From mboxrd@z Thu Jan 1 00:00:00 1970 Return-path: Received: from mga04.intel.com ([192.55.52.120]) by Galois.linutronix.de with esmtps (TLS1.2:DHE_RSA_AES_256_CBC_SHA256:256) (Exim 4.80) (envelope-from ) id 1fJS5Z-0003O6-R8 for speck@linutronix.de; Fri, 18 May 2018 01:13:38 +0200 Subject: [MODERATED] Re: Generic eBPF hardening References: <20180517222233.xk3favfebt4wiiid@ast-mbp> From: Dave Hansen Message-ID: <96c4efff-c9ef-ee4d-e2cc-f813ef21449b@linux.intel.com> Date: Thu, 17 May 2018 16:13:32 -0700 MIME-Version: 1.0 In-Reply-To: <20180517222233.xk3favfebt4wiiid@ast-mbp> Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit To: speck@linutronix.de List-ID: On 05/17/2018 03:22 PM, speck for Alexei Starovoitov wrote: > On Thu, May 17, 2018 at 01:55:38PM -0700, speck for Dave Hansen wrote: >> I'm hoping Alexei is on the list now. >> >> Andi Kleen and I were talking about ways to generally harden eBPF. We >> were a bit concerned that eBPF could leave around attacker-controlled >> values on the stack that might allow later, speculatively-executed >> kernel code to be exploited. >> >> One thing I wanted to clarify: The eBPF stack (BPF_REG_FP) *is* the >> kernel stack, correct? > yes. bpf program stack is kernel stack, > but I don't see how this is useful. > There are plenty of ways to populate kernel stack with user controlled > bytes. Ex: set_task_comm. In most places in the kernel, it's hard to both get data on the stack that you control *and* execute code that you (mostly) control. For the vast majority of the kernel, you are entirely at the mercy of the compiler to give you the code and the stack layout. BPF currently gives you pretty good control of both, though. Zeroing the stack would at least take away one source of gadgets: kernel code that speculatively consumes uninitialized data from the stack.