Minki/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2024-12-30 06:41:43 +00:00
Code Issues Packages Projects Releases Wiki Activity
60a3b2253c
linux/arch/powerpc
History
Daniel Borkmann 60a3b2253c net: bpf: make eBPF interpreter images read-only 
With eBPF getting more extended and exposure to user space is on it's way,
hardening the memory range the interpreter uses to steer its command flow
seems appropriate.  This patch moves the to be interpreted bytecode to
read-only pages.

In case we execute a corrupted BPF interpreter image for some reason e.g.
caused by an attacker which got past a verifier stage, it would not only
provide arbitrary read/write memory access but arbitrary function calls
as well. After setting up the BPF interpreter image, its contents do not
change until destruction time, thus we can setup the image on immutable
made pages in order to mitigate modifications to that code. The idea
is derived from commit 314beb9bca ("x86: bpf_jit_comp: secure bpf jit
against spraying attacks").

This is possible because bpf_prog is not part of sk_filter anymore.
After setup bpf_prog cannot be altered during its life-time. This prevents
any modifications to the entire bpf_prog structure (incl. function/JIT
image pointer).

Every eBPF program (including classic BPF that are migrated) have to call
bpf_prog_select_runtime() to select either interpreter or a JIT image
as a last setup step, and they all are being freed via bpf_prog_free(),
including non-JIT. Therefore, we can easily integrate this into the
eBPF life-time, plus since we directly allocate a bpf_prog, we have no
performance penalty.

Tested with seccomp and test_bpf testsuite in JIT/non-JIT mode and manual
inspection of kernel_page_tables.  Brad Spengler proposed the same idea
via Twitter during development of this patch.

Joint work with Hannes Frederic Sowa.

Suggested-by: Brad Spengler <spender@grsecurity.net>
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Cc: Kees Cook <keescook@chromium.org>
Acked-by: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-09-05 12:02:48 -07:00
..
boot Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2014-08-14 10:14:07 -06:00
configs Here are the PPC and ARM changes for KVM, which I separated because 2014-08-07 11:35:30 -07:00
crypto
include powerpc/mm: Use read barrier when creating real_pte 2014-08-13 18:20:41 +10:00
kernel Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2014-08-14 10:14:07 -06:00
kvm PC, KVM, CMA: Fix regression caused by wrong get_order() use 2014-08-19 15:11:57 +02:00
lib powerpc: Add smp_mb()s to arch_spin_unlock_wait() 2014-08-13 15:13:27 +10:00
math-emu powerpc: Correct emulated mtfsf instruction 2014-04-07 10:33:11 +10:00
mm powerpc/thp: Add tracepoints to track hugepage invalidate 2014-08-13 18:20:42 +10:00
net net: bpf: make eBPF interpreter images read-only 2014-09-05 12:02:48 -07:00
oprofile powerpc: Remove oprofile RS64 support 2014-07-28 14:10:25 +10:00
perf powerpc/perf/hv-24x7: Use kmem_cache_free 2014-08-13 15:14:04 +10:00
platforms Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/benh/powerpc 2014-08-14 10:14:07 -06:00
sysdev Merge remote-tracking branch 'scott/next' into next 2014-08-05 14:13:41 +10:00
xmon powerpc: Hard disable interrupts in xmon 2014-08-13 15:13:48 +10:00
Kconfig kexec: load and relocate purgatory at kernel load time 2014-08-08 15:57:32 -07:00
Kconfig.debug Patch queue for ppc - 2014-08-01 2014-08-05 09:58:11 +02:00
Makefile Merge branch 'merge' into next 2014-05-28 13:30:12 +10:00
relocs_check.pl