Patchwork [net-next] filter: do not output bpf image address for security reason

login
register
mail settings
Submitter Eric Dumazet
Date May 18, 2013, 2:57 a.m.
Message ID <1368845857.3301.148.camel@edumazet-glaptop>
Download mbox | patch
Permalink /patch/244728/
State Accepted
Delegated to: David Miller
Headers show

Comments

Eric Dumazet - May 18, 2013, 2:57 a.m.
From: Eric Dumazet <edumazet@google.com>

Do not leak starting address of BPF JIT code for non root users,
as it might help intruders to perform an attack.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Daniel Borkmann <dborkman@redhat.com>
---
v2: use %pK as Ben suggestion

 include/linux/filter.h |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller - May 20, 2013, 6:57 a.m.
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Fri, 17 May 2013 19:57:37 -0700

> From: Eric Dumazet <edumazet@google.com>
> 
> Do not leak starting address of BPF JIT code for non root users,
> as it might help intruders to perform an attack.
> 
> Signed-off-by: Eric Dumazet <edumazet@google.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/include/linux/filter.h b/include/linux/filter.h
index c050dcc..56a6b7f 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -58,10 +58,10 @@  extern void bpf_jit_free(struct sk_filter *fp);
 static inline void bpf_jit_dump(unsigned int flen, unsigned int proglen,
 				u32 pass, void *image)
 {
-	pr_err("flen=%u proglen=%u pass=%u image=%p\n",
+	pr_err("flen=%u proglen=%u pass=%u image=%pK\n",
 	       flen, proglen, pass, image);
 	if (image)
-		print_hex_dump(KERN_ERR, "JIT code: ", DUMP_PREFIX_ADDRESS,
+		print_hex_dump(KERN_ERR, "JIT code: ", DUMP_PREFIX_OFFSET,
 			       16, 1, image, proglen, false);
 }
 #define SK_RUN_FILTER(FILTER, SKB) (*FILTER->bpf_func)(SKB, FILTER->insns)