[PATCH bpf v2 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks

[PATCH bpf v2 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks

[Nuoqi Gui]

check_stack_write_fixed_off() uses one byte-indexing scheme when checking
whether a fixed-offset stack write needs Spectre v4 sanitization, and another
scheme when recording the write into slot_type[].

For sub-8-byte writes this can make the sanitization check look at bytes that
are not overwritten by the write. A zeroed lower half-slot followed by a write
to the upper half-slot can therefore miss the nospec barrier for the second
write.

Use the same stack-byte index for the sanitization check and the slot update,
and add a focused verifier selftest that expects both half-slot writes to emit
nospec through the unprivileged loader lane.

Bounded impact: this fixes verifier/JIT Spectre v4 mitigation emission for a
fixed-offset stack-write corner case. No architectural verifier memory-safety
bypass, exploit chain, CVE, embargo, or security escalation is claimed.

Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")

v1->v2:
  - drop __caps_unpriv(CAP_BPF) from the selftest
  - fix selftest style
  - use Fixes: 2039f26f3aca per review

v1: https://lore.kernel.org/bpf/20260617-f01-11-stack-nospec-slot-index-v1-0-e3a080b0cd7e@mails.tsinghua.edu.cn/

Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Nuoqi Gui (2):
      bpf: Fix stack slot index in nospec checks
      selftests/bpf: Cover stack nospec slot indexing

 kernel/bpf/verifier.c                              |  3 ++-
 .../testing/selftests/bpf/progs/verifier_unpriv.c  | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+), 1 deletion(-)
---
base-commit: e4287bf34f97a88c7d9322f5bde828724c073a6b
change-id: 20260615-f01-11-stack-nospec-slot-index-e155b2acd587

Best regards,
--  
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>

[PATCH bpf v2 1/2] bpf: Fix stack slot index in nospec checks

[Nuoqi Gui]

check_stack_write_fixed_off() computes the byte slot for a fixed-offset
stack write as -off - 1, and records each written byte in slot_type[] with
(slot - i) % BPF_REG_SIZE.

The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
bytes 7..4. That can leave the second half-slot write without nospec_result
even though the bytes being overwritten still require sanitization.

Use the same slot index in the sanitization pre-check that the write path uses
when updating slot_type[].

Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
 kernel/bpf/verifier.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2abc79dbf281c..50e80dbbc1784 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3479,7 +3479,8 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
 		bool sanitize = reg && is_spillable_regtype(reg->type);
 
 		for (i = 0; i < size; i++) {
-			u8 type = state->stack[spi].slot_type[i];
+			u8 type = state->stack[spi].slot_type[(slot - i) %
+							      BPF_REG_SIZE];
 
 			if (type != STACK_MISC && type != STACK_ZERO) {
 				sanitize = true;

-- 
2.34.1

[PATCH bpf v2 2/2] selftests/bpf: Cover stack nospec slot indexing

[Nuoqi Gui]

Add a verifier test for the fixed-offset stack write case where two 4-byte
stores initialize opposite halves of the same stack slot.

The test runs through the unprivileged loader lane and expects both
half-slot writes to emit nospec in the translated program.

Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
 .../testing/selftests/bpf/progs/verifier_unpriv.c  | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
index c16f8382cf17d..d54e5b59e62e5 100644
--- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
+++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
@@ -976,4 +976,26 @@ l0_%=:	exit;						\
 	: __clobber_all);
 }
 
+SEC("socket")
+__description("unpriv: Spectre v4 stack write slot index")
+__success __success_unpriv
+__retval(0)
+#ifdef SPEC_V4
+__xlated_unpriv("r0 = 0")
+__xlated_unpriv("*(u32 *)(r10 - 4) = r0")
+__xlated_unpriv("nospec")
+__xlated_unpriv("*(u32 *)(r10 - 8) = r0")
+__xlated_unpriv("nospec")
+__xlated_unpriv("exit")
+#endif
+__naked void stack_write_nospec_slot_index(void)
+{
+	asm volatile ("					\
+	r0 = 0;					\
+	*(u32 *)(r10 - 4) = r0;			\
+	*(u32 *)(r10 - 8) = r0;			\
+	exit;					\
+"	::: __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";

-- 
2.34.1

Re: [PATCH bpf v2 2/2] selftests/bpf: Cover stack nospec slot indexing

[bot+bpf-ci]

[-- Attachment #1: Type: text/plain, Size: 2557 bytes --]

> diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> index c16f8382cf17..d54e5b59e62e 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> @@ -976,4 +976,26 @@ l0_%=:	exit;						\
>  	: __clobber_all);
>  }
>
> +SEC("socket")
> +__description("unpriv: Spectre v4 stack write slot index")
> +__success __success_unpriv
> +__retval(0)
> +#ifdef SPEC_V4
> +__xlated_unpriv("r0 = 0")
> +__xlated_unpriv("*(u32 *)(r10 - 4) = r0")
> +__xlated_unpriv("nospec")
> +__xlated_unpriv("*(u32 *)(r10 - 8) = r0")

The expectation strings here write the stack offset with a space after the
minus sign: "*(u32 *)(r10 - 4) = r0" and "*(u32 *)(r10 - 8) = r0".

The kernel disassembler in print_bpf_insn() (kernel/bpf/disasm.c) formats
stores with:

	verbose(cbs->private_data, "(%s *)(r%d %+d) = ...",
		...);

The %+d conversion attaches the sign directly to the digits with no
following space, so the produced text is "*(u32 *)(r10 -4) = r0" and
"*(u32 *)(r10 -8) = r0".

The selftest matcher match_msg() in tools/testing/selftests/bpf/test_loader.c
does a byte-exact strstr() substring match with no whitespace normalization,
and these patterns contain no {{...}} so they are matched literally rather
than as a regex.

Would the "(r10 - 4)" and "(r10 - 8)" expectations ever match the actual
disassembly, given the disassembler emits "(r10 -4)" and "(r10 -8)" with no
space?

Every other __xlated/__xlated_unpriv expectation in the selftests uses the
no-space form, for example elsewhere in verifier_unpriv.c:

	__xlated_unpriv("*(u64 *)(r10 -8) = r1")

When built with SPEC_V4 enabled, would this test fail the xlated check
rather than validate the companion verifier change in commit 3fcd23a554da,
so that it does not actually exercise the nospec slot-index handling it is
meant to cover?

Should the offsets be written as "(r10 -4)" and "(r10 -8)" instead?

> +__xlated_unpriv("nospec")
> +__xlated_unpriv("exit")
> +#endif
> +__naked void stack_write_nospec_slot_index(void)
> +{
> +	asm volatile ("					\
> +	r0 = 0;					\
> +	*(u32 *)(r10 - 4) = r0;			\
> +	*(u32 *)(r10 - 8) = r0;			\
> +	exit;					\
> +"	::: __clobber_all);
> +}
> +
>  char _license[] SEC("license") = "GPL";


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27705665008

Re: [PATCH bpf v2 2/2] selftests/bpf: Cover stack nospec slot indexing

[sashiko-bot]

Thank you for your contribution! Sashiko AI review found 1 potential issue(s) to consider:
- [Medium] The `__xlated_unpriv` expectation strings contain an extra space in the frame pointer offsets (`r10 - 4` and `r10 - 8`), which will cause the strict substring match against the verifier disassembly to fail.
--

commit 14e5b2945bb48da1c1729feb483806b25ccac3aa
Author: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>

selftests/bpf: Cover stack nospec slot indexing

This commit adds a verifier test for fixed-offset stack writes where two
4-byte stores initialize opposite halves of the same stack slot. The test
runs through the unprivileged loader and expects both writes to emit
nospec instructions.

> diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> index c16f8382cf17d..d54e5b59e62e5 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
[ ... ]
> @@ -976,4 +976,26 @@ l0_%=:	exit;						\
>  	: __clobber_all);
>  }
>  
> +SEC("socket")
> +__description("unpriv: Spectre v4 stack write slot index")
> +__success __success_unpriv
> +__retval(0)
> +#ifdef SPEC_V4
> +__xlated_unpriv("r0 = 0")
> +__xlated_unpriv("*(u32 *)(r10 - 4) = r0")

[Severity: Medium]
Will this test fail due to the extra space in the offset? The BPF
disassembler typically formats negative offsets without a space after the
minus sign, like *(u32 *)(r10 -4) = r0. Since the selftest framework uses
exact substring matching for the __xlated_unpriv assertions, expecting
(r10 - 4) and (r10 - 8) might cause a spurious test failure.

> +__xlated_unpriv("nospec")
> +__xlated_unpriv("*(u32 *)(r10 - 8) = r0")
> +__xlated_unpriv("nospec")
> +__xlated_unpriv("exit")
> +#endif
> +__naked void stack_write_nospec_slot_index(void)
> +{
[ ... ]

-- 
Sashiko AI review · https://sashiko.dev/#/patchset/20260618-f01-11-stack-nospec-slot-index-v2-0-ede9495359b6@mails.tsinghua.edu.cn?part=2