Land additional kernel patches for Spectre
Issue description

This bug tracks work to land additional kernel patches for Spectre to our kernel trees. The patches add lfence, or equivalent for other architectures, at sites where gadgets useful for Spectre may exist.
Feb 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/217b5f5e8605f0d50d28a0420f0603289f521c28

commit 217b5f5e8605f0d50d28a0420f0603289f521c28
Author: Greg Kerr <kerrnel@chromium.org>
Date: Thu Feb 08 20:58:06 2018

FROMGIT: bpf: add barrier to prevent bounds check bypass in eBPF interpreter

This adds a generic memory barrier before LD_IMM_DW and LDX_MEM_B/H/W/DW eBPF instructions during eBPF program execution in order to add barrier to prevent bounds check bypass on out of bound BPF_MAP array indexes. This way arbitrary kernel memory is not exposed through side channel attacks.

BUG= chromium:809607
TEST=Built amd64-generic and ran trybots.
CQ-DEPEND=CL:903262

----

UPSTREAM: From dd7f63c9dfeb99d6922b2992e1d0db9a161cdadb Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Mon, 4 Sep 2017 13:11:44 +0300
Subject: [PATCH 14/27] bpf: add barrier to prevent bounds check bypass in eBPF interpreter

For more details, please see this Google Project Zero report: tbd

Change-Id: I4fbb29aed04922a53d487d9ee58468a3490febb9
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-on: https://chromium-review.googlesource.com/903247
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/217b5f5e8605f0d50d28a0420f0603289f521c28/kernel/bpf/core.c
Feb 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/510fd35e03bcbb70921ca878e21170dac913fa07

commit 510fd35e03bcbb70921ca878e21170dac913fa07
Author: Greg Kerr <kerrnel@chromium.org>
Date: Thu Feb 08 20:58:03 2018

CHROMIUM: locking/barriers: introduce new memory barrier gmb()

In contrast to existing mb() and rmb() barriers, gmb() barrier is arch-independent and can be used to implement any type of memory barrier. In the x86 case, it is either lfence or mfence, based on processor type. ARM and others can define it according to their needs.

BUG= chromium:809607
TEST=Built amd64-generic and ran trybots.

----

UPSTREAM: From 4c0b03647db71e5e9881eb216eef6f20665dd151 Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Mon, 4 Sep 2017 13:11:43 +0300
Subject: [PATCH 13/27] locking/barriers: introduce new memory barrier gmb()

Change-Id: Ib673f6e8787804aeaa23d0670c98ee90f6ad3566
Suggested-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-on: https://chromium-review.googlesource.com/903262
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/510fd35e03bcbb70921ca878e21170dac913fa07/arch/arm/include/asm/barrier.h
[modify] https://crrev.com/510fd35e03bcbb70921ca878e21170dac913fa07/include/asm-generic/barrier.h
[modify] https://crrev.com/510fd35e03bcbb70921ca878e21170dac913fa07/arch/x86/include/asm/barrier.h
[modify] https://crrev.com/510fd35e03bcbb70921ca878e21170dac913fa07/arch/arm64/include/asm/barrier.h
Feb 8 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ba8e989ba823ddf371a4123597cfc4e62442a71d

commit ba8e989ba823ddf371a4123597cfc4e62442a71d
Author: Greg Kerr <kerrnel@chromium.org>
Date: Thu Feb 08 20:58:08 2018

FROMGIT: x86, bpf, jit: add barrier to prevent bounds check bypass when JIT is enabled

When constant blinding is enabled (bpf_jit_harden = 1), this adds a generic memory barrier (lfence for intel, mfence for AMD) before emitting x86 jitted code for the BPF_ALU(64)_OR_X and BPF_ALU_LHS_X (for BPF_REG_AX register) eBPF instructions. This is needed in order to add barrier to prevent bounds check bypass on out of bounds BPF_MAP array indexes when JIT is enabled. This way arbitrary kernel memory is not exposed through side-channel attacks.

BUG= chromium:809607
TEST=Built amd64-generic and ran trybots.
CQ-DEPEND=CL:903247

----

UPSTREAM: From 7482cb47916ae1ceefa5c270763ee7ada4c94c66 Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Mon, 4 Sep 2017 13:11:45 +0300
Subject: [PATCH 15/27] x86, bpf, jit: add barrier to prevent bounds check bypass when JIT is enabled

For more details, please see this Google Project Zero report: tbd

Change-Id: I15f8a20c140853e78a53d82df25ba7ad1b833705
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-on: https://chromium-review.googlesource.com/903322
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/ba8e989ba823ddf371a4123597cfc4e62442a71d/arch/x86/net/bpf_jit_comp.c
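The barrier placement the three commits above describe (bounds check, then gmb(), then the dependent load), as an added C illustration that is not the kernel's code. It assumes gmb() is a compile-time lfence on x86 and a compiler-only barrier elsewhere (the kernel selects lfence or mfence by processor type at runtime), and array_map, map_lookup_unmitigated, map_lookup_gmb and sample_map are constructed stand-ins for a BPF array map lookup.

```c
#include <stddef.h>
#include <stdint.h>

/*
 * gmb(): stand-in for the arch-independent barrier the gmb() commit adds.
 * Assumption for this illustration: lfence on x86, compiler-only barrier
 * elsewhere (the kernel chooses lfence or mfence per processor type).
 */
#if defined(__x86_64__) || defined(__i386__)
#define gmb() __asm__ __volatile__("lfence" ::: "memory")
#else
#define gmb() __asm__ __volatile__("" ::: "memory")
#endif

/* Constructed stand-in for a BPF array map: element count plus storage. */
struct array_map {
    size_t max_entries;
    uint32_t values[8];
};

/*
 * Lookup without a barrier. The bounds check is architecturally correct,
 * but the CPU may predict the branch as not taken and issue the dependent
 * load with an out-of-range index before the comparison resolves.
 */
static uint32_t map_lookup_unmitigated(const struct array_map *m, size_t idx)
{
    if (idx >= m->max_entries)
        return 0;
    return m->values[idx];
}

/*
 * Lookup with the barrier between the bounds check and the dependent load,
 * the placement the interpreter patch applies before LDX_MEM_* loads: lfence
 * waits for the comparison to resolve, so a rejected index is never loaded.
 */
static uint32_t map_lookup_gmb(const struct array_map *m, size_t idx)
{
    if (idx >= m->max_entries)
        return 0;
    gmb();
    return m->values[idx];
}

/* Constructed sample map with four populated entries out of eight slots. */
static const struct array_map sample_map = {
    .max_entries = 4,
    .values = { 10, 20, 30, 40, 0, 0, 0, 0 },
};
```

Both lookups return the same values architecturally; the difference is only in what the CPU may do transiently, which is why the fix is invisible to functional tests and was caught instead by build breakage on other architectures.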
Feb 9 2018
FWIW, "FROMGIT:" is all but useless if there is no record of the originating git repository. The embedded "UPSTREAM:" tag is misleading. The patches are _not_ upstream, nor in -next. On top of that, descriptions such as "For more details, please see this Google Project Zero report: tbd" are quite completely useless.
Feb 14 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fadbcf53ec10906cc53076ce773ea1a926c7d785

commit fadbcf53ec10906cc53076ce773ea1a926c7d785
Author: Greg Kerr <kerrnel@chromium.org>
Date: Wed Feb 14 05:17:11 2018

Revert "CHROMIUM: locking/barriers: introduce new memory barrier gmb()"

This reverts the following commits:
bae7a53cef9844107ca5f725947e5d9fc32d27dc
ba8e989ba823ddf371a4123597cfc4e62442a71d
217b5f5e8605f0d50d28a0420f0603289f521c28
510fd35e03bcbb70921ca878e21170dac913fa07

Reason for revert: These patches break the test kernel builds on various architectures (crbug.com/810789). The patch titles are:
"FROMGIT: userns: add barrier to prevent bounds check bypass"
"FROMGIT: x86, bpf, jit: add barrier to prevent bounds check bypass when JIT is enabled"
"FROMGIT: bpf: add barrier to prevent bounds check bypass in eBPF interpreter"
"CHROMIUM: locking/barriers: introduce new memory barrier gmb()"

Bug: chromium:809607, chromium:810789
Change-Id: I29511ea856cb2da12aab4fa985a9dff4d2c96e70
Reviewed-on: https://chromium-review.googlesource.com/912154
Commit-Ready: Greg Kerr <kerrnel@chromium.org>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/kernel/bpf/core.c
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/kernel/user_namespace.c
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/arch/arm64/include/asm/barrier.h
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/arch/x86/net/bpf_jit_comp.c
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/arch/arm/include/asm/barrier.h
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/include/asm-generic/barrier.h
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/arch/x86/include/asm/barrier.h
Apr 4 2018
Comment 1 by bugdroid1@chromium.org, Feb 8 2018