[PATCH bpf 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks

Next message: Jernej &#x160;krabec: " Re: [PATCH v3] dmaengine: sun6i-dma: Fix use-after-free in error handling paths"
Previous message: Nuoqi Gui: "[PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks"
Next in thread: Nuoqi Gui: "[PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Nuoqi Gui

Date: Tue Jun 16 2026 - 13:05:18 EST

check_stack_write_fixed_off() uses one byte-indexing scheme when checking
whether a fixed-offset stack write needs Spectre v4 sanitization, and another
scheme when recording the write into slot_type[].

For sub-8-byte writes this can make the sanitization check look at bytes that
are not overwritten by the write. A zeroed lower half-slot followed by a write
to the upper half-slot can therefore miss the nospec barrier for the second
write.

Use the same stack-byte index for the sanitization check and the slot update,
and add a focused verifier selftest that expects both half-slot writes to emit
nospec when the loader has CAP_BPF but not CAP_PERFMON.

Bounded impact: this fixes verifier/JIT Spectre v4 mitigation emission for a
fixed-offset stack-write corner case. No architectural verifier memory-safety
bypass, exploit chain, CVE, embargo, or security escalation is claimed.

Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")

Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
---
Nuoqi Gui (2):
bpf: Fix stack slot index in nospec checks
selftests/bpf: Cover stack nospec slot indexing

kernel/bpf/verifier.c | 3 ++-
.../testing/selftests/bpf/progs/verifier_unpriv.c | 23 ++++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
---
base-commit: e4287bf34f97a88c7d9322f5bde828724c073a6b
change-id: 20260615-f01-11-stack-nospec-slot-index-e155b2acd587

Best regards,
--
Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>