Commit 082ba1be authored by James Morse's avatar James Morse Committed by Zheng Zengkai
Browse files

arm64: proton-pack: Include unprivileged eBPF status in Spectre v2 mitigation reporting 

stable inclusion
from stable-v5.10.105
commit b65b87e718c33caa46d5246d8fbeda895aa9cf5b
category: bugfix
bugzilla: 186460 https://gitee.com/src-openeuler/kernel/issues/I53MHA
CVE: CVE-2022-23960

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=b65b87e718c3



--------------------------------

commit 58c9a506 upstream.

The mitigations for Spectre-BHB are only applied when an exception is
taken from user-space. The mitigation status is reported via the spectre_v2
sysfs vulnerabilities file.

When unprivileged eBPF is enabled the mitigation in the exception vectors
can be avoided by an eBPF program.

When unprivileged eBPF is enabled, print a warning and report vulnerable
via the sysfs vulnerabilities file.

Acked-by: default avatarCatalin Marinas <catalin.marinas@arm.com>
Signed-off-by: default avatarJames Morse <james.morse@arm.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: default avatarChen Jiahao <chenjiahao16@huawei.com>
Reviewed-by: default avatarLiao Chang <liaochang1@huawei.com>
Signed-off-by: default avatarZheng Zengkai <zhengzengkai@huawei.com>
parent 310712f9

arch/arm64/kernel/proton-pack.c

+26 −0
Original line number Diff line number Diff line
@@ -18,6 +18,7 @@ 
 */



#include <linux/arm-smccc.h>

#include <linux/bpf.h>

#include <linux/cpu.h>

#include <linux/device.h>

#include <linux/nospec.h>
@@ -110,6 +111,15 @@ static const char *get_bhb_affected_string(enum mitigation_state bhb_state) 
	}

}



static bool _unprivileged_ebpf_enabled(void)

{

#ifdef CONFIG_BPF_SYSCALL

	return !sysctl_unprivileged_bpf_disabled;

#else

	return false;

#endif

}



ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr,

			    char *buf)

{
@@ -129,6 +139,9 @@ ssize_t cpu_show_spectre_v2(struct device *dev, struct device_attribute *attr, 
		v2_str = "CSV2";

		fallthrough;

	case SPECTRE_MITIGATED:

		if (bhb_state == SPECTRE_MITIGATED && _unprivileged_ebpf_enabled())

			return sprintf(buf, "Vulnerable: Unprivileged eBPF enabled\n");



		return sprintf(buf, "Mitigation: %s%s\n", v2_str, bhb_str);

	case SPECTRE_VULNERABLE:

		fallthrough;
@@ -1105,3 +1118,16 @@ void noinstr spectre_bhb_patch_loop_iter(struct alt_instr *alt, 
					 AARCH64_INSN_MOVEWIDE_ZERO);

	*updptr++ = cpu_to_le32(insn);

}



#ifdef CONFIG_BPF_SYSCALL

#define EBPF_WARN "Unprivileged eBPF is enabled, data leaks possible via Spectre v2 BHB attacks!\n"

void unpriv_ebpf_notify(int new_state)

{

	if (spectre_v2_state == SPECTRE_VULNERABLE ||

	    spectre_bhb_state != SPECTRE_MITIGATED)

		return;



	if (!new_state)

		pr_err("WARNING: %s", EBPF_WARN);

}

#endif