Message ID | 1400018755-3049-1-git-send-email-ast@plumgrid.com |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
Headers | show |
On Tue, 2014-05-13 at 15:05 -0700, Alexei Starovoitov wrote: > > Fix it by making sure that &header->image[prandom_u32() % hole] and &header > are in the same page > > Fixes: 314beb9bcabfd ("x86: bpf_jit_comp: secure bpf jit against spraying attacks") > Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> > --- > arch/x86/net/bpf_jit_comp.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) Thanks Alexei. Acked-by: Eric Dumazet <edumazet@google.com> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
From: Alexei Starovoitov <ast@plumgrid.com> Date: Tue, 13 May 2014 15:05:55 -0700 > bpf_alloc_binary() adds 128 bytes of room to JITed program image > and rounds it up to the nearest page size. If image size is close > to page size (like 4000), it is rounded to two pages: > round_up(4000 + 4 + 128) == 8192 > then 'hole' is computed as 8192 - (4000 + 4) = 4188 > If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header) > then kernel will crash during bpf_jit_free(): > > kernel BUG at arch/x86/mm/pageattr.c:887! > Call Trace: > [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460 > [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50 > [<ffffffff810378ff>] set_memory_rw+0x2f/0x40 > [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60 > [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0 > [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0 > [<ffffffff8106c90c>] worker_thread+0x11c/0x370 > > since bpf_jit_free() does: > unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK; > struct bpf_binary_header *header = (void *)addr; > to compute start address of 'bpf_binary_header' > and header->pages will pass junk to: > set_memory_rw(addr, header->pages); > > Fix it by making sure that &header->image[prandom_u32() % hole] and &header > are in the same page > > Fixes: 314beb9bcabfd ("x86: bpf_jit_comp: secure bpf jit against spraying attacks") > Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> Applied and queued up for -stable, thank you. -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index dc01773..6d5663a 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c @@ -171,7 +171,7 @@ static struct bpf_binary_header *bpf_alloc_binary(unsigned int proglen, memset(header, 0xcc, sz); /* fill whole space with int3 instructions */ header->pages = sz / PAGE_SIZE; - hole = sz - (proglen + sizeof(*header)); + hole = min(sz - (proglen + sizeof(*header)), PAGE_SIZE - sizeof(*header)); /* insert a random number of int3 instructions before BPF code */ *image_ptr = &header->image[prandom_u32() % hole];
bpf_alloc_binary() adds 128 bytes of room to JITed program image and rounds it up to the nearest page size. If image size is close to page size (like 4000), it is rounded to two pages: round_up(4000 + 4 + 128) == 8192 then 'hole' is computed as 8192 - (4000 + 4) = 4188 If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header) then kernel will crash during bpf_jit_free(): kernel BUG at arch/x86/mm/pageattr.c:887! Call Trace: [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460 [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50 [<ffffffff810378ff>] set_memory_rw+0x2f/0x40 [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60 [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0 [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0 [<ffffffff8106c90c>] worker_thread+0x11c/0x370 since bpf_jit_free() does: unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK; struct bpf_binary_header *header = (void *)addr; to compute start address of 'bpf_binary_header' and header->pages will pass junk to: set_memory_rw(addr, header->pages); Fix it by making sure that &header->image[prandom_u32() % hole] and &header are in the same page Fixes: 314beb9bcabfd ("x86: bpf_jit_comp: secure bpf jit against spraying attacks") Signed-off-by: Alexei Starovoitov <ast@plumgrid.com> --- arch/x86/net/bpf_jit_comp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)