On 6/17/26 12:57 AM, Nuoqi Gui wrote:
check_stack_write_fixed_off() computes the byte slot for a fixed-offset
stack write as -off - 1, and records each written byte in slot_type[] with
(slot - i) % BPF_REG_SIZE.

The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
bytes 7..4. That can leave the second half-slot write without nospec_result
even though the bytes being overwritten still require sanitization.

Use the same slot index in the sanitization pre-check that the write path uses
when updating slot_type[].

Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")
Signed-off-by: Nuoqi Gui <[email protected]>


I think the Fixes tag should be 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation") ?

Otherwise, looks good to me.

Reviewed-by: Jiayuan Chen <[email protected]>
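The index mismatch the patch describes, as an added stand-alone model (not kernel code, not part of this thread): the slot_type[] scan uses plain `i` in the buggy pre-check and `(slot - i) % BPF_REG_SIZE` in the fixed one, and a constructed fp-8 slot whose bytes 0..3 are STACK_ZERO while bytes 4..7 hold a spill shows the two disagreeing for a 4-byte write at fp-8. The enum names and BPF_REG_SIZE mirror the verifier's; the `reg`-based initial value of `sanitize` in the real pre-check is left out.

```c
#include <stdbool.h>

/* Stand-alone model of the verifier's per-slot byte tracking (not kernel code). */
#define BPF_REG_SIZE 8

enum bpf_stack_slot_type {
	STACK_INVALID,
	STACK_SPILL,
	STACK_MISC,
	STACK_ZERO,
};

/* Byte slot of a fixed-offset stack write, as computed by check_stack_write_fixed_off(). */
static int slot_for_off(int off)
{
	return -off - 1;
}

/* Index the write path uses in slot_type[] for byte i of the write. */
static int write_index(int slot, int i)
{
	return (slot - i) % BPF_REG_SIZE;
}

/* Buggy pre-check: scans slot_type[i], i.e. bytes 0..size-1 regardless of slot. */
static bool needs_sanitize_buggy(const unsigned char *slot_type, int size)
{
	for (int i = 0; i < size; i++) {
		unsigned char t = slot_type[i];
		if (t != STACK_MISC && t != STACK_ZERO)
			return true;
	}
	return false;
}

/* Fixed pre-check: scans the same bytes the write will actually overwrite. */
static bool needs_sanitize_fixed(const unsigned char *slot_type, int slot, int size)
{
	for (int i = 0; i < size; i++) {
		unsigned char t = slot_type[write_index(slot, i)];
		if (t != STACK_MISC && t != STACK_ZERO)
			return true;
	}
	return false;
}

/* Constructed fp-8 slot: bytes 0..3 zeroed, bytes 4..7 still hold a spilled pointer. */
static const unsigned char fp8_slot[BPF_REG_SIZE] = {
	STACK_ZERO, STACK_ZERO, STACK_ZERO, STACK_ZERO,
	STACK_SPILL, STACK_SPILL, STACK_SPILL, STACK_SPILL,
};
```

For a 4-byte write at fp-8 (slot 7, bytes 7..4), the buggy scan reports no sanitization needed while the fixed scan does.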