angler-fishThe Vulnerability History Project

bpf: prevent out of bounds speculation on pointer arithmetic

      Jann reported that the original commit back in b2157399cc98
("bpf: prevent out-of-bounds speculation") was not sufficient
to stop CPU from speculating out of bounds memory access:
While b2157399cc98 only focussed on masking array map access
for unprivileged users for tail calls and data access such
that the user provided index gets sanitized from BPF program
and syscall side, there is still a more generic form affected
from BPF programs that applies to most maps that hold user
data in relation to dynamic map access when dealing with
unknown scalars or "slow" known scalars as access offset, for
example:

  - Load a map value pointer into R6
  - Load an index into R7
  - Do a slow computation (e.g. with a memory dependency) that
    loads a limit into R8 (e.g. load the limit from a map for
    high latency, then mask it to make the verifier happy)
  - Exit if R7 >= R8 (mispredicted branch)
  - Load R0 = R6[R7]
  - Load R0 = R6[
by Opal the Polar Bear 2019-01-02 23:58:34 UTC
commit 979d63d50c0c0f7bc537bf821e056cc9fe5abd38
Linux Kernel Fix CVE-2019-7308 VCC CVE-2019-7308 VCC Bad-Pointer-Function CVE-2020-27170 VCC CVE-2020-27171 VCC Speculative BPF Stack Loading CVE-2021-31829 VCC I Spy a Discrepancy CVE-2021-33624 VCC CVE-2021-34556 VCC CVE-2021-35477
include/linux/bpf_verifier.h
+10
kernel/bpf/verifier.c
+179 -6
expand_less