git.baikalelectronics.ru Git - kernel.git/commit
bpf: Prevent re-mmap()'ing BPF map as writable for initially r/o mapping
author Andrii Nakryiko <andriin@fb.com>
Fri, 10 Apr 2020 20:26:12 +0000 (13:26 -0700)
committer Daniel Borkmann <daniel@iogearbox.net>
Tue, 14 Apr 2020 19:28:57 +0000 (21:28 +0200)
commit f29508e06c4789355bb5fe424090c8f5c05c2fb2
tree f403308df2df8c60baedaa5eed2444e617e320f0
parent 5dc5af0b1ede5b4211fcdadbdd3235fc0adc11d8
bpf: Prevent re-mmap()'ing BPF map as writable for initially r/o mapping

The VM_MAYWRITE flag during initial memory mapping determines if already
mmap()'ed pages can later be remapped as writable ones through an mprotect()
call. To prevent a user application from rewriting the contents of a BPF map
that was memory-mapped as read-only and subsequently frozen, remove the
VM_MAYWRITE flag completely on an initially read-only mapping.

Alternatively, we could treat any memory-mapping on unfrozen map as writable
and bump writecnt instead. But there is little legitimate reason to map
BPF map as read-only and then re-mmap() it as writable through mprotect(),
instead of just mmap()'ing it as read/write from the very beginning.

Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap
operations. We can just rely on VMA holding reference to BPF map's file
properly.

Fixes: d41da1a54b88 ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Andrii Nakryiko <andriin@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/bpf/20200410202613.3679837-1-andriin@fb.com
kernel/bpf/syscall.c
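
The VM_MAYWRITE rule the commit message relies on can be observed from user space without any BPF privileges. The following is an added example, not code from this commit or from the kernel tree: it uses a constructed temporary file as a stand-in for a BPF map, on the assumption (true of Linux's generic mmap path) that a MAP_SHARED mapping of a file opened O_RDONLY is created without VM_MAYWRITE while one opened O_RDWR keeps it. The function name `upgrade_ro_mapping` is hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mman.h>
#include <unistd.h>

/* Map one page PROT_READ / MAP_SHARED from a constructed temp file opened
 * with open_flags, then ask mprotect() to add PROT_WRITE.
 * Returns 0 if the upgrade was allowed (VM_MAYWRITE was set on the VMA),
 * the errno from mprotect() if it was refused, or -1 on setup failure. */
int upgrade_ro_mapping(int open_flags)
{
    char path[] = "/tmp/maywrite-demo-XXXXXX";   /* constructed sample file */
    long page = sysconf(_SC_PAGESIZE);
    int result;

    int tmp = mkstemp(path);
    if (tmp < 0)
        return -1;
    if (ftruncate(tmp, page) != 0) { close(tmp); unlink(path); return -1; }

    /* Re-open with the access mode under test; the mode of this descriptor
     * is what decides whether the shared mapping gets VM_MAYWRITE. */
    int fd = open(path, open_flags);
    close(tmp);
    unlink(path);
    if (fd < 0)
        return -1;

    void *p = mmap(NULL, page, PROT_READ, MAP_SHARED, fd, 0);
    close(fd);                                   /* the VMA keeps the file alive */
    if (p == MAP_FAILED)
        return -1;

    /* mprotect() may only grant bits that the VM_MAY* flags permit. */
    result = mprotect(p, page, PROT_READ | PROT_WRITE) == 0 ? 0 : errno;
    munmap(p, page);
    return result;
}

int main(void)
{
    /* O_RDWR: VM_MAYWRITE stays set, so the read-only mapping can be upgraded. */
    printf("O_RDWR   -> %d\n", upgrade_ro_mapping(O_RDWR));
    /* O_RDONLY: VM_MAYWRITE is cleared at mmap() time, upgrade gets EACCES. */
    printf("O_RDONLY -> %d (EACCES=%d)\n", upgrade_ro_mapping(O_RDONLY), EACCES);
    return 0;
}
```

The O_RDONLY case shows the outcome this commit is meant to give an initially read-only BPF map mapping: with VM_MAYWRITE cleared, a later mprotect() cannot make the pages writable.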