On Thu, 1 May 2025 at 04:17, Luis Gerhorst <luis.gerho...@fau.de> wrote:
>
> Insert a nospec before the access to prevent it from ever using an index
> that is subject to speculative scalar-confusion.
>
> The access itself can either happen directly in the BPF program (reads
> only, check_stack_read_var_off()) or in a helper (read/write,
> check_helper_mem_access()).
>
> This relies on the fact that the speculative scalar confusion that leads
> to the variable-stack access going OOBs must stem from a prior
> speculative store or branch bypass. Adding a nospec before the
> variable-stack access will force all previously bypassed stores/branches
> to complete and cause the stack access to only ever go to the stack slot
> that is accessed architecturally.
>
> Alternatively, the variable-offset stack access might be a write that
> can itself be subject to speculative store bypass (this can happen in
> theory even if this code adds a nospec /before/ the variable-offset
> write). Only indirect writes by helpers might be affected here (e.g.,
> those taking ARG_PTR_TO_MAP_VALUE). (Because check_stack_write_var_off()
> does not use check_stack_range_initialized(), in-program variable-offset
> writes are not affected.) If the in-helper write can be subject to
> Spectre v4 and the helper writes/overwrites pointers on the BPF stack,
> they are already a problem for fixed-offset stack accesses and should be
> subject to Spectre v4 sanitization.
>
> Signed-off-by: Luis Gerhorst <luis.gerho...@fau.de>
> Acked-by: Henriette Herzog <henriette.her...@rub.de>
> Cc: Maximilian Ott <o...@cs.fau.de>
> Cc: Milan Stephan <milan.step...@fau.de>
> ---
Please also address sanitize_check_bounds; it's probably prevented by
retrieve_ptr_limit rejecting other types, but it'd be better to add a
default statement for clarity.

Acked-by: Kumar Kartikeya Dwivedi <mem...@gmail.com>
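For readers who want to see the two access paths the commit message names, below is a constructed kprobe program in the BPF assembly syntax used by the kernel selftests. It is an added illustration, not code from the patch, the thread, or the kernel tree. It assumes the program is verified with Spectre v1 mitigations in effect (the verifier skips them when bypass_spec_v1 is set), and it takes the unknown scalar from bpf_get_prandom_u32 (helper 7) only so the verifier sees an unbounded value; in a real gadget the index would come from attacker-reachable input such as a map value. Helper 113 is bpf_probe_read_kernel, whose dst argument is checked through check_helper_mem_access().

```bpf
/* Constructed example (not from the patch): both variable-offset stack
 * access paths named in the commit message, in selftest BPF asm syntax.
 * Helper IDs assumed: 7 = bpf_get_prandom_u32, 113 = bpf_probe_read_kernel. */

/* 1. An unknown scalar. prandom stands in for attacker-influenced input. */
call 7;
r2 = r0;

/* 2. Architectural bounds check. Under Spectre v1 this branch can be
 *    speculatively bypassed, leaving r2 >= 8 on the misspeculated path:
 *    this is the "speculative scalar confusion" the patch guards against. */
if r2 > 7 goto out;
r2 <<= 3;                   /* architecturally 0..56 in steps of 8 */

/* 3. A 64-byte, fully initialized stack region fp-64 .. fp-1. */
r3 = 0;
*(u64 *)(r10 - 64) = r3;
*(u64 *)(r10 - 56) = r3;
*(u64 *)(r10 - 48) = r3;
*(u64 *)(r10 - 40) = r3;
*(u64 *)(r10 - 32) = r3;
*(u64 *)(r10 - 24) = r3;
*(u64 *)(r10 - 16) = r3;
*(u64 *)(r10 - 8) = r3;

/* 4. Variable-offset stack pointer fp-64 + r2. Architecturally it stays
 *    inside the region; on the bypassed path (r2 >= 64 after the shift)
 *    it points at or above fp, i.e. outside the program's frame. */
r6 = r10;
r6 += -64;
r6 += r2;

/* 5a. Direct read, verified by check_stack_read_var_off(). The patch has
 *     the verifier emit a nospec before this load, so every bypassed
 *     branch above has resolved and r6 only holds its architectural value. */
r7 = *(u64 *)(r6 + 0);

/* 5b. Helper path: the access happens inside bpf_probe_read_kernel, with
 *     the var-offset stack pointer as dst checked by check_helper_mem_access().
 *     The nospec goes before the call. */
r1 = r6;                    /* dst: variable-offset stack buffer */
r2 = 8;                     /* size */
r3 = 0;                     /* unsafe_ptr; NULL just makes the helper return -EFAULT */
call 113;

out:
r0 = 0;
exit;
```

The direct write case is deliberately absent: as the commit message notes, in-program variable-offset writes go through check_stack_write_var_off() and are not affected by this change.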