From nobody Tue Feb 10 16:18:32 2026 Received: from mx-rz-1.rrze.uni-erlangen.de (mx-rz-1.rrze.uni-erlangen.de [131.188.11.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 14D851FDA; Mon, 21 Apr 2025 09:54:15 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=131.188.11.20 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745229258; cv=none; b=NT+mpnsJF+mjaiGnDvuj85ClLdyXdgXO2L+0uhmca8ddDcMUVM/pLU3Ec7tieFOvpoC39a86XW8/UXKNOAhNm7Q+0i/M21Vlvx5iwIldeYJf1RlOdpdQBBeBGxxUM+JxjYpJPKsOwiaWhpDHD+gJgzgwy1vvGGh/33v1nCew9CA= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1745229258; c=relaxed/simple; bh=Bsxy83sV+aLpgZa2K6XIId2owpYugeTpuEhUEX6nBdU=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; b=pehsHAhFZ8DvkcjXrM/j+oVUKwaZgRopSaxWbCACAhkW763yICJkG7BLcc+UeL2B29e5xkvyLaLRCCfhyS/DAuXuZZYYhW+pwTi9vZf3+bicGpaAzfKQ3WSlJ4GjaxiIh9C1rR4YQvxJlbJMaT7IQd9rvTJRD0OTqu1vxcr+mR0= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fau.de; spf=pass smtp.mailfrom=fau.de; dkim=pass (2048-bit key) header.d=fau.de header.i=@fau.de header.b=FmoeyPFH; arc=none smtp.client-ip=131.188.11.20 Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=fau.de Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=fau.de Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=fau.de header.i=@fau.de header.b="FmoeyPFH" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=fau.de; s=fau-2021; t=1745229253; bh=M6SlcB7avZDd+J/3syrPS0F9RsnPBXVsCWz4nLp28do=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:To:CC: Subject; b=FmoeyPFHIVK2HT7So63JnWXVoEOlP5X4jWvvMPaFcZYCbcFcPC6reRfSbUJIZWmaX EX0JEjg7HSEOqbyAmzztmbQn8+AsLyXQCPaXYm8ppn3xFx1LnelD6L6dLR1MQtQ8yE qlS6lsUhJJa8acyMRODP5/5gxauu95XGq41Kf2CvN9T+PfWdWts/3xxcNszw7uSzHs rGW8xids7ZQUcv9rIjkSwlFQfMecK+U2t/Gg79yYRWHNh0RtBHMMsznd/1lYFCMD0u wHRuq4nn717GjLihA8legNWnpN47OQnIuBrlk9U1rjBY1ayRgDva3f2FWGO4mKcc92 NeC50vSdYJK5Q== Received: from mx-rz-smart.rrze.uni-erlangen.de (mx-rz-smart.rrze.uni-erlangen.de [IPv6:2001:638:a000:1025::1e]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-rz-1.rrze.uni-erlangen.de (Postfix) with ESMTPS id 4Zh1113gNyz8syk; Mon, 21 Apr 2025 11:54:13 +0200 (CEST) X-Virus-Scanned: amavisd-new at boeck5.rrze.uni-erlangen.de (RRZE) X-RRZE-Flag: Not-Spam X-RRZE-Submit-IP: 2001:9e8:3600:7e00:5b67:6b9c:caeb:75c Received: from luis-tp.fritz.box (unknown [IPv6:2001:9e8:3600:7e00:5b67:6b9c:caeb:75c]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: U2FsdGVkX1+ek67R2sSwJhlHDH3iNjZTWMHvdQkVmBs=) by smtp-auth.uni-erlangen.de (Postfix) with ESMTPSA id 4Zh10x2lSXz8sv4; Mon, 21 Apr 2025 11:54:09 +0200 (CEST) From: Luis Gerhorst To: Alexei Starovoitov , Daniel Borkmann , Andrii Nakryiko , Martin KaFai Lau , Eduard Zingerman , Song Liu , Yonghong Song , John Fastabend , KP Singh , Stanislav Fomichev , Hao Luo , Jiri Olsa , Puranjay Mohan , Xu Kuohai , Catalin Marinas , Will Deacon , Hari Bathini , Christophe Leroy , Naveen N Rao , Madhavan Srinivasan , Michael Ellerman , Nicholas Piggin , Mykola Lysenko , Shuah Khan , Luis Gerhorst , Henriette Herzog , Saket Kumar Bhaskar , Cupertino Miranda , Jiayuan Chen , Matan Shachnai , Dimitar Kanaliev , Shung-Hsi Yu , Daniel Xu , bpf@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-kernel@vger.kernel.org, linuxppc-dev@lists.ozlabs.org, linux-kselftest@vger.kernel.org Cc: Maximilian Ott , Milan Stephan Subject: [PATCH bpf-next v2 10/11] bpf: Allow nospec-protected var-offset stack access Date: Mon, 21 Apr 2025 11:18:01 +0200 Message-ID: <20250421091802.3234859-11-luis.gerhorst@fau.de> X-Mailer: git-send-email 2.49.0 In-Reply-To: <20250421091802.3234859-1-luis.gerhorst@fau.de> References: <20250421091802.3234859-1-luis.gerhorst@fau.de> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" Insert a nospec before the access to prevent it from ever using an index that is subject to speculative scalar-confusion. The access itself can either happen directly in the BPF program (reads only, check_stack_read_var_off()) or in a helper (read/write, check_helper_mem_access()). This relies on the fact that the speculative scalar confusion that leads to the variable-stack access going OOBs must stem from a prior speculative store or branch bypass. Adding a nospec before the variable-stack access will force all previously bypassed stores/branches to complete and cause the stack access to only ever go to the stack slot that is accessed architecturally. Alternatively, the variable-offset stack access might be a write that can itself be subject to speculative store bypass (this can happen in theory even if this code adds a nospec /before/ the variable-offset write). Only indirect writes by helpers might be affected here (e.g., those taking ARG_PTR_TO_MAP_VALUE). (Because check_stack_write_var_off() does not use check_stack_range_initialized(), in-program variable-offset writes are not affected.) If the in-helper write can be subject to Spectre v4 and the helper writes/overwrites pointers on the BPF stack, they are already a problem for fixed-offset stack accesses and should be subject to Spectre v4 sanitization. Signed-off-by: Luis Gerhorst Acked-by: Henriette Herzog Cc: Maximilian Ott Cc: Milan Stephan --- kernel/bpf/verifier.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 92490964eb3b..2cd925b915e0 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -7894,6 +7894,11 @@ static int check_atomic(struct bpf_verifier_env *env= , struct bpf_insn *insn) } } =20 +static struct bpf_insn_aux_data *cur_aux(const struct bpf_verifier_env *en= v) +{ + return &env->insn_aux_data[env->insn_idx]; +} + /* When register 'regno' is used to read the stack (either directly or thr= ough * a helper function) make sure that it's within stack boundary and, depen= ding * on the access type and privileges, that all elements of the stack are @@ -7933,18 +7938,18 @@ static int check_stack_range_initialized( if (tnum_is_const(reg->var_off)) { min_off =3D max_off =3D reg->var_off.value + off; } else { - /* Variable offset is prohibited for unprivileged mode for + /* Variable offset requires a nospec for unprivileged mode for * simplicity since it requires corresponding support in * Spectre masking for stack ALU. * See also retrieve_ptr_limit(). */ if (!env->bypass_spec_v1) { - char tn_buf[48]; - - tnum_strn(tn_buf, sizeof(tn_buf), reg->var_off); - verbose(env, "R%d variable offset stack access prohibited for !root, va= r_off=3D%s\n", - regno, tn_buf); - return -EACCES; + /* Allow the access, but prevent it from using a + * speculative offset using a nospec before the + * dereference op. + */ + cur_aux(env)->nospec =3D true; + WARN_ON_ONCE(cur_aux(env)->alu_state); } /* Only initialized buffer on stack is allowed to be accessed * with variable offset. With uninitialized buffer it's hard to @@ -11172,11 +11177,6 @@ static int check_get_func_ip(struct bpf_verifier_e= nv *env) return -ENOTSUPP; } =20 -static struct bpf_insn_aux_data *cur_aux(const struct bpf_verifier_env *en= v) -{ - return &env->insn_aux_data[env->insn_idx]; -} - static bool loop_flag_is_zero(struct bpf_verifier_env *env) { struct bpf_reg_state *regs =3D cur_regs(env); --=20 2.49.0