| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20190910172253.GA164966@google.com>
Date: Tue, 10 Sep 2019 10:22:53 -0700
From: Sami Tolvanen <samitolvanen@...gle.com>
To: Yonghong Song <yhs@...com>
Cc: Alexei Starovoitov <ast@...nel.org>,
Daniel Borkmann <daniel@...earbox.net>,
Kees Cook <keescook@...omium.org>, Martin Lau <kafai@...com>,
Song Liu <songliubraving@...com>,
"netdev@...r.kernel.org" <netdev@...r.kernel.org>,
"bpf@...r.kernel.org" <bpf@...r.kernel.org>,
"linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] bpf: validate bpf_func when BPF_JIT is enabled
On Tue, Sep 10, 2019 at 08:37:19AM +0000, Yonghong Song wrote:
> You did not mention BPF_BINARY_HEADER_MAGIC and added member
> of `magic` in bpf_binary_header. Could you add some details
> on what is the purpose for this `magic` member?
Sure, I'll add a description to the next version.
The magic is a random number used to identify bpf_binary_header in
memory. The purpose of this patch is to limit the possible call
targets for the function pointer and checking for the magic helps
ensure we are jumping to a page that contains a jited function,
instead of allowing calls to arbitrary targets.
This is particularly useful when combined with the compiler-based
Control-Flow Integrity (CFI) mitigation, which Google started shipping
in Pixel kernels last year. The compiler injects checks to all
indirect calls, but cannot obviously validate jumps to dynamically
generated code.
> > +unsigned int bpf_call_func(const struct bpf_prog *prog, const void *ctx)
> > +{
> > + const struct bpf_binary_header *hdr = bpf_jit_binary_hdr(prog);
> > +
> > + if (!IS_ENABLED(CONFIG_BPF_JIT_ALWAYS_ON) && !prog->jited)
> > + return prog->bpf_func(ctx, prog->insnsi);
> > +
> > + if (unlikely(hdr->magic != BPF_BINARY_HEADER_MAGIC ||
> > + !arch_bpf_jit_check_func(prog))) {
> > + WARN(1, "attempt to jump to an invalid address");
> > + return 0;
> > + }
> > +
> > + return prog->bpf_func(ctx, prog->insnsi);
> > +}
> The above can be rewritten as
> if (IS_ENABLED(CONFIG_BPF_JIT_ALWAYS_ON) || prog->jited ||
> hdr->magic != BPF_BINARY_HEADER_MAGIC ||
> !arch_bpf_jit_check_func(prog))) {
> WARN(1, "attempt to jump to an invalid address");
> return 0;
> }
That doesn't look quite equivalent, but yes, this can be rewritten as a
single if statement like this:
if ((IS_ENABLED(CONFIG_BPF_JIT_ALWAYS_ON) ||
prog->jited) &&
(hdr->magic != BPF_BINARY_HEADER_MAGIC ||
!arch_bpf_jit_check_func(prog)))
I think splitting the interpreter and JIT paths would be more readable,
but I can certainly change this if you prefer.
> BPF_PROG_RUN() will be called during xdp fast path.
> Have you measured how much slowdown the above change could
> cost for the performance?
I have not measured the overhead, but it shouldn't be significant. Is
there a particular benchmark you'd like me to run?
Sami
Powered by blists - more mailing lists