Unverified Commit 8c61d985 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
parents b389f0e0 449ae160
+6 −0
@@ -2156,3 +2156,9 @@ struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog)
					   tmp : orig_prog);
	return prog;
}

/* x86-64 JIT emits its own code to filter user addresses so return 0 here */
u64 bpf_arch_uaddress_limit(void)
{
	return 0;
}
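Review bot: Returning 0 from `bpf_arch_uaddress_limit()` switches off the verifier's user-address guard for every `BPF_PROBE_MEM` load on x86-64, so the protection rests entirely on the JIT-side filter the comment mentions, and that code is not part of this change. If this is a backport onto an older tree, it is worth confirming that the x86-64 JIT there already emits that filter before the override is relied on. I would spell the dependency out in the comment, e.g. `/* The x86-64 JIT rejects user addresses itself when emitting BPF_PROBE_MEM loads, so returning 0 disables the verifier-side check. */`.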
+1 −0
@@ -918,6 +918,7 @@ u64 __bpf_call_base(u64 r1, u64 r2, u64 r3, u64 r4, u64 r5);
struct bpf_prog *bpf_int_jit_compile(struct bpf_prog *prog);
void bpf_jit_compile(struct bpf_prog *prog);
bool bpf_jit_needs_zext(void);
u64 bpf_arch_uaddress_limit(void);
bool bpf_helper_changes_pkt_data(void *func);

static inline bool bpf_dump_raw_ok(const struct cred *cred)
+9 −0
@@ -2325,6 +2325,15 @@ bool __weak bpf_helper_changes_pkt_data(void *func)
	return false;
}

u64 __weak bpf_arch_uaddress_limit(void)
{
#if defined(CONFIG_64BIT) && defined(CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE)
	return TASK_SIZE;
#else
	return 0;
#endif
}

/* Return TRUE if the JIT backend wants verifier to enable sub-register usage
 * analysis code and wants explicit zero extension inserted by verifier.
 * Otherwise, return FALSE.
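Review bot: `TASK_SIZE` in the weak `bpf_arch_uaddress_limit()` is read once, when the verifier rewrites the program, in the context of whichever task loads it, yet the check built from it applies to every task the program later runs against. On an architecture where `TASK_SIZE` depends on the current task (a compat thread flag, for instance), the stored limit could be lower than the user range of other tasks. I have not checked which architectures in this tree select `CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE`, so this needs confirming. The function also has no comment; I would add one such as `/* Highest user address of any task; 0 means the verifier inserts no check. */`.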
+29 −0
@@ -11709,6 +11709,35 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env)
			continue;
		}

		/* Make it impossible to de-reference a userspace address */
		if (BPF_CLASS(insn->code) == BPF_LDX &&
		    BPF_MODE(insn->code) == BPF_PROBE_MEM) {
			struct bpf_insn *patch = &insn_buf[0];
			u64 uaddress_limit = bpf_arch_uaddress_limit();

			if (!uaddress_limit)
				continue;

			*patch++ = BPF_MOV64_REG(BPF_REG_AX, insn->src_reg);
			if (insn->off)
				*patch++ = BPF_ALU64_IMM(BPF_ADD, BPF_REG_AX, insn->off);
			*patch++ = BPF_ALU64_IMM(BPF_RSH, BPF_REG_AX, 32);
			*patch++ = BPF_JMP_IMM(BPF_JLE, BPF_REG_AX, uaddress_limit >> 32, 2);
			*patch++ = *insn;
			*patch++ = BPF_JMP_IMM(BPF_JA, 0, 0, 1);
			*patch++ = BPF_MOV64_IMM(insn->dst_reg, 0);

			cnt = patch - insn_buf;
			new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
			if (!new_prog)
				return -ENOMEM;

			delta    += cnt - 1;
			env->prog = prog = new_prog;
			insn      = new_prog->insnsi + i + delta;
			continue;
		}

		if (BPF_CLASS(insn->code) == BPF_LD &&
		    (BPF_MODE(insn->code) == BPF_ABS ||
		     BPF_MODE(insn->code) == BPF_IND)) {
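Review bot: The bound in the `BPF_JLE` patch is `uaddress_limit >> 32` placed in a signed 32-bit immediate, which is an undocumented constraint on what `bpf_arch_uaddress_limit()` may return. A limit of 2^63 or more would sign-extend, and the unsigned compare would then match every address, so every probe load would silently return 0. The test also works at 4 GiB granularity and is inclusive, so the whole 4 GiB window containing the limit is treated as user memory. I would record both next to the patch, e.g. `/* Only the upper 32 bits are compared; the limit must be below 2^63 so the immediate stays non-negative. */`. `fixup_bpf_calls()` starts and ends outside this hunk, so I am assuming its loop advances `insn` on `continue` and that `insn_buf` holds at least the seven instructions written here.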