bpf: Prevent memory disambiguation attack (af86ca4e) · Commits · e / devices / android_kernel_oneplus_sm7250

include/linux/bpf_verifier.h

+1 −0

Original line number	Diff line number	Diff line
		@@ -146,6 +146,7 @@ struct bpf_insn_aux_data {
		s32 call_imm; /* saved imm field of call insn */
		};
		int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
		int sanitize_stack_off; /* stack slot to be cleared */
		bool seen; /* this insn was processed by the verifier */
		};

kernel/bpf/verifier.c

+56 −3

Original line number	Diff line number	Diff line
		@@ -978,7 +978,7 @@ static bool register_is_null(struct bpf_reg_state *reg)
		*/
		static int check_stack_write(struct bpf_verifier_env *env,
		struct bpf_func_state state, / func where register points to */
		int off, int size, int value_regno)
		int off, int size, int value_regno, int insn_idx)
		{
		struct bpf_func_state cur; / state of the current function */
		int i, slot = -off - 1, spi = slot / BPF_REG_SIZE, err;
		@@ -1017,8 +1017,33 @@ static int check_stack_write(struct bpf_verifier_env *env,
		state->stack[spi].spilled_ptr = cur->regs[value_regno];
		state->stack[spi].spilled_ptr.live \|= REG_LIVE_WRITTEN;

		for (i = 0; i < BPF_REG_SIZE; i++)
		for (i = 0; i < BPF_REG_SIZE; i++) {
		if (state->stack[spi].slot_type[i] == STACK_MISC &&
		!env->allow_ptr_leaks) {
		int *poff = &env->insn_aux_data[insn_idx].sanitize_stack_off;
		int soff = (-spi - 1) * BPF_REG_SIZE;

		/* detected reuse of integer stack slot with a pointer
		* which means either llvm is reusing stack slot or
		* an attacker is trying to exploit CVE-2018-3639
		* (speculative store bypass)
		* Have to sanitize that slot with preemptive
		* store of zero.
		*/
		if (poff && poff != soff) {
		/* disallow programs where single insn stores
		* into two different stack slots, since verifier
		* cannot sanitize them
		*/
		verbose(env,
		"insn %d cannot access two stack slots fp%d and fp%d",
		insn_idx, *poff, soff);
		return -EINVAL;
		}
		*poff = soff;
		}
		state->stack[spi].slot_type[i] = STACK_SPILL;
		}
		} else {
		u8 type = STACK_MISC;

		@@ -1694,7 +1719,7 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn

		if (t == BPF_WRITE)
		err = check_stack_write(env, state, off, size,
		value_regno);
		value_regno, insn_idx);
		else
		err = check_stack_read(env, state, off, size,
		value_regno);
		@@ -5169,6 +5194,34 @@ static int convert_ctx_accesses(struct bpf_verifier_env *env)
		else
		continue;

		if (type == BPF_WRITE &&
		env->insn_aux_data[i + delta].sanitize_stack_off) {
		struct bpf_insn patch[] = {
		/* Sanitize suspicious stack slot with zero.
		* There are no memory dependencies for this store,
		* since it's only using frame pointer and immediate
		* constant of zero
		*/
		BPF_ST_MEM(BPF_DW, BPF_REG_FP,
		env->insn_aux_data[i + delta].sanitize_stack_off,
		0),
		/* the original STX instruction will immediately
		* overwrite the same stack slot with appropriate value
		*/
		*insn,
		};

		cnt = ARRAY_SIZE(patch);
		new_prog = bpf_patch_insn_data(env, i + delta, patch, cnt);
		if (!new_prog)
		return -ENOMEM;

		delta += cnt - 1;
		env->prog = new_prog;
		insn = new_prog->insnsi + i + delta;
		continue;
		}

		if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
		continue;