- 12 Jan, 2018 40 commits
-
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Set IBPB (Indirect Branch Prediction Barrier) when the current CPU is going to run a VCPU different from what was previously run. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit bb6edde44a0529ec52618c97a281719d968aaeab) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Set/restore the guests IBRS value on VM entry. On VM exit back to the kernel save the guest IBRS value and then set IBRS to 1. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit ae47b6df435ae255747a9aa1a5520bd9ef01005f) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Allow guest access to the speculative control MSRs without being intercepted. Signed-off-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 68c2587c0680813d57af0a4073fa22a95a15e980) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Add an IBPB feature check to the speculative control update check after a microcode reload. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 073bee2caa42ddde1134cb87c955b4cad7b7d38b) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tom Lendacky authored
CVE-2017-5753 CVE-2017-5715 Add speculative control support for AMD processors. For AMD, speculative control is indicated as follows: CPUID EAX=0x00000007, ECX=0x00 return EDX[26] indicates support for both IBRS and IBPB. CPUID EAX=0x80000008, ECX=0x00 return EBX[12] indicates support for just IBPB. On AMD family 0x10, 0x12 and 0x16 processors where either of the above features are not supported, IBPB can be achieved by disabling indirect branch predictor support in MSR 0xc0011021[14] at boot. Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 38994a3e1a9288622cb170bc89d037ca8f2b0fb6) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Borislav Petkov authored
CVE-2017-5753 CVE-2017-5715 The kernel accesses IC_CFG MSR (0xc0011021) on AMD because it checks whether the way access filter is enabled on some F15h models, and, if so, disables it. kvm doesn't handle that MSR access and complains about it, which can get really noisy in dmesg when one starts kvm guests all the time for testing. And it is useless anyway - guest kernel shouldn't be doing such changes anyway so tell it that that filter is disabled. Signed-off-by: Borislav Petkov <bp@suse.de> Reviewed-by: Paolo Bonzini <pbonzini@redhat.com> Cc: Andy Lutomirski <luto@amacapital.net> Cc: Borislav Petkov <bp@alien8.de> Cc: Brian Gerst <brgerst@gmail.com> Cc: Denys Vlasenko <dvlasenk@redhat.com> Cc: H. Peter Anvin <hpa@zytor.com> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Link: http://lkml.kernel.org/r/1448273546-2567-4-git-send-email-bp@alien8.deSigned-off-by: Ingo Molnar <mingo@kernel.org> (cherry picked from commit ae8b7875) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 48ec0cfa6dac428470e30855e2d9751e00e2ba6c) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 To prevent the unused registers %r8-%r15, from being used speculatively, we clear them upon syscall entrance for code hygiene in 32 bit compatible mode. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 85910f3f9cd728acce9ef34a6df4f8bf8714d006) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 To prevent the unused registers %r12-%r15, %rbp and %rbx from being used speculatively, we clear them upon syscall entrance for code hygiene. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 20018a1207a68ee311e9e080f8589e23a0e14852) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 33e16ee8bd43aa4f065e17abbe9ed66457327b84) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 There are 2 ways to control IBPB and IBRS 1. At boot time noibrs kernel boot parameter will disable IBRS usage noibpb kernel boot parameter will disable IBPB usage Otherwise if the above parameters are not specified, the system will enable ibrs and ibpb usage if the cpu supports it. 2. At run time echo 0 > /proc/sys/kernel/ibrs_enabled will turn off IBRS echo 1 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in kernel echo 2 > /proc/sys/kernel/ibrs_enabled will turn on IBRS in both userspace and kernel Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 50169d8fada2532084c9f8ccde51c6c9211603d5) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Add code to pad the local CPU's RSB entries to protect from previous less privilege mode. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 65ced0bf5b4bb86d1fa08200b57a5f55617ad7ad) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Restore guest IBRS on VM entry and set it to 1 on VM exit back to kernel. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 08aeb17b6385ac5b82d73753ac43cc8c7cff5d5c) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Set IBPB (Indirect branch prediction barrier) when switching VM. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 472524f41206beb0a29c08f10689648a3dcd7707) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Wei Wang authored
CVE-2017-5753 CVE-2017-5715 Add field to access guest MSR_IA332_SPEC_CTRL and MSR_IA32_PRED_CMD state. Signed-off-by: Wei Wang <wei.w.wang@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit f93ba2a9b5ab2c275e9adc10876cc0425a33eec0) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Stuff RSB to prevent RSB underflow on non-SMEP platform. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 183ab2f8dfb26ad2c83602af3ee9a5f11d65128b) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 To reduce overhead of setting IBPB, we only do that when the new thread cannot ptrace the current one. If the new thread has ptrace capability on current thread, it is safe. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 294ed6288a44f78781cf33cc9de32c50630c1646) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Set IBPB on context switch with changing of page table. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 172351a2ae2c03d501e1d5933b8f50f6cd459186) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Clear IBRS when cpu is offlined and set it when brining it back online. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit ca09185cd600fc8e43a9bb5ddec61103039930b3) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Clear IBRS on idle entry and set it on idle exit into kernel on mwait. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit c2a2a232b0553e32a7bfe198a40f377bd1ba016d) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Set IBRS upon kernel entrance via syscall and interrupts. Clear it upon exit. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit bb6c1a01e82fb0eb14d1229fd71a99ed285d330d) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Setup macros to control IBRS and IBPB Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 582c3ac1ea2fd287fca743f4e498e844a0e2b606) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 Report presence of IBPB and IBRS. Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit e6941d30960ab43adfa0bbb446e73036bfb52842) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Tim Chen authored
CVE-2017-5753 CVE-2017-5715 cpuid ax=0x7, return rdx bit 26 to indicate presence of this feature IA32_SPEC_CTRL (0x48) and IA32_PRED_CMD (0x49) IA32_SPEC_CTRL, bit0 – Indirect Branch Restricted Speculation (IBRS) IA32_PRED_CMD, bit0 – Indirect Branch Prediction Barrier (IBPB) Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (backported from commit 40b5e1635733891442f6dab9181ffeb3dd26a8d7) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 Real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit b1ff40b60f2b6c5e731b338d429fb06ef7087ace) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 Real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit f84272a4586cddd342fa5570d4aafc223345a844) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 Real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 8a0f2aeaa333f5c4e41b5d366745015fa855232f) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 Real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 2b6906d0cf28910144b1e1816861097b2ae3d4a1) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 Real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit bf5352bb462ac0acf4ebca109e964666f845bd54) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 Real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 7ef8b5b36b47e74d35506760175eaf1f4235068b) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 Real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit a2ef3475fff03ae6fcdf07163d3a762e9811e3be) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 Real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 19299d3cee99e47bec3ace5d654eeb8fa6365bfd) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 real commit text tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 5d9ab7231ea9f5a1b0c3cb612e20b0b486a5bdca) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 When constant blinding is enabled (bpf_jit_harden = 1), this adds a generic memory barrier (lfence for intel, mfence for AMD) before emitting x86 jitted code for the BPF_ALU(64)_OR_X and BPF_ALU_LHS_X (for BPF_REG_AX register) eBPF instructions. This is needed in order to prevent speculative execution on out of bounds BPF_MAP array indexes when JIT is enabled. This way an arbitary kernel memory is not exposed through side-channel attacks. For more details, please see this Google Project Zero report: tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 33f5e63378ad75331315216b459362b0a5350662) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 This adds a generic memory barrier before LD_IMM_DW and LDX_MEM_B/H/W/DW eBPF instructions during eBPF program execution in order to prevent speculative execution on out of bound BFP_MAP array indexes. This way an arbitary kernel memory is not exposed through side channel attacks. For more details, please see this Google Project Zero report: tbd Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 69cfcc33d4ec282f14e47f1705bf45117e557b69) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Elena Reshetova authored
CVE-2017-5753 CVE-2017-5715 In constrast to existing mb() and rmb() barriers, gmb() barrier is arch-independent and can be used to implement any type of memory barrier. In x86 case, it is either lfence or mfence, based on processor type. ARM and others can define it according to their needs. Suggested-by: Arjan van de Ven <arjan@linux.intel.com> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com> Signed-off-by: Andy Whitcroft <apw@canonical.com> (cherry picked from commit 15cdd6b1b8bdf69f6318b64650b342c38cc58451) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Daniel Borkmann authored
CVE-2017-5753 CVE-2017-5715 This work adds a generic facility for use from eBPF JIT compilers that allows for further hardening of JIT generated images through blinding constants. In response to the original work on BPF JIT spraying published by Keegan McAllister [1], most BPF JITs were changed to make images read-only and start at a randomized offset in the page, where the rest was filled with trap instructions. We have this nowadays in x86, arm, arm64 and s390 JIT compilers. Additionally, later work also made eBPF interpreter images read only for kernels supporting DEBUG_SET_MODULE_RONX, that is, x86, arm, arm64 and s390 archs as well currently. This is done by default for mentioned JITs when JITing is enabled. Furthermore, we had a generic and configurable constant blinding facility on our todo for quite some time now to further make spraying harder, and first implementation since around netconf 2016. We found that for systems where untrusted users can load cBPF/eBPF code where JIT is enabled, start offset randomization helps a bit to make jumps into crafted payload harder, but in case where larger programs that cross page boundary are injected, we again have some part of the program opcodes at a page start offset. With improved guessing and more reliable payload injection, chances can increase to jump into such payload. Elena Reshetova recently wrote a test case for it [2, 3]. Moreover, eBPF comes with 64 bit constants, which can leave some more room for payloads. Note that for all this, additional bugs in the kernel are still required to make the jump (and of course to guess right, to not jump into a trap) and naturally the JIT must be enabled, which is disabled by default. For helping mitigation, the general idea is to provide an option bpf_jit_harden that admins can tweak along with bpf_jit_enable, so that for cases where JIT should be enabled for performance reasons, the generated image can be further hardened with blinding constants for unpriviledged users (bpf_jit_harden == 1), with trading off performance for these, but not for privileged ones. We also added the option of blinding for all users (bpf_jit_harden == 2), which is quite helpful for testing f.e. with test_bpf.ko. There are no further e.g. hardening levels of bpf_jit_harden switch intended, rationale is to have it dead simple to use as on/off. Since this functionality would need to be duplicated over and over for JIT compilers to use, which are already complex enough, we provide a generic eBPF byte-code level based blinding implementation, which is then just transparently JITed. JIT compilers need to make only a few changes to integrate this facility and can be migrated one by one. This option is for eBPF JITs and will be used in x86, arm64, s390 without too much effort, and soon ppc64 JITs, thus that native eBPF can be blinded as well as cBPF to eBPF migrations, so that both can be covered with a single implementation. The rule for JITs is that bpf_jit_blind_constants() must be called from bpf_int_jit_compile(), and in case blinding is disabled, we follow normally with JITing the passed program. In case blinding is enabled and we fail during the process of blinding itself, we must return with the interpreter. Similarly, in case the JITing process after the blinding failed, we return normally to the interpreter with the non-blinded code. Meaning, interpreter doesn't change in any way and operates on eBPF code as usual. For doing this pre-JIT blinding step, we need to make use of a helper/auxiliary register, here BPF_REG_AX. This is strictly internal to the JIT and not in any way part of the eBPF architecture. Just like in the same way as JITs internally make use of some helper registers when emitting code, only that here the helper register is one abstraction level higher in eBPF bytecode, but nevertheless in JIT phase. That helper register is needed since f.e. manually written program can issue loads to all registers of eBPF architecture. The core concept with the additional register is: blind out all 32 and 64 bit constants by converting BPF_K based instructions into a small sequence from K_VAL into ((RND ^ K_VAL) ^ RND). Therefore, this is transformed into: BPF_REG_AX := (RND ^ K_VAL), BPF_REG_AX ^= RND, and REG <OP> BPF_REG_AX, so actual operation on the target register is translated from BPF_K into BPF_X one that is operating on BPF_REG_AX's content. During rewriting phase when blinding, RND is newly generated via prandom_u32() for each processed instruction. 64 bit loads are split into two 32 bit loads to make translation and patching not too complex. Only basic thing required by JITs is to call the helper bpf_jit_blind_constants()/bpf_jit_prog_release_other() pair, and to map BPF_REG_AX into an unused register. Small bpf_jit_disasm extract from [2] when applied to x86 JIT: echo 0 > /proc/sys/net/core/bpf_jit_harden ffffffffa034f5e9 + <x>: [...] 39: mov $0xa8909090,%eax 3e: mov $0xa8909090,%eax 43: mov $0xa8ff3148,%eax 48: mov $0xa89081b4,%eax 4d: mov $0xa8900bb0,%eax 52: mov $0xa810e0c1,%eax 57: mov $0xa8908eb4,%eax 5c: mov $0xa89020b0,%eax [...] echo 1 > /proc/sys/net/core/bpf_jit_harden ffffffffa034f1e5 + <x>: [...] 39: mov $0xe1192563,%r10d 3f: xor $0x4989b5f3,%r10d 46: mov %r10d,%eax 49: mov $0xb8296d93,%r10d 4f: xor $0x10b9fd03,%r10d 56: mov %r10d,%eax 59: mov $0x8c381146,%r10d 5f: xor $0x24c7200e,%r10d 66: mov %r10d,%eax 69: mov $0xeb2a830e,%r10d 6f: xor $0x43ba02ba,%r10d 76: mov %r10d,%eax 79: mov $0xd9730af,%r10d 7f: xor $0xa5073b1f,%r10d 86: mov %r10d,%eax 89: mov $0x9a45662b,%r10d 8f: xor $0x325586ea,%r10d 96: mov %r10d,%eax [...] As can be seen, original constants that carry payload are hidden when enabled, actual operations are transformed from constant-based to register-based ones, making jumps into constants ineffective. Above extract/example uses single BPF load instruction over and over, but of course all instructions with constants are blinded. Performance wise, JIT with blinding performs a bit slower than just JIT and faster than interpreter case. This is expected, since we still get all the performance benefits from JITing and in normal use-cases not every single instruction needs to be blinded. Summing up all 296 test cases averaged over multiple runs from test_bpf.ko suite, interpreter was 55% slower than JIT only and JIT with blinding was 8% slower than JIT only. Since there are also some extremes in the test suite, I expect for ordinary workloads that the performance for the JIT with blinding case is even closer to JIT only case, f.e. nmap test case from suite has averaged timings in ns 29 (JIT), 35 (+ blinding), and 151 (interpreter). BPF test suite, seccomp test suite, eBPF sample code and various bigger networking eBPF programs have been tested with this and were running fine. For testing purposes, I also adapted interpreter and redirected blinded eBPF image to interpreter and also here all tests pass. [1] http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html [2] https://github.com/01org/jit-spray-poc-for-ksp/ [3] http://www.openwall.com/lists/kernel-hardening/2016/05/03/5Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Elena Reshetova <elena.reshetova@intel.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> (backported from commit 4f3446bb) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Daniel Borkmann authored
CVE-2017-5753 CVE-2017-5715 Since the blinding is strictly only called from inside eBPF JITs, we need to change signatures for bpf_int_jit_compile() and bpf_prog_select_runtime() first in order to prepare that the eBPF program we're dealing with can change underneath. Hence, for call sites, we need to return the latest prog. No functional change in this patch. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit d1c55ab5) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Daniel Borkmann authored
CVE-2017-5753 CVE-2017-5715 Move the functionality to patch instructions out of the verifier code and into the core as the new bpf_patch_insn_single() helper will be needed later on for blinding as well. No changes in functionality. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit c237ee5e) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-
Borislav Petkov authored
CVE-2017-5754 This needs to happen early in kaiser_pagetable_walk(), before the hierarchy is established so that _PAGE_USER permission can be really set. A proper fix would be to teach kaiser_pagetable_walk() to update those permissions but the vsyscall page is the only exception here so ... Signed-off-by: Borislav Petkov <bp@suse.de> Acked-by: Hugh Dickins <hughd@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> (cherry picked from commit 6dcf5491) Signed-off-by: Andy Whitcroft <apw@canonical.com>
-