lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <1466940078-65581-22-git-send-email-hekuang@huawei.com>
Date:	Sun, 26 Jun 2016 11:21:13 +0000
From:	He Kuang <hekuang@...wei.com>
To:	<acme@...nel.org>, <peterz@...radead.org>, <mingo@...hat.com>,
	<jolsa@...hat.com>, <brendan.d.gregg@...il.com>, <ast@...nel.org>,
	<alexander.shishkin@...ux.intel.com>, <wangnan0@...wei.com>,
	<hekuang@...wei.com>
CC:	<linux-kernel@...r.kernel.org>
Subject: [RFC PATCH v2 21/26] bpf: Support bpf load/store boundary check for ubpf

A boundary check is added before each store/load instruction, since we
don't have a verifier in userspace bpf. There's no functionality
change without UBPF_BUILD flag.

Signed-off-by: He Kuang <hekuang@...wei.com>
---
 kernel/bpf/vm.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/vm.c b/kernel/bpf/vm.c
index add5669..0ddb592 100644
--- a/kernel/bpf/vm.c
+++ b/kernel/bpf/vm.c
@@ -76,9 +76,13 @@ static inline int bpf_vm_jmp_tail_call_handler(u64 *regs, u32 *p_tail_call_cnt,
 	*p_insn = prog->insnsi;
 	return 0;
 }
-#endif /* UBPF_BUILD */
-
+#define BOUNDS_CHECK_STORE(size)
+#define BOUNDS_CHECK_LOAD(size)
 unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn)
+#else
+unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn,
+			    size_t ctx_len)
+#endif /* UBPF_BUILD */
 {
 	u64 stack[MAX_BPF_STACK / sizeof(u64)];
 	u64 regs[MAX_BPF_REG], tmp;
@@ -419,12 +423,15 @@ select_insn:
 	/* STX and ST and LDX*/
 #define LDST(SIZEOP, SIZE)						\
 	STX_MEM_##SIZEOP:						\
+		BOUNDS_CHECK_STORE(sizeof(SIZE));			\
 		*(SIZE *)(unsigned long) (DST + insn->off) = SRC;	\
 		CONT;							\
 	ST_MEM_##SIZEOP:						\
+		BOUNDS_CHECK_STORE(sizeof(SIZE));			\
 		*(SIZE *)(unsigned long) (DST + insn->off) = IMM;	\
 		CONT;							\
 	LDX_MEM_##SIZEOP:						\
+		BOUNDS_CHECK_LOAD(sizeof(SIZE));			\
 		DST = *(SIZE *)(unsigned long) (SRC + insn->off);	\
 		CONT;
 
-- 
1.8.5.2

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ