From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Josh Poimboeuf <jpoimboe@redhat.com>,
Borislav Petkov <bp@suse.de>,
Thomas Gleixner <tglx@linutronix.de>,
Frank van der Linden <fllinden@amazon.com>
Subject: [PATCH 4.14 06/31] x86/speculation: Include unprivileged eBPF status in Spectre v2 mitigation reporting
Date: Thu, 10 Mar 2022 15:18:19 +0100 [thread overview]
Message-ID: <20220310140807.717540592@linuxfoundation.org> (raw)
In-Reply-To: <20220310140807.524313448@linuxfoundation.org>
From: Josh Poimboeuf <jpoimboe@redhat.com>
commit 44a3918c8245ab10c6c9719dd12e7a8d291980d8 upstream.
With unprivileged eBPF enabled, eIBRS (without retpoline) is vulnerable
to Spectre v2 BHB-based attacks.
When both are enabled, print a warning message and report it in the
'spectre_v2' sysfs vulnerabilities file.
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Borislav Petkov <bp@suse.de>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
[fllinden@amazon.com: backported to 4.14]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/cpu/bugs.c | 35 +++++++++++++++++++++++++++++------
include/linux/bpf.h | 11 +++++++++++
kernel/sysctl.c | 8 ++++++++
3 files changed, 48 insertions(+), 6 deletions(-)
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -31,6 +31,7 @@
#include <asm/set_memory.h>
#include <asm/intel-family.h>
#include <asm/e820/api.h>
+#include <linux/bpf.h>
#include "cpu.h"
@@ -607,6 +608,16 @@ static inline const char *spectre_v2_mod
static inline const char *spectre_v2_module_string(void) { return ""; }
#endif
+#define SPECTRE_V2_EIBRS_EBPF_MSG "WARNING: Unprivileged eBPF is enabled with eIBRS on, data leaks possible via Spectre v2 BHB attacks!\n"
+
+#ifdef CONFIG_BPF_SYSCALL
+void unpriv_ebpf_notify(int new_state)
+{
+ if (spectre_v2_enabled == SPECTRE_V2_EIBRS && !new_state)
+ pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
+}
+#endif
+
static inline bool match_option(const char *arg, int arglen, const char *opt)
{
int len = strlen(opt);
@@ -950,6 +961,9 @@ static void __init spectre_v2_select_mit
break;
}
+ if (mode == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
+ pr_err(SPECTRE_V2_EIBRS_EBPF_MSG);
+
if (spectre_v2_in_eibrs_mode(mode)) {
/* Force it so VMEXIT will restore correctly */
x86_spec_ctrl_base |= SPEC_CTRL_IBRS;
@@ -1685,6 +1699,20 @@ static char *ibpb_state(void)
return "";
}
+static ssize_t spectre_v2_show_state(char *buf)
+{
+ if (spectre_v2_enabled == SPECTRE_V2_EIBRS && unprivileged_ebpf_enabled())
+ return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");
+
+ return sprintf(buf, "%s%s%s%s%s%s\n",
+ spectre_v2_strings[spectre_v2_enabled],
+ ibpb_state(),
+ boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
+ stibp_state(),
+ boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
+ spectre_v2_module_string());
+}
+
static ssize_t srbds_show_state(char *buf)
{
return sprintf(buf, "%s\n", srbds_strings[srbds_mitigation]);
@@ -1707,12 +1735,7 @@ static ssize_t cpu_show_common(struct de
return sprintf(buf, "%s\n", spectre_v1_strings[spectre_v1_mitigation]);
case X86_BUG_SPECTRE_V2:
- return sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
- ibpb_state(),
- boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
- stibp_state(),
- boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
- spectre_v2_module_string());
+ return spectre_v2_show_state(buf);
case X86_BUG_SPEC_STORE_BYPASS:
return sprintf(buf, "%s\n", ssb_strings[ssb_mode]);
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -337,6 +337,11 @@ static inline int bpf_map_attr_numa_node
attr->numa_node : NUMA_NO_NODE;
}
+static inline bool unprivileged_ebpf_enabled(void)
+{
+ return !sysctl_unprivileged_bpf_disabled;
+}
+
#else
static inline struct bpf_prog *bpf_prog_get(u32 ufd)
{
@@ -400,6 +405,12 @@ static inline void __dev_map_insert_ctx(
static inline void __dev_map_flush(struct bpf_map *map)
{
}
+
+static inline bool unprivileged_ebpf_enabled(void)
+{
+ return false;
+}
+
#endif /* CONFIG_BPF_SYSCALL */
#if defined(CONFIG_STREAM_PARSER) && defined(CONFIG_BPF_SYSCALL)
--- a/kernel/sysctl.c
+++ b/kernel/sysctl.c
@@ -243,6 +243,11 @@ static int sysrq_sysctl_handler(struct c
#endif
#ifdef CONFIG_BPF_SYSCALL
+
+void __weak unpriv_ebpf_notify(int new_state)
+{
+}
+
static int bpf_unpriv_handler(struct ctl_table *table, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
@@ -260,6 +265,9 @@ static int bpf_unpriv_handler(struct ctl
return -EPERM;
*(int *)table->data = unpriv_enable;
}
+
+ unpriv_ebpf_notify(unpriv_enable);
+
return ret;
}
#endif
next prev parent reply other threads:[~2022-03-10 14:30 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-03-10 14:18 [PATCH 4.14 00/31] 4.14.271-rc2 review Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 01/31] x86/speculation: Merge one test in spectre_v2_user_select_mitigation() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 02/31] x86,bugs: Unconditionally allow spectre_v2=retpoline,amd Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 03/31] x86/speculation: Rename RETPOLINE_AMD to RETPOLINE_LFENCE Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 04/31] x86/speculation: Add eIBRS + Retpoline options Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 05/31] Documentation/hw-vuln: Update spectre doc Greg Kroah-Hartman
2022-03-10 14:18 ` Greg Kroah-Hartman [this message]
2022-03-10 14:18 ` [PATCH 4.14 07/31] x86/speculation: Use generic retpoline by default on AMD Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 08/31] x86/speculation: Update link to AMD speculation whitepaper Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 09/31] x86/speculation: Warn about Spectre v2 LFENCE mitigation Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 10/31] x86/speculation: Warn about eIBRS + LFENCE + Unprivileged eBPF + SMT Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 11/31] arm/arm64: Provide a wrapper for SMCCC 1.1 calls Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 12/31] arm/arm64: smccc/psci: add arm_smccc_1_1_get_conduit() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 13/31] ARM: report Spectre v2 status through sysfs Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 14/31] ARM: early traps initialisation Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 15/31] ARM: use LOADADDR() to get load address of sections Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 16/31] ARM: Spectre-BHB workaround Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 17/31] ARM: include unprivileged BPF status in Spectre V2 reporting Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 18/31] ARM: fix build error when BPF_SYSCALL is disabled Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 19/31] ARM: fix co-processor register typo Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 20/31] ARM: Do not use NOCROSSREFS directive with ld.lld Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 21/31] ARM: fix build warning in proc-v7-bugs.c Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 22/31] xen/xenbus: dont let xenbus_grant_ring() remove grants in error case Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 23/31] xen/grant-table: add gnttab_try_end_foreign_access() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 24/31] xen/blkfront: dont use gnttab_query_foreign_access() for mapped status Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 25/31] xen/netfront: " Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 26/31] xen/scsifront: " Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 27/31] xen/gntalloc: dont use gnttab_query_foreign_access() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 28/31] xen: remove gnttab_query_foreign_access() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 29/31] xen/9p: use alloc/free_pages_exact() Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 30/31] xen/gnttab: fix gnttab_end_foreign_access() without page specified Greg Kroah-Hartman
2022-03-10 14:18 ` [PATCH 4.14 31/31] xen/netfront: react properly to failing gnttab_end_foreign_access_ref() Greg Kroah-Hartman
2022-03-10 18:48 ` [PATCH 4.14 00/31] 4.14.271-rc2 review Jon Hunter
2022-03-11 1:01 ` Guenter Roeck
2022-03-11 13:18 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220310140807.717540592@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bp@suse.de \
--cc=fllinden@amazon.com \
--cc=jpoimboe@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.