]> git.baikalelectronics.ru Git - kernel.git/commit
projects / kernel.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: e8fe1a8) | patch
bpf: do not allow root to mangle valid pointers
authorAlexei Starovoitov <ast@kernel.org>
Tue, 19 Dec 2017 04:15:20 +0000 (20:15 -0800)
committerDaniel Borkmann <daniel@iogearbox.net>
Thu, 21 Dec 2017 01:26:29 +0000 (02:26 +0100)
commitb201d4e1762ba4ac8330c579ad2e3b258f91e64d
tree288d426963ab3a782ef0876a8ad41ce1d5856401tree | snapshot
parente8fe1a89b48e61f5a684a7a4b5344b81ed056fcdcommit | diff
bpf: do not allow root to mangle valid pointers

Do not allow root to convert valid pointers into unknown scalars.
In particular disallow:
 ptr &= reg
 ptr <<= reg
 ptr += ptr
and explicitly allow:
 ptr -= ptr
since pkt_end - pkt == length

1.
This minimizes amount of address leaks root can do.
In the future may need to further tighten the leaks with kptr_restrict.

2.
If program has such pointer math it's likely a user mistake and
when verifier complains about it right away instead of many instructions
later on invalid memory access it's easier for users to fix their progs.

3.
when register holding a pointer cannot change to scalar it allows JITs to
optimize better. Like 32-bit archs could use single register for pointers
instead of a pair required to hold 64-bit scalars.

4.
reduces architecture dependent behavior. Since code:
r1 = r10;
r1 &= 0xff;
if (r1 ...)
will behave differently arm64 vs x64 and offloaded vs native.

A significant chunk of ptr mangling was allowed by
commit d4b79d1043b4 ("bpf/verifier: rework value tracking")
yet some of it was allowed even earlier.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
kernel/bpf/verifier.c diff | blob | history
tools/testing/selftests/bpf/test_verifier.c diff | blob | history
Linux Kernel Source Tree.