lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sun, 26 Jun 2016 11:21:14 +0000
From:	He Kuang <hekuang@...wei.com>
To:	<acme@...nel.org>, <peterz@...radead.org>, <mingo@...hat.com>,
	<jolsa@...hat.com>, <brendan.d.gregg@...il.com>, <ast@...nel.org>,
	<alexander.shishkin@...ux.intel.com>, <wangnan0@...wei.com>,
	<hekuang@...wei.com>
CC:	<linux-kernel@...r.kernel.org>
Subject: [RFC PATCH v2 22/26] perf bpf: Implement boundary check code in ubpf

Make sure that ubpf load/store instructions only access the context
and stack region.

Signed-off-by: He Kuang <hekuang@...wei.com>
---
 tools/perf/util/bpf-vm.c | 35 +++++++++++++++++++++++++++++++++++
 tools/perf/util/bpf-vm.h |  3 ++-
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/bpf-vm.c b/tools/perf/util/bpf-vm.c
index 23ac784..191ed42 100644
--- a/tools/perf/util/bpf-vm.c
+++ b/tools/perf/util/bpf-vm.c
@@ -2,6 +2,11 @@
 #include "util.h"
 #include "tools/be_byteshift.h"
 #include "bpf-vm.h"
+#include "debug.h"
+#include <linux/filter.h>
+
+#define DST	regs[insn->dst_reg]
+#define SRC	regs[insn->src_reg]
 
 static inline void
 bpf_vm_jmp_call_handler(u64 *regs __maybe_unused, void *ctx __maybe_unused,
@@ -30,5 +35,35 @@ static inline void *bpf_load_pointer(const void *skb __maybe_unused,
 	return NULL;
 }
 
+static bool
+bounds_check(void *addr, int size, void *ctx, size_t ctx_len, void *stack)
+{
+	if (ctx && (addr >= ctx && (addr + size) <= (ctx + ctx_len))) {
+		/* Context access */
+		return true;
+	} else if (addr >= stack && (addr + size) <= (stack + MAX_BPF_STACK)) {
+		/* Stack access */
+		return true;
+	}
+
+	pr_debug("bpf: bounds_check failed\n");
+	return false;
+}
+
+#define BOUNDS_CHECK_LOAD(size)						\
+	do {								\
+		if (!bounds_check((void *)SRC + insn->off, size,	\
+				  ctx, ctx_len, stack)) {		\
+			return -1;					\
+		}							\
+	} while (0)
+#define BOUNDS_CHECK_STORE(size)					\
+	do {								\
+		if (!bounds_check((void *)DST + insn->off, size,	\
+				  ctx, ctx_len, stack)) {		\
+			return -1;					\
+		}							\
+	} while (0)
+
 #define UBPF_BUILD
 #include <../../../kernel/bpf/vm.c>
diff --git a/tools/perf/util/bpf-vm.h b/tools/perf/util/bpf-vm.h
index bf96caa..66956fbb 100644
--- a/tools/perf/util/bpf-vm.h
+++ b/tools/perf/util/bpf-vm.h
@@ -2,6 +2,7 @@
 #define _BPF_VM_H
 
 struct bpf_insn;
-unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn);
+unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn,
+			    size_t ctx_len);
 
 #endif /* _BPF_VM_H */
-- 
1.8.5.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ