• D
    net: bpf: make eBPF interpreter images read-only · 60a3b225
    Daniel Borkmann 提交于
    With eBPF getting more extended and exposure to user space is on it's way,
    hardening the memory range the interpreter uses to steer its command flow
    seems appropriate.  This patch moves the to be interpreted bytecode to
    read-only pages.
    
    In case we execute a corrupted BPF interpreter image for some reason e.g.
    caused by an attacker which got past a verifier stage, it would not only
    provide arbitrary read/write memory access but arbitrary function calls
    as well. After setting up the BPF interpreter image, its contents do not
    change until destruction time, thus we can setup the image on immutable
    made pages in order to mitigate modifications to that code. The idea
    is derived from commit 314beb9b ("x86: bpf_jit_comp: secure bpf jit
    against spraying attacks").
    
    This is possible because bpf_prog is not part of sk_filter anymore.
    After setup bpf_prog cannot be altered during its life-time. This prevents
    any modifications to the entire bpf_prog structure (incl. function/JIT
    image pointer).
    
    Every eBPF program (including classic BPF that are migrated) have to call
    bpf_prog_select_runtime() to select either interpreter or a JIT image
    as a last setup step, and they all are being freed via bpf_prog_free(),
    including non-JIT. Therefore, we can easily integrate this into the
    eBPF life-time, plus since we directly allocate a bpf_prog, we have no
    performance penalty.
    
    Tested with seccomp and test_bpf testsuite in JIT/non-JIT mode and manual
    inspection of kernel_page_tables.  Brad Spengler proposed the same idea
    via Twitter during development of this patch.
    
    Joint work with Hannes Frederic Sowa.
    Suggested-by: NBrad Spengler <spender@grsecurity.net>
    Signed-off-by: NDaniel Borkmann <dborkman@redhat.com>
    Signed-off-by: NHannes Frederic Sowa <hannes@stressinduktion.org>
    Cc: Alexei Starovoitov <ast@plumgrid.com>
    Cc: Kees Cook <keescook@chromium.org>
    Acked-by: NAlexei Starovoitov <ast@plumgrid.com>
    Signed-off-by: NDavid S. Miller <davem@davemloft.net>
    60a3b225
filter.h 12.6 KB