* Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic [not found] <5d71646c-f897-2178-9d4a-fababe999f36@huawei.com> @ 2019-03-11 9:41 ` Daniel Borkmann 2019-03-11 11:13 ` Jason Yan 0 siblings, 1 reply; 4+ messages in thread From: Daniel Borkmann @ 2019-03-11 9:41 UTC (permalink / raw) To: Jason Yan Cc: Jann Horn, ast, gregkh, zhangyi (F), Zhaohongjiang, netdev, stable, bpf Hi Jason, On 03/11/2019 10:18 AM, Jason Yan wrote: > Hi, Daniel & Greg > > This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score: > > CVSS v3.0 Severity and Metrics: > Base Score: 9.8 CRITICAL > > And this patch is not in stable-4.4, would you please backport this patch to 4.4? We don't handle kernels as old as 4.4, so someone else would need to do the backporting e.g. from your side. The series has been backported to the last two most-recent stable kernels at that time (we usually follow netdev practice here), and there have been asks about 4.14 as well; I've been looking into backporting for the latter last two weeks on and off, but there are conflicts all over the place in fragile core areas where I didn't have enough free cycles to complete it yet. For old kernels, you're probably better off doing something like this in your tree instead of the huge complexity with a backport: diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c index bc34cf9..2cea2de 100644 --- a/kernel/bpf/syscall.c +++ b/kernel/bpf/syscall.c @@ -47,7 +47,7 @@ static DEFINE_SPINLOCK(prog_idr_lock); static DEFINE_IDR(map_idr); static DEFINE_SPINLOCK(map_idr_lock); -int sysctl_unprivileged_bpf_disabled __read_mostly; +int sysctl_unprivileged_bpf_disabled __read_mostly = 1; static const struct bpf_map_ops * const bpf_map_types[] = { #define BPF_PROG_TYPE(_id, _ops) Thanks, Daniel ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic 2019-03-11 9:41 ` 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic Daniel Borkmann @ 2019-03-11 11:13 ` Jason Yan 2019-03-11 18:54 ` Greg KH 0 siblings, 1 reply; 4+ messages in thread From: Jason Yan @ 2019-03-11 11:13 UTC (permalink / raw) To: Daniel Borkmann Cc: Jann Horn, ast, gregkh, zhangyi (F), Zhaohongjiang, netdev, stable, bpf On 2019/3/11 17:41, Daniel Borkmann wrote: > Hi Jason, > > On 03/11/2019 10:18 AM, Jason Yan wrote: >> Hi, Daniel & Greg >> >> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score: >> >> CVSS v3.0 Severity and Metrics: >> Base Score: 9.8 CRITICAL >> >> And this patch is not in stable-4.4, would you please backport this patch to 4.4? > > We don't handle kernels as old as 4.4, so someone else would need to > do the backporting e.g. from your side. The series has been backported > to the last two most-recent stable kernels at that time (we usually > follow netdev practice here), and there have been asks about 4.14 as > well; I've been looking into backporting for the latter last two weeks > on and off, but there are conflicts all over the place in fragile core > areas where I didn't have enough free cycles to complete it yet. For > old kernels, you're probably better off doing something like this in > your tree instead of the huge complexity with a backport: > Thanks for you kindly reply. > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index bc34cf9..2cea2de 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -47,7 +47,7 @@ static DEFINE_SPINLOCK(prog_idr_lock); > static DEFINE_IDR(map_idr); > static DEFINE_SPINLOCK(map_idr_lock); > > -int sysctl_unprivileged_bpf_disabled __read_mostly; > +int sysctl_unprivileged_bpf_disabled __read_mostly = 1; > Greg, is it possible to get this kind of mitigation into 4.4? Thanks, Jason > static const struct bpf_map_ops * const bpf_map_types[] = { > #define BPF_PROG_TYPE(_id, _ops) > > Thanks, > Daniel > > . > ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic 2019-03-11 11:13 ` Jason Yan @ 2019-03-11 18:54 ` Greg KH 2019-03-12 2:01 ` Jason Yan 0 siblings, 1 reply; 4+ messages in thread From: Greg KH @ 2019-03-11 18:54 UTC (permalink / raw) To: Jason Yan Cc: Daniel Borkmann, Jann Horn, ast, zhangyi (F), Zhaohongjiang, netdev, stable, bpf On Mon, Mar 11, 2019 at 07:13:14PM +0800, Jason Yan wrote: > > > On 2019/3/11 17:41, Daniel Borkmann wrote: > > Hi Jason, > > > > On 03/11/2019 10:18 AM, Jason Yan wrote: > > > Hi, Daniel & Greg > > > > > > This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score: > > > > > > CVSS v3.0 Severity and Metrics: > > > Base Score: 9.8 CRITICAL > > > > > > And this patch is not in stable-4.4, would you please backport this patch to 4.4? > > > > We don't handle kernels as old as 4.4, so someone else would need to > > do the backporting e.g. from your side. The series has been backported > > to the last two most-recent stable kernels at that time (we usually > > follow netdev practice here), and there have been asks about 4.14 as > > well; I've been looking into backporting for the latter last two weeks > > on and off, but there are conflicts all over the place in fragile core > > areas where I didn't have enough free cycles to complete it yet. For > > old kernels, you're probably better off doing something like this in > > your tree instead of the huge complexity with a backport: > > > > Thanks for you kindly reply. > > > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > > index bc34cf9..2cea2de 100644 > > --- a/kernel/bpf/syscall.c > > +++ b/kernel/bpf/syscall.c > > @@ -47,7 +47,7 @@ static DEFINE_SPINLOCK(prog_idr_lock); > > static DEFINE_IDR(map_idr); > > static DEFINE_SPINLOCK(map_idr_lock); > > > > -int sysctl_unprivileged_bpf_disabled __read_mostly; > > +int sysctl_unprivileged_bpf_disabled __read_mostly = 1; > > > > Greg, is it possible to get this kind of mitigation into 4.4? Why are you using a 4.4 kernel with untrusted userspace? The only reason to use 4.4.y at this point in time is if you have a huge SoC tree patchset that is not upstream. If you are using x86, you should be using 4.14.y or newer right now. That being said, no, I am not going to change the default here, that could break people's working setups. I would recommend you just setting this value in your initrd/setup scripts if you want it, that's why it is a sysctl :) thanks, greg k-h ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic 2019-03-11 18:54 ` Greg KH @ 2019-03-12 2:01 ` Jason Yan 0 siblings, 0 replies; 4+ messages in thread From: Jason Yan @ 2019-03-12 2:01 UTC (permalink / raw) To: Greg KH Cc: Daniel Borkmann, Jann Horn, ast, zhangyi (F), Zhaohongjiang, netdev, stable, bpf On 2019/3/12 2:54, Greg KH wrote: > On Mon, Mar 11, 2019 at 07:13:14PM +0800, Jason Yan wrote: >> >> >> On 2019/3/11 17:41, Daniel Borkmann wrote: >>> Hi Jason, >>> >>> On 03/11/2019 10:18 AM, Jason Yan wrote: >>>> Hi, Daniel & Greg >>>> >>>> This patch (979d63d50c0c bpf: prevent out of bounds speculation on pointer arithmetic) was assigned a CVE (CVE-2019-7308) with a high score: >>>> >>>> CVSS v3.0 Severity and Metrics: >>>> Base Score: 9.8 CRITICAL >>>> >>>> And this patch is not in stable-4.4, would you please backport this patch to 4.4? >>> >>> We don't handle kernels as old as 4.4, so someone else would need to >>> do the backporting e.g. from your side. The series has been backported >>> to the last two most-recent stable kernels at that time (we usually >>> follow netdev practice here), and there have been asks about 4.14 as >>> well; I've been looking into backporting for the latter last two weeks >>> on and off, but there are conflicts all over the place in fragile core >>> areas where I didn't have enough free cycles to complete it yet. For >>> old kernels, you're probably better off doing something like this in >>> your tree instead of the huge complexity with a backport: >>> >> >> Thanks for you kindly reply. >> >>> diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c >>> index bc34cf9..2cea2de 100644 >>> --- a/kernel/bpf/syscall.c >>> +++ b/kernel/bpf/syscall.c >>> @@ -47,7 +47,7 @@ static DEFINE_SPINLOCK(prog_idr_lock); >>> static DEFINE_IDR(map_idr); >>> static DEFINE_SPINLOCK(map_idr_lock); >>> >>> -int sysctl_unprivileged_bpf_disabled __read_mostly; >>> +int sysctl_unprivileged_bpf_disabled __read_mostly = 1; >>> >> >> Greg, is it possible to get this kind of mitigation into 4.4? > > Why are you using a 4.4 kernel with untrusted userspace? The only > reason to use 4.4.y at this point in time is if you have a huge SoC tree > patchset that is not upstream. If you are using x86, you should be > using 4.14.y or newer right now. > > That being said, no, I am not going to change the default here, that > could break people's working setups. I would recommend you just setting > this value in your initrd/setup scripts if you want it, that's why it is > a sysctl :) > Got it, thanks. Jason > thanks, > > greg k-h > > . > ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2019-03-12 2:01 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
[not found] <5d71646c-f897-2178-9d4a-fababe999f36@huawei.com>
2019-03-11 9:41 ` 979d63d50c0c0f7bc537bf821e056cc9fe5abd38 bpf: prevent out of bounds speculation on pointer arithmetic Daniel Borkmann
2019-03-11 11:13 ` Jason Yan
2019-03-11 18:54 ` Greg KH
2019-03-12 2:01 ` Jason Yan
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox