Skip to content

Commit 85cad9e

Browse files
aspskKernel Patches Daemon
aspsk
authored and
Kernel Patches Daemon
committed
bpf: support instructions arrays with constants blinding
When bpf_jit_harden is enabled, all constants in the BPF code are blinded to prevent JIT spraying attacks. This happens during JIT phase. Adjust all the related instruction arrays accordingly. Signed-off-by: Anton Protopopov <[email protected]> Reviewed-by: Eduard Zingerman <[email protected]>
1 parent 1ac897f commit 85cad9e

File tree

2 files changed

+30
-1
lines changed

2 files changed

+30
-1
lines changed

kernel/bpf/core.c

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1450,6 +1450,23 @@ void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other)
14501450
bpf_prog_clone_free(fp_other);
14511451
}
14521452

1453+
static void adjust_insn_arrays(struct bpf_prog *prog, u32 off, u32 len)
1454+
{
1455+
#ifdef CONFIG_BPF_SYSCALL
1456+
struct bpf_map *map;
1457+
int i;
1458+
1459+
if (len <= 1)
1460+
return;
1461+
1462+
for (i = 0; i < prog->aux->used_map_cnt; i++) {
1463+
map = prog->aux->used_maps[i];
1464+
if (map->map_type == BPF_MAP_TYPE_INSN_ARRAY)
1465+
bpf_insn_array_adjust(map, off, len);
1466+
}
1467+
#endif
1468+
}
1469+
14531470
struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
14541471
{
14551472
struct bpf_insn insn_buff[16], aux[2];
@@ -1505,6 +1522,9 @@ struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
15051522
clone = tmp;
15061523
insn_delta = rewritten - 1;
15071524

1525+
/* Instructions arrays must be updated using absolute xlated offsets */
1526+
adjust_insn_arrays(clone, prog->aux->subprog_start + i, rewritten);
1527+
15081528
/* Walk new program and skip insns we just inserted. */
15091529
insn = clone->insnsi + i + insn_delta;
15101530
insn_cnt += insn_delta;

kernel/bpf/verifier.c

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21601,6 +21601,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2160121601
struct bpf_insn *insn;
2160221602
void *old_bpf_func;
2160321603
int err, num_exentries;
21604+
int old_len, subprog_start_adjustment = 0;
2160421605

2160521606
if (env->subprog_cnt <= 1)
2160621607
return 0;
@@ -21675,7 +21676,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2167521676
func[i]->aux->func_idx = i;
2167621677
/* Below members will be freed only at prog->aux */
2167721678
func[i]->aux->btf = prog->aux->btf;
21678-
func[i]->aux->subprog_start = subprog_start;
21679+
func[i]->aux->subprog_start = subprog_start + subprog_start_adjustment;
2167921680
func[i]->aux->func_info = prog->aux->func_info;
2168021681
func[i]->aux->func_info_cnt = prog->aux->func_info_cnt;
2168121682
func[i]->aux->poke_tab = prog->aux->poke_tab;
@@ -21729,7 +21730,15 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2172921730
func[i]->aux->might_sleep = env->subprog_info[i].might_sleep;
2173021731
if (!i)
2173121732
func[i]->aux->exception_boundary = env->seen_exception;
21733+
21734+
/*
21735+
* To properly pass the absolute subprog start to jit
21736+
* all instruction adjustments should be accumulated
21737+
*/
21738+
old_len = func[i]->len;
2173221739
func[i] = bpf_int_jit_compile(func[i]);
21740+
subprog_start_adjustment += func[i]->len - old_len;
21741+
2173321742
if (!func[i]->jited) {
2173421743
err = -ENOTSUPP;
2173521744
goto out_free;

0 commit comments

Comments
 (0)