| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-Id: <20191113204737.31623-2-bjorn.topel@gmail.com>
Date: Wed, 13 Nov 2019 21:47:34 +0100
From: Björn Töpel <bjorn.topel@...il.com>
To: netdev@...r.kernel.org, ast@...nel.org, daniel@...earbox.net
Cc: Björn Töpel <bjorn.topel@...el.com>,
bpf@...r.kernel.org, magnus.karlsson@...il.com,
magnus.karlsson@...el.com, jonathan.lemon@...il.com
Subject: [RFC PATCH bpf-next 1/4] bpf: teach bpf_arch_text_poke() jumps
From: Björn Töpel <bjorn.topel@...el.com>
The BPF dispatcher, introduced in future commits, hijacks a trampoline
function. This commit teaches the text poker to emit jmpq in addtion
to callq.
Signed-off-by: Björn Töpel <bjorn.topel@...el.com>
---
arch/x86/net/bpf_jit_comp.c | 34 +++++++++++++++++++++++++++++-----
include/linux/bpf.h | 3 +++
2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
index 79157d886a3e..28782a1c386e 100644
--- a/arch/x86/net/bpf_jit_comp.c
+++ b/arch/x86/net/bpf_jit_comp.c
@@ -481,7 +481,7 @@ static void emit_stx(u8 **pprog, u32 size, u32 dst_reg, u32 src_reg, int off)
*pprog = prog;
}
-static int emit_call(u8 **pprog, void *func, void *ip)
+static int emit_call_jmp(u8 **pprog, void *func, void *ip, u8 insn)
{
u8 *prog = *pprog;
int cnt = 0;
@@ -492,17 +492,28 @@ static int emit_call(u8 **pprog, void *func, void *ip)
pr_err("Target call %p is out of range\n", func);
return -EINVAL;
}
- EMIT1_off32(0xE8, offset);
+ EMIT1_off32(insn, offset);
*pprog = prog;
return 0;
}
+static int emit_call(u8 **pprog, void *func, void *ip)
+{
+ return emit_call_jmp(pprog, func, ip, 0xE8);
+}
+
+/* Emits tail-call */
+static int emit_jmp(u8 **pprog, void *func, void *ip)
+{
+ return emit_call_jmp(pprog, func, ip, 0xE9);
+}
+
int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
void *old_addr, void *new_addr)
{
u8 old_insn[X86_CALL_SIZE] = {};
u8 new_insn[X86_CALL_SIZE] = {};
- u8 *prog;
+ u8 *prog, insn;
int ret;
if (!is_kernel_text((long)ip) &&
@@ -510,31 +521,44 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
/* BPF trampoline in modules is not supported */
return -EINVAL;
+ switch (t) {
+ case BPF_MOD_NOP_TO_CALL:
+ case BPF_MOD_CALL_TO_CALL:
+ case BPF_MOD_CALL_TO_NOP:
+ insn = 0xE8;
+ break;
+ default:
+ insn = 0xE9;
+ }
+
if (old_addr) {
prog = old_insn;
- ret = emit_call(&prog, old_addr, (void *)ip);
+ ret = emit_call_jmp(&prog, old_addr, (void *)ip, insn);
if (ret)
return ret;
}
if (new_addr) {
prog = new_insn;
- ret = emit_call(&prog, new_addr, (void *)ip);
+ ret = emit_call_jmp(&prog, new_addr, (void *)ip, insn);
if (ret)
return ret;
}
ret = -EBUSY;
mutex_lock(&text_mutex);
switch (t) {
+ case BPF_MOD_NOP_TO_JMP:
case BPF_MOD_NOP_TO_CALL:
if (memcmp(ip, ideal_nops[NOP_ATOMIC5], X86_CALL_SIZE))
goto out;
text_poke(ip, new_insn, X86_CALL_SIZE);
break;
+ case BPF_MOD_JMP_TO_JMP:
case BPF_MOD_CALL_TO_CALL:
if (memcmp(ip, old_insn, X86_CALL_SIZE))
goto out;
text_poke(ip, new_insn, X86_CALL_SIZE);
break;
+ case BPF_MOD_JMP_TO_NOP:
case BPF_MOD_CALL_TO_NOP:
if (memcmp(ip, old_insn, X86_CALL_SIZE))
goto out;
diff --git a/include/linux/bpf.h b/include/linux/bpf.h
index 6a80af092048..38b0715050a9 100644
--- a/include/linux/bpf.h
+++ b/include/linux/bpf.h
@@ -1270,6 +1270,9 @@ enum bpf_text_poke_type {
BPF_MOD_NOP_TO_CALL,
BPF_MOD_CALL_TO_CALL,
BPF_MOD_CALL_TO_NOP,
+ BPF_MOD_NOP_TO_JMP,
+ BPF_MOD_JMP_TO_JMP,
+ BPF_MOD_JMP_TO_NOP,
};
int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t,
void *addr1, void *addr2);
--
2.20.1
Powered by blists - more mailing lists