Skip to content

Commit 2819888

Browse files
aspskaspsk
committed
bpf: support instructions arrays with constants blinding
When bpf_jit_harden is enabled, all constants in the BPF code are blinded to prevent JIT spraying attacks. This happens during JIT phase. Adjust all the related instruction arrays accordingly. Signed-off-by: Anton Protopopov <[email protected]>
1 parent 8552a7f commit 2819888

File tree

2 files changed

+29
-1
lines changed

2 files changed

+29
-1
lines changed

kernel/bpf/core.c

Lines changed: 19 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1468,6 +1468,21 @@ void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other)
14681468
bpf_prog_clone_free(fp_other);
14691469
}
14701470

1471+
static void adjust_insn_arrays(struct bpf_prog *prog, u32 off, u32 len)
1472+
{
1473+
struct bpf_map *map;
1474+
int i;
1475+
1476+
if (len <= 1)
1477+
return;
1478+
1479+
for (i = 0; i < prog->aux->used_map_cnt; i++) {
1480+
map = prog->aux->used_maps[i];
1481+
if (map->map_type == BPF_MAP_TYPE_INSN_ARRAY)
1482+
bpf_insn_array_adjust(map, off, len);
1483+
}
1484+
}
1485+
14711486
struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
14721487
{
14731488
struct bpf_insn insn_buff[16], aux[2];
@@ -1523,13 +1538,17 @@ struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
15231538
clone = tmp;
15241539
insn_delta = rewritten - 1;
15251540

1541+
/* Instructions arrays must be updated using absolute xlated offsets */
1542+
adjust_insn_arrays(clone, prog->aux->subprog_start + i, rewritten);
1543+
15261544
/* Walk new program and skip insns we just inserted. */
15271545
insn = clone->insnsi + i + insn_delta;
15281546
insn_cnt += insn_delta;
15291547
i += insn_delta;
15301548
}
15311549

15321550
clone->blinded = 1;
1551+
clone->len = insn_cnt;
15331552
return clone;
15341553
}
15351554
#endif /* CONFIG_BPF_JIT */

kernel/bpf/verifier.c

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21460,6 +21460,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2146021460
struct bpf_insn *insn;
2146121461
void *old_bpf_func;
2146221462
int err, num_exentries;
21463+
int instructions_added = 0;
2146321464

2146421465
if (env->subprog_cnt <= 1)
2146521466
return 0;
@@ -21534,7 +21535,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2153421535
func[i]->aux->func_idx = i;
2153521536
/* Below members will be freed only at prog->aux */
2153621537
func[i]->aux->btf = prog->aux->btf;
21537-
func[i]->aux->subprog_start = subprog_start;
21538+
func[i]->aux->subprog_start = subprog_start + instructions_added;
2153821539
func[i]->aux->func_info = prog->aux->func_info;
2153921540
func[i]->aux->func_info_cnt = prog->aux->func_info_cnt;
2154021541
func[i]->aux->poke_tab = prog->aux->poke_tab;
@@ -21586,7 +21587,15 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2158621587
func[i]->aux->might_sleep = env->subprog_info[i].might_sleep;
2158721588
if (!i)
2158821589
func[i]->aux->exception_boundary = env->seen_exception;
21590+
21591+
/*
21592+
* To properly pass the absolute subprog start to jit
21593+
* all instruction adjustments should be accumulated
21594+
*/
21595+
instructions_added -= func[i]->len;
2158921596
func[i] = bpf_int_jit_compile(func[i]);
21597+
instructions_added += func[i]->len;
21598+
2159021599
if (!func[i]->jited) {
2159121600
err = -ENOTSUPP;
2159221601
goto out_free;

0 commit comments

Comments
 (0)