-17 17:50 [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks Nuoqi Gui
2026-06-17 17:50 ` [PATCH bpf v3 1/2] bpf: Fix stack slot index in " Nuoqi Gui
2026-06-17 17:50 ` [PATCH bpf v3 2/2] selftests/bpf: Cover stack nospec slot indexing Nuoqi Gui
@ 2026-06-22 1:07 ` patchwork-bot+netdevbpf
2 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-06-22 1:07 UTC (permalink / raw)
To: Nuoqi Gui
Cc: ast, daniel, andrii, eddyz87, memxor, john.fastabend, martin.lau,
luis.gerhorst, shuah, bpf, linux-kselftest, linux-kernel,
jiayuan.chen, emil
Hello:
This series was applied to bpf/bpf.git (master)
by Alexei Starovoitov <ast@kernel.org>:
On Thu, 18 Jun 2026 01:50:25 +0800 you wrote:
> check_stack_write_fixed_off() uses one byte-indexing scheme when checking
> whether a fixed-offset stack write needs Spectre v4 sanitization, and another
> scheme when recording the write into slot_type[].
>
> For sub-8-byte writes this can make the sanitization check look at bytes that
> are not overwritten by the write. A zeroed lower half-slot followed by a write
> to the upper half-slot can therefore miss the nospec barrier for the second
> write.
>
> [...]
Here is the summary with links:
- [bpf,v3,1/2] bpf: Fix stack slot index in nospec checks
https://git.kernel.org/bpf/bpf/c/d1d53aa30ab3
- [bpf,v3,2/2] selftests/bpf: Cover stack nospec slot indexing
https://git.kernel.org/bpf/bpf/c/a93ae7ed5972
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-06-22 1:07 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-17 17:50 [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks Nuoqi Gui
2026-06-17 17:50 ` [PATCH bpf v3 1/2] bpf: Fix stack slot index in " Nuoqi Gui
2026-06-17 17:50 ` [PATCH bpf v3 2/2] selftests/bpf: Cover stack nospec slot indexing Nuoqi Gui
2026-06-22 1:07 ` [PATCH bpf v3 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks patchwork-bot+netdevbpf
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.