check_stack_write_fixed_off() uses one byte-indexing scheme when checking
whether a fixed-offset stack write needs Spectre v4 sanitization, and another
scheme when recording the write into slot_type[].
For sub-8-byte writes this can make the sanitization check look at bytes that
are not overwritten by the write. A zeroed lower half-slot followed by a write
to the upper half-slot can therefore miss the nospec barrier for the second
write.
Use the same stack-byte index for the sanitization check and the slot update,
and add a focused verifier selftest that expects both half-slot writes to emit
nospec when the loader has CAP_BPF but not CAP_PERFMON.
Bounded impact: this fixes verifier/JIT Spectre v4 mitigation emission for a
fixed-offset stack-write corner case. No architectural verifier memory-safety
bypass, exploit chain, CVE, embargo, or security escalation is claimed.
Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative
store bypass mitigation")
Signed-off-by: Nuoqi Gui <[email protected]>
---
Nuoqi Gui (2):
bpf: Fix stack slot index in nospec checks
selftests/bpf: Cover stack nospec slot indexing
kernel/bpf/verifier.c | 3 ++-
.../testing/selftests/bpf/progs/verifier_unpriv.c | 23 ++++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
---
base-commit: e4287bf34f97a88c7d9322f5bde828724c073a6b
change-id: 20260615-f01-11-stack-nospec-slot-index-e155b2acd587
Best regards,
--
Nuoqi Gui <[email protected]>
