
Issue 809607


Issue metadata

Status: WontFix
Owner:
Closed: Apr 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




Land additional kernel patches for Spectre

Project Member Reported by kerrnel@chromium.org, Feb 6 2018

Issue description

This bug tracks work to land additional kernel patches for Spectre to our kernel trees. The patches add lfence, or equivalent for other architectures, at sites where gadgets useful for Spectre may exist.
 
Project Member

Comment 1 by bugdroid1@chromium.org, Feb 8 2018

Labels: merge-merged-chromeos-4.4
The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/bae7a53cef9844107ca5f725947e5d9fc32d27dc

commit bae7a53cef9844107ca5f725947e5d9fc32d27dc
Author: Greg Kerr <kerrnel@chromium.org>
Date: Thu Feb 08 20:58:10 2018

FROMGIT: userns: add barrier to prevent bounds check bypass

This adds a generic memory barrier to m_start() in the user namespace
code. This prevents a speculative out of bounds read of the uid_gid_map
data structure.

BUG=chromium:809607
TEST=Built amd64-generic and ran trybots.
CQ-DEPEND=CL:903322

----
UPSTREAM: From d20b5e467f56140e303dd2614f0432361722b93c Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Mon, 4 Sep 2017 13:11:52 +0300
Subject: [PATCH 22/27] userns: add barrier to prevent bounds check bypass

Change-Id: I84533f1c6c32a7e2ae02626e3f0f1f58b48e7905
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-on: https://chromium-review.googlesource.com/902894
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/bae7a53cef9844107ca5f725947e5d9fc32d27dc/kernel/user_namespace.c

Project Member

Comment 2 by bugdroid1@chromium.org, Feb 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/217b5f5e8605f0d50d28a0420f0603289f521c28

commit 217b5f5e8605f0d50d28a0420f0603289f521c28
Author: Greg Kerr <kerrnel@chromium.org>
Date: Thu Feb 08 20:58:06 2018

FROMGIT: bpf: add barrier to prevent bounds check bypass in eBPF interpreter

This adds a generic memory barrier before LD_IMM_DW and
LDX_MEM_B/H/W/DW eBPF instructions during eBPF program
execution in order to add a barrier to prevent bounds check bypass on out
of bound BPF_MAP array indexes. This way arbitrary kernel
memory is not exposed through side channel attacks.

BUG=chromium:809607
TEST=Built amd64-generic and ran trybots.
CQ-DEPEND=CL:903262

----
UPSTREAM: From dd7f63c9dfeb99d6922b2992e1d0db9a161cdadb Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Mon, 4 Sep 2017 13:11:44 +0300
Subject: [PATCH 14/27] bpf: add barrier to prevent bounds check bypass in eBPF interpreter

For more details, please see this Google Project Zero report: tbd

Change-Id: I4fbb29aed04922a53d487d9ee58468a3490febb9
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-on: https://chromium-review.googlesource.com/903247
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/217b5f5e8605f0d50d28a0420f0603289f521c28/kernel/bpf/core.c

Project Member

Comment 3 by bugdroid1@chromium.org, Feb 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/510fd35e03bcbb70921ca878e21170dac913fa07

commit 510fd35e03bcbb70921ca878e21170dac913fa07
Author: Greg Kerr <kerrnel@chromium.org>
Date: Thu Feb 08 20:58:03 2018

CHROMIUM: locking/barriers: introduce new memory barrier gmb()

In contrast to existing mb() and rmb() barriers,
gmb() barrier is arch-independent and can be used to
implement any type of memory barrier.
In x86 case, it is either lfence or mfence, based on
processor type. ARM and others can define it according
to their needs.

BUG=chromium:809607
TEST=Built amd64-generic and ran trybots.
----
UPSTREAM: From 4c0b03647db71e5e9881eb216eef6f20665dd151 Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Mon, 4 Sep 2017 13:11:43 +0300
Subject: [PATCH 13/27] locking/barriers: introduce new memory barrier gmb()

Change-Id: Ib673f6e8787804aeaa23d0670c98ee90f6ad3566
Suggested-by: Arjan van de Ven <arjan@linux.intel.com>
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-on: https://chromium-review.googlesource.com/903262
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/510fd35e03bcbb70921ca878e21170dac913fa07/arch/arm/include/asm/barrier.h
[modify] https://crrev.com/510fd35e03bcbb70921ca878e21170dac913fa07/include/asm-generic/barrier.h
[modify] https://crrev.com/510fd35e03bcbb70921ca878e21170dac913fa07/arch/x86/include/asm/barrier.h
[modify] https://crrev.com/510fd35e03bcbb70921ca878e21170dac913fa07/arch/arm64/include/asm/barrier.h
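The barrier placement the four patches above describe, as an added C illustration rather than the ChromeOS kernel's own code: gmb() here is a hypothetical stand-in for the macro named in the commit, the lookup table is constructed, and the non-x86 fallback is assumed to be a plain compiler barrier for illustration only.

```c
/* Added illustration of the bounds-check barrier pattern described in the
 * commits above. gmb() is a hypothetical stand-in for the kernel macro,
 * not the ChromeOS kernel's own definition. */
#include <stddef.h>
#include <stdint.h>

/* Arch-dependent barrier: lfence on x86 (the commit message notes mfence
 * is used on some processors). Other architectures are assumed here to use
 * a compiler-only barrier; a real port defines it for its own CPU. */
#if defined(__x86_64__) || defined(__i386__)
#define gmb() __asm__ __volatile__("lfence" ::: "memory")
#else
#define gmb() __asm__ __volatile__("" ::: "memory")
#endif

#define MAP_SIZE 8
/* Constructed sample table standing in for a uid_gid_map or BPF_MAP array. */
static const uint32_t map[MAP_SIZE] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Unhardened lookup: the CPU may issue the load speculatively before the
 * bounds check resolves, even when idx is out of range. */
int64_t lookup_unhardened(size_t idx)
{
    if (idx >= MAP_SIZE)
        return -1;
    return map[idx];
}

/* Hardened lookup, mirroring the patches: the barrier sits between the
 * bounds check and the dependent load, so the load on an untrusted index
 * is not issued until the check has actually retired. */
int64_t lookup_hardened(size_t idx)
{
    if (idx >= MAP_SIZE)
        return -1;
    gmb();
    return map[idx];
}
```

Architecturally both functions return the same values; the difference is only visible in what the CPU does speculatively, which is why the revert below cites build breakage rather than a functional test.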

Project Member

Comment 4 by bugdroid1@chromium.org, Feb 8 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/ba8e989ba823ddf371a4123597cfc4e62442a71d

commit ba8e989ba823ddf371a4123597cfc4e62442a71d
Author: Greg Kerr <kerrnel@chromium.org>
Date: Thu Feb 08 20:58:08 2018

FROMGIT: x86, bpf, jit: add barrier to prevent bounds check bypass when JIT is enabled

When constant blinding is enabled (bpf_jit_harden = 1), this adds
a generic memory barrier (lfence for intel, mfence for AMD) before
emitting x86 jitted code for the BPF_ALU(64)_OR_X and BPF_ALU_LHS_X
(for BPF_REG_AX register) eBPF instructions. This is needed in order
to add a barrier to prevent bounds check bypass on out of bounds BPF_MAP array
indexes when JIT is enabled. This way arbitrary kernel memory is
not exposed through side-channel attacks.

BUG=chromium:809607
TEST=Built amd64-generic and ran trybots.
CQ-DEPEND=CL:903247

----
UPSTREAM: From 7482cb47916ae1ceefa5c270763ee7ada4c94c66 Mon Sep 17 00:00:00 2001
From: Elena Reshetova <elena.reshetova@intel.com>
Date: Mon, 4 Sep 2017 13:11:45 +0300
Subject: [PATCH 15/27] x86, bpf, jit: add barrier to prevent bounds check bypass when JIT is enabled

For more details, please see this Google Project Zero report: tbd

Change-Id: I15f8a20c140853e78a53d82df25ba7ad1b833705
Signed-off-by: Elena Reshetova <elena.reshetova@intel.com>
Signed-off-by: Tim Chen <tim.c.chen@linux.intel.com>
Reviewed-on: https://chromium-review.googlesource.com/903322
Commit-Ready: ChromeOS CL Exonerator Bot <chromiumos-cl-exonerator@appspot.gserviceaccount.com>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Jorge Lucangeli Obes <jorgelo@chromium.org>

[modify] https://crrev.com/ba8e989ba823ddf371a4123597cfc4e62442a71d/arch/x86/net/bpf_jit_comp.c

FWIW, "FROMGIT:" is all but useless if there is no record of the originating git repository. The embedded "UPSTREAM:" tag is misleading. The patches are _not_ upstream, nor in -next.
On top of that, descriptions such as "For more details, please see this Google Project Zero report: tbd" are quite completely useless.

Project Member

Comment 6 by bugdroid1@chromium.org, Feb 14 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/third_party/kernel/+/fadbcf53ec10906cc53076ce773ea1a926c7d785

commit fadbcf53ec10906cc53076ce773ea1a926c7d785
Author: Greg Kerr <kerrnel@chromium.org>
Date: Wed Feb 14 05:17:11 2018

Revert "CHROMIUM: locking/barriers: introduce new memory barrier gmb()"

This reverts the following commits:
bae7a53cef9844107ca5f725947e5d9fc32d27dc
ba8e989ba823ddf371a4123597cfc4e62442a71d
217b5f5e8605f0d50d28a0420f0603289f521c28
510fd35e03bcbb70921ca878e21170dac913fa07

Reason for revert: These patches break the test kernel builds on
various architectures (crbug.com/810789).

The patches titles are:
"FROMGIT: userns: add barrier to prevent bounds check bypass"
"FROMGIT: x86, bpf, jit: add barrier to prevent bounds check bypass when JIT is enabled"
"FROMGIT: bpf: add barrier to prevent bounds check bypass in eBPF interpreter"
"CHROMIUM: locking/barriers: introduce new memory barrier gmb()"

Bug: chromium:809607, chromium:810789
Change-Id: I29511ea856cb2da12aab4fa985a9dff4d2c96e70
Reviewed-on: https://chromium-review.googlesource.com/912154
Commit-Ready: Greg Kerr <kerrnel@chromium.org>
Tested-by: Greg Kerr <kerrnel@chromium.org>
Reviewed-by: Guenter Roeck <groeck@chromium.org>

[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/kernel/bpf/core.c
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/kernel/user_namespace.c
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/arch/arm64/include/asm/barrier.h
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/arch/x86/net/bpf_jit_comp.c
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/arch/arm/include/asm/barrier.h
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/include/asm-generic/barrier.h
[modify] https://crrev.com/fadbcf53ec10906cc53076ce773ea1a926c7d785/arch/x86/include/asm/barrier.h

Status: WontFix (was: Started)
