Commit a6da8e0b authored by Christophe Leroy's avatar Christophe Leroy Committed by Tengda Wu
Browse files

bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro() 

mainline inclusion
from mainline-v6.10-rc1
commit 7d2cc63eca0c993c99d18893214abf8f85d566d8
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEOM
CVE: CVE-2024-42068

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=7d2cc63eca0c993c99d18893214abf8f85d566d8

--------------------------------

set_memory_ro() can fail, leaving memory unprotected.

Check its return and take it into account as an error.

Link: https://github.com/KSPP/linux/issues/7


Signed-off-by: default avatarChristophe Leroy <christophe.leroy@csgroup.eu>
Cc: linux-hardening@vger.kernel.org <linux-hardening@vger.kernel.org>
Reviewed-by: default avatarKees Cook <keescook@chromium.org>
Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@csgroup.eu>
Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
Fixes: 85782e03 ("bpf: undo prog rejection on read-only lock failure")
Signed-off-by: default avatarTengda Wu <wutengda2@huawei.com>
parent 614e062a

include/linux/filter.h

+3 −2
Original line number Diff line number Diff line
@@ -835,14 +835,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default) 


#define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0]))



static inline void bpf_prog_lock_ro(struct bpf_prog *fp)

static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp)

{

#ifndef CONFIG_BPF_JIT_ALWAYS_ON

	if (!fp->jited) {

		set_vm_flush_reset_perms(fp);

		set_memory_ro((unsigned long)fp, fp->pages);

		return set_memory_ro((unsigned long)fp, fp->pages);

	}

#endif

	return 0;

}



static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)

kernel/bpf/core.c

+3 −1
Original line number Diff line number Diff line
@@ -1882,7 +1882,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err) 
	}



finalize:

	bpf_prog_lock_ro(fp);

	*err = bpf_prog_lock_ro(fp);

	if (*err)

		return fp;



	/* The tail call compatibility check can only be done at

	 * this late stage as we need to determine, if we deal

kernel/bpf/verifier.c

+6 −2
Original line number Diff line number Diff line
@@ -11547,10 +11547,14 @@ static int jit_subprogs(struct bpf_verifier_env *env) 
	 * bpf_prog_load will add the kallsyms for the main program.

	 */

	for (i = 1; i < env->subprog_cnt; i++) {

		bpf_prog_lock_ro(func[i]);

		bpf_prog_kallsyms_add(func[i]);

		err = bpf_prog_lock_ro(func[i]);

		if (err)

			goto out_free;

	}



	for (i = 1; i < env->subprog_cnt; i++)

		bpf_prog_kallsyms_add(func[i]);



	/* Last step: make now unused interpreter insns from main

	 * prog consistent for later dump requests, so they can

	 * later look the same as if they were interpreted only.