Commit 019b355b authored Aug 01, 2024 by Christophe Leroy Committed by Tengda Wu Aug 01, 2024

bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()

stable inclusion
from stable-v6.6.37
commit fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOM
CVE: CVE-2024-42068

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=fdd411af8178edc6b7bf260f8fa4fba1bedd0a6d

--------------------------------

[ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ]

set_memory_ro() can fail, leaving memory unprotected.

Check its return and take it into account as an error.

Link: https://github.com/KSPP/linux/issues/7


Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: linux-hardening@vger.kernel.org <linux-hardening@vger.kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Fixes: 85782e03 ("bpf: undo prog rejection on read-only lock failure")
Signed-off-by: Tengda Wu <wutengda2@huawei.com>

parent 4ad15c7f

include/linux/filter.h

+3 −2

Original line number	Diff line number	Diff line
		@@ -842,14 +842,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default)

		#define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0]))

		static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
		static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp)
		{
		#ifndef CONFIG_BPF_JIT_ALWAYS_ON
		if (!fp->jited) {
		set_vm_flush_reset_perms(fp);
		set_memory_ro((unsigned long)fp, fp->pages);
		return set_memory_ro((unsigned long)fp, fp->pages);
		}
		#endif
		return 0;
		}

		static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)

kernel/bpf/core.c

+3 −1

Original line number	Diff line number	Diff line
		@@ -2375,7 +2375,9 @@ struct bpf_prog bpf_prog_select_runtime(struct bpf_prog fp, int *err)
		}

		finalize:
		bpf_prog_lock_ro(fp);
		*err = bpf_prog_lock_ro(fp);
		if (*err)
		return fp;

		/* The tail call compatibility check can only be done at
		* this late stage as we need to determine, if we deal

kernel/bpf/verifier.c

+6 −2

Original line number	Diff line number	Diff line
		@@ -18627,10 +18627,14 @@ static int jit_subprogs(struct bpf_verifier_env *env)
		* bpf_prog_load will add the kallsyms for the main program.
		*/
		for (i = 1; i < env->subprog_cnt; i++) {
		bpf_prog_lock_ro(func[i]);
		bpf_prog_kallsyms_add(func[i]);
		err = bpf_prog_lock_ro(func[i]);
		if (err)
		goto out_free;
		}

		for (i = 1; i < env->subprog_cnt; i++)
		bpf_prog_kallsyms_add(func[i]);

		/* Last step: make now unused interpreter insns from main
		* prog consistent for later dump requests, so they can
		* later look the same as if they were interpreted only.