bpf: Do not mark insn as seen under speculative path verification

mainline inclusion from mainline-v5.13-rc7 commit fe9a5ca7 category: bugfix bugzilla: NA CVE: CVE-2021-33624 -------------------------------- ... in such circumstances, we do not want to mark the instruction as seen given the goal is still to jmp-1 rewrite/sanitize dead code, if it is not reachable from the non-speculative path verification. We do however want to verify it for safety regardless. With the patch as-is all the insns that have been marked as seen before the patch will also be marked as seen after the patch (just with a potentially different non-zero count). An upcoming patch will also verify paths that are unreachable in the non-speculative domain, hence this extension is needed. Signed-off-by: N Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: N John Fastabend <john.fastabend@gmail.com> Reviewed-by: N Benedict Schlueter <benedict.schlueter@rub.de> Reviewed-by: N Piotr Krysiuk <piotras@gmail.com> Acked-by: N Alexei Starovoitov <ast@kernel.org> Conflicts: kernel/bpf/verifier.c pass_cnt is not introduced in kernel-4.19. Signed-off-by: N He Fengqing <hefengqing@huawei.com> Reviewed-by: N Kuohai Xu <xukuohai@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

bpf: Do not mark insn as seen under speculative path verification
mainline inclusion from mainline-v5.13-rc7 commit fe9a5ca7 category: bugfix bugzilla: NA CVE: CVE-2021-33624 -------------------------------- ... in such circumstances, we do not want to mark the instruction as seen given the goal is still to jmp-1 rewrite/sanitize dead code, if it is not reachable from the non-speculative path verification. We do however want to verify it for safety regardless. With the patch as-is all the insns that have been marked as seen before the patch will also be marked as seen after the patch (just with a potentially different non-zero count). An upcoming patch will also verify paths that are unreachable in the non-speculative domain, hence this extension is needed. Signed-off-by: N Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: N John Fastabend <john.fastabend@gmail.com> Reviewed-by: N Benedict Schlueter <benedict.schlueter@rub.de> Reviewed-by: N Piotr Krysiuk <piotras@gmail.com> Acked-by: N Alexei Starovoitov <ast@kernel.org> Conflicts: kernel/bpf/verifier.c pass_cnt is not introduced in kernel-4.19. Signed-off-by: N He Fengqing <hefengqing@huawei.com> Reviewed-by: N Kuohai Xu <xukuohai@huawei.com> Reviewed-by: N Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
b2fdc6d8 · Daniel Borkmann · Yang Yingliang · 9d1b583d · b2fdc6d8
显示空白变更内容
内联并排

Showing with 15 addition and 2 deletion

kernel/bpf/verifier.c kernel/bpf/verifier.c +15 -2

未找到文件。
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2932,6 +2932,19 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env,
 	return !ret ? REASON_STACK : 0;
 }
+static void sanitize_mark_insn_seen(struct bpf_verifier_env *env)
+{
+	struct bpf_verifier_state *vstate = env->cur_state;
+	/* If we simulate paths under speculation, we don't update the
+	 * insn as 'seen' such that when we verify unreachable paths in
+	 * the non-speculative domain, sanitize_dead_code() can still
+	 * rewrite/sanitize them.
+	 */
+	if (!vstate->speculative)
+		env->insn_aux_data[env->insn_idx].seen = true;
+}
 static int sanitize_err(struct bpf_verifier_env *env,
 			const struct bpf_insn *insn, int reason,
 			const struct bpf_reg_state *off_reg,
@@ -5466,7 +5479,7 @@ static int do_check(struct bpf_verifier_env *env)
 		}
 		regs = cur_regs(env);
-		env->insn_aux_data[env->insn_idx].seen = true;
+		sanitize_mark_insn_seen(env);
 		if (class == BPF_ALU || class == BPF_ALU64) {
 			err = check_alu_op(env, insn);
@@ -5687,7 +5700,7 @@ static int do_check(struct bpf_verifier_env *env)
 					return err;
 				env->insn_idx++;
-				env->insn_aux_data[env->insn_idx].seen = true;
+				sanitize_mark_insn_seen(env);
 			} else {
 				verbose(env, "invalid BPF_LD mode\n");
 				return -EINVAL;