Re: [PATCH 4.19 00/13] bpf: backport fixes for CVE-2021-34556/CVE-2021-35477

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <greg@kroah.com>
To: Ovidiu Panait <ovidiu.panait@windriver.com>
Cc: stable@vger.kernel.org, bpf@vger.kernel.org, daniel@iogearbox.net
Subject: Re: [PATCH 4.19 00/13] bpf: backport fixes for CVE-2021-34556/CVE-2021-35477
Date: Wed, 15 Sep 2021 14:39:39 +0200	[thread overview]
Message-ID: <YUHpi57yv6DX/AtN@kroah.com> (raw)
In-Reply-To: <20210913153537.2162465-1-ovidiu.panait@windriver.com>

On Mon, Sep 13, 2021 at 06:35:24PM +0300, Ovidiu Panait wrote:
> Backport summary
> ----------------
> 679c782de14b ("bpf/verifier: per-register parent pointers")
> 	* Context patch for 2039f26f3aca5 ("bpf: Fix leakage due to
> 	  insufficient speculative store bypass mitigation").
> 	* Context adjustments because of the code added by post-4.19 commit:
> 	  f92a819b4cbef ("bpf: prevent out of bounds speculation on pointer
> 	  arithmetic").
> 
> 0bae2d4d62d5 ("bpf: correct slot_type marking logic to allow more stack slot sharing")
> 	* Context patch for 2039f26f3aca5 ("bpf: Fix leakage due to
> 	  insufficient speculative store bypass mitigation").
> 	* Minor context adjustement in selftest.
> 
> 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
> 	* Context patch for 2039f26f3aca5 ("bpf: Fix leakage due to
> 	  insufficient speculative store bypass mitigation").
> 	* 4.19 does not have the reg_state(env, regno) helper defined, so
> 	  replace the call with "cur_regs(env) + regno".
> 
> f2bcd05ec7b8 ("bpf: Reject indirect var_off stack access in raw mode")
> 	* Follow-up fix for 2011fccfb61bb ("bpf: Support variable offset stack
> 	  access from helpers").
> 	* Clean cherry-pick.
> 
> 088ec26d9c2d ("bpf: Reject indirect var_off stack access in unpriv")
> 	* Follow-up fix for 2011fccfb61bb ("bpf: Support variable offset stack
> 	  access from helpers").
> 	* Drop comment in retrieve_ptr_limit(), as it was made obsolete by
> 	  post-4.19 commit 45bfdd767e235 ("bpf: Tighten speculative pointer
> 	  arithmetic mask").
> 
> 107c26a70ca8 ("bpf: Sanity check max value for var_off stack access")
> 	* Follow-up fix for 2011fccfb61bb ("bpf: Support variable offset stack
> 	  access from helpers").
> 	* Clean cherry-pick.
> 
> 8ff80e96e3cc ("selftests/bpf: Test variable offset stack access")
> 	* Selftest follow-up for 2011fccfb61bb ("bpf: Support variable offset
> 	  stack access from helpers").
> 	* Post-4.19, the verifier tests were split into different
> 	  files, in 4.19 they are still all in test_verifier.c, so apply the
> 	  changes manually.
> 
> f7cf25b2026d ("bpf: track spill/fill of constants")
> 	* Context patch for 2039f26f3aca5 ("bpf: Fix leakage due to
> 	  insufficient speculative store bypass mitigation").
> 	* Drop verbose_linfo() calls, as the function is not implemented in 4.19.
> 	* Adjust mark_reg_read() calls to match the prototype in 4.19.
> 	  (mark_reg_read() was changed to take 4 parameters in post-4.19 commit
> 	  5327ed3d44b75("bpf: verifier: mark verified-insn with sub-register
> 	  zext flag"), but backporting it is out of scope for this patchseries).
> 
> fc559a70d57c ("selftests/bpf: fix tests due to const spill/fill")
> 	* Selftest follow-up for f7cf25b2026d ("bpf: track spill/fill of constants").
> 	* Post-4.19, the verifier tests were split into different
> 	  files, in 4.19 they are still all in test_verifier.c, so apply the
> 	  changes manually.
> 
> f5e81d111750 ("bpf: Introduce BPF nospec instruction for mitigating Spectre v4")
> 	* Contextual adjustments.
> 	* Drop arch/powerpc/net/bpf_jit_comp32.c changes, as the file is not
> 	  present in 4.19
> 	* Drop riscv changes, as arch/riscv/net/bpf_jit_comp.c file is not
> 	  present in 4.19
> 
> 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
> 	* Contextual adjustments.
> 	* Apply check_stack_write_fixed_off() changes in check_stack_write().
> 	* Replace env->bypass_spec_v4 -> env->allow_ptr_leaks.
> 
> c9e73e3d2b1e ("bpf: verifier: Allocate idmap scratch in verifier env")
> e042aa532c84 ("bpf: Fix pointer arithmetic mask tightening under state")
> 	* Contextual adjustments.
> 
> With this patchseries all bpf verifier selftests pass (tested in qemu for x86_64):
> root@intel-x86-64:~# ./test_verifier
> ...
> #663/p pass modified ctx pointer to helper, 3 OK
> #664/p mov64 src == dst OK
> #665/p mov64 src != dst OK
> #666/u calls: ctx read at start of subprog OK
> #666/p calls: ctx read at start of subprog OK
> Summary: 932 PASSED, 0 SKIPPED, 0 FAILED
> 

All now queued up, thanks for the backports!

greg k-h

     prev parent reply	other threads:[~2021-09-15 12:39 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-09-13 15:35 [PATCH 4.19 00/13] bpf: backport fixes for CVE-2021-34556/CVE-2021-35477 Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 01/13] bpf/verifier: per-register parent pointers Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 02/13] bpf: correct slot_type marking logic to allow more stack slot sharing Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 03/13] bpf: Support variable offset stack access from helpers Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 04/13] bpf: Reject indirect var_off stack access in raw mode Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 05/13] bpf: Reject indirect var_off stack access in unpriv mode Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 06/13] bpf: Sanity check max value for var_off stack access Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 07/13] selftests/bpf: Test variable offset " Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 08/13] bpf: track spill/fill of constants Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 09/13] selftests/bpf: fix tests due to const spill/fill Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 10/13] bpf: Introduce BPF nospec instruction for mitigating Spectre v4 Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 11/13] bpf: Fix leakage due to insufficient speculative store bypass mitigation Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 12/13] bpf: verifier: Allocate idmap scratch in verifier env Ovidiu Panait
2021-09-13 15:35 ` [PATCH 4.19 13/13] bpf: Fix pointer arithmetic mask tightening under state pruning Ovidiu Panait
2021-09-15 12:39 ` Greg KH [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YUHpi57yv6DX/AtN@kroah.com \
    --to=greg@kroah.com \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=ovidiu.panait@windriver.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox