Skip to content

Commit 30ec0ec

Browse files
aspskAlexei Starovoitov
aspsk
authored and
Alexei Starovoitov
committed
bpf: support instructions arrays with constants blinding
When bpf_jit_harden is enabled, all constants in the BPF code are blinded to prevent JIT spraying attacks. This happens during JIT phase. Adjust all the related instruction arrays accordingly. Signed-off-by: Anton Protopopov <[email protected]> Reviewed-by: Eduard Zingerman <[email protected]> Link: https://lore.kernel.org/r/[email protected] Signed-off-by: Alexei Starovoitov <[email protected]>
1 parent 218edd6 commit 30ec0ec

File tree

2 files changed

+30
-1
lines changed

2 files changed

+30
-1
lines changed

kernel/bpf/core.c

Lines changed: 20 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1450,6 +1450,23 @@ void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other)
14501450
bpf_prog_clone_free(fp_other);
14511451
}
14521452

1453+
static void adjust_insn_arrays(struct bpf_prog *prog, u32 off, u32 len)
1454+
{
1455+
#ifdef CONFIG_BPF_SYSCALL
1456+
struct bpf_map *map;
1457+
int i;
1458+
1459+
if (len <= 1)
1460+
return;
1461+
1462+
for (i = 0; i < prog->aux->used_map_cnt; i++) {
1463+
map = prog->aux->used_maps[i];
1464+
if (map->map_type == BPF_MAP_TYPE_INSN_ARRAY)
1465+
bpf_insn_array_adjust(map, off, len);
1466+
}
1467+
#endif
1468+
}
1469+
14531470
struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
14541471
{
14551472
struct bpf_insn insn_buff[16], aux[2];
@@ -1505,6 +1522,9 @@ struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
15051522
clone = tmp;
15061523
insn_delta = rewritten - 1;
15071524

1525+
/* Instructions arrays must be updated using absolute xlated offsets */
1526+
adjust_insn_arrays(clone, prog->aux->subprog_start + i, rewritten);
1527+
15081528
/* Walk new program and skip insns we just inserted. */
15091529
insn = clone->insnsi + i + insn_delta;
15101530
insn_cnt += insn_delta;

kernel/bpf/verifier.c

Lines changed: 10 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -21632,6 +21632,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2163221632
struct bpf_insn *insn;
2163321633
void *old_bpf_func;
2163421634
int err, num_exentries;
21635+
int old_len, subprog_start_adjustment = 0;
2163521636

2163621637
if (env->subprog_cnt <= 1)
2163721638
return 0;
@@ -21706,7 +21707,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2170621707
func[i]->aux->func_idx = i;
2170721708
/* Below members will be freed only at prog->aux */
2170821709
func[i]->aux->btf = prog->aux->btf;
21709-
func[i]->aux->subprog_start = subprog_start;
21710+
func[i]->aux->subprog_start = subprog_start + subprog_start_adjustment;
2171021711
func[i]->aux->func_info = prog->aux->func_info;
2171121712
func[i]->aux->func_info_cnt = prog->aux->func_info_cnt;
2171221713
func[i]->aux->poke_tab = prog->aux->poke_tab;
@@ -21762,7 +21763,15 @@ static int jit_subprogs(struct bpf_verifier_env *env)
2176221763
func[i]->aux->might_sleep = env->subprog_info[i].might_sleep;
2176321764
if (!i)
2176421765
func[i]->aux->exception_boundary = env->seen_exception;
21766+
21767+
/*
21768+
* To properly pass the absolute subprog start to jit
21769+
* all instruction adjustments should be accumulated
21770+
*/
21771+
old_len = func[i]->len;
2176521772
func[i] = bpf_int_jit_compile(func[i]);
21773+
subprog_start_adjustment += func[i]->len - old_len;
21774+
2176621775
if (!func[i]->jited) {
2176721776
err = -ENOTSUPP;
2176821777
goto out_free;

0 commit comments

Comments
 (0)