From: Elena Reshetova Date: Thu, 4 Jan 2018 08:05:42 +0000 (-0800) Subject: bpf: prevent speculative execution in eBPF interpreter X-Git-Tag: v4.1.12-124.31.3~1382 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=7b348358b7b8dc968e309300a2218f8a39432454;p=users%2Fjedix%2Flinux-maple.git bpf: prevent speculative execution in eBPF interpreter This adds an observable speculation barrier before LD_IMM_DW and LDX_MEM_B/H/W/DW eBPF instructions during eBPF program execution in order to prevent speculative execution on out of bound BFP_MAP array indexes. This way an arbitary kernel memory is not exposed through side channel attacks. Signed-off-by: Elena Reshetova Orabug: 27340445 CVE: CVE-2017-5753 Signed-off-by: Chuck Anderson Conflicts: kernel/bpf/core.c code base differences Reviewed-by: John Haxby Signed-off-by: Kirtikar Kashyap
---
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 54f0e7fcd0e2..058a76b3c7af 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -28,6 +28,7 @@
 #include
 #include
 #include
+#include
 /* Registers */
 #define BPF_R0 regs[BPF_REG_0]
@@ -345,6 +346,7 @@ select_insn:
 DST = IMM;
 CONT;
 LD_IMM_DW:
+ osb();
 DST = (u64) (u32) insn[0].imm | ((u64) (u32) insn[1].imm) << 32;
 insn++;
 CONT;
@@ -531,6 +533,7 @@ select_insn:
 *(SIZE *)(unsigned long) (DST + insn->off) = IMM; \
 CONT; \
 LDX_MEM_##SIZEOP: \
+ osb(); \
 DST = *(SIZE *)(unsigned long) (SRC + insn->off); \
 CONT;
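Review bot: The `osb();` added under `LD_IMM_DW:` carries no comment, and the code does not show why a barrier is needed there. The two statements that follow only assemble a 64-bit constant from `insn[0].imm` and `insn[1].imm` and dereference no computed address. If the intent is to fence before a map address loaded this way can be used past a mispredicted bounds check, state that in place, for example `/* CVE-2017-5753: speculation barrier before a map address is materialised */`. The dispatch body under `select_insn:` starts and ends outside this hunk, so whether an earlier check already orders this path cannot be judged from here.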
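Review bot: The `osb(); \` under `LDX_MEM_##SIZEOP:` depends on a definition that this diff does not show, and kernel/bpf/core.c is built on every architecture. Please confirm that the header added in the first hunk (its name is lost in this rendering) supplies a fallback `osb()` on architectures that have no speculation barrier. The barrier also runs on every interpreted load of every size, including loads unrelated to map accesses, and it only covers the interpreter; whether JIT-compiled programs get an equivalent mitigation is not visible here. Clamping the index at the array-map lookup would be a narrower alternative worth weighing against fencing every load. The enclosing macro begins before this hunk, so the store labels above `LDX_MEM_##SIZEOP:` are only partly visible.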