Commit 1f6cb19b authored by Andrii Nakryiko, committed by Daniel Borkmann

bpf: Prevent re-mmap()'ing BPF map as writable for initially r/o mapping

The VM_MAYWRITE flag set during the initial memory mapping determines whether already
mmap()'ed pages can later be remapped as writable ones through an mprotect() call. To
prevent a user application from rewriting the contents of a BPF map that was memory-mapped
as read-only and subsequently frozen, remove the VM_MAYWRITE flag completely on an initially
read-only mapping.

Alternatively, we could treat any memory-mapping on unfrozen map as writable
and bump writecnt instead. But there is little legitimate reason to map
BPF map as read-only and then re-mmap() it as writable through mprotect(),
instead of just mmap()'ing it as read/write from the very beginning.

Also, at the suggestion of Jann Horn, drop unnecessary refcounting in mmap
operations. We can just rely on VMA holding reference to BPF map's file
properly.

Fixes: fc970227 ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Andrii Nakryiko <andriin@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/bpf/20200410202613.3679837-1-andriin@fb.com
Parent 4178417c
...@@ -586,9 +586,7 @@ static void bpf_map_mmap_open(struct vm_area_struct *vma) ...@@ -586,9 +586,7 @@ static void bpf_map_mmap_open(struct vm_area_struct *vma)
{ {
struct bpf_map *map = vma->vm_file->private_data; struct bpf_map *map = vma->vm_file->private_data;
bpf_map_inc_with_uref(map); if (vma->vm_flags & VM_MAYWRITE) {
if (vma->vm_flags & VM_WRITE) {
mutex_lock(&map->freeze_mutex); mutex_lock(&map->freeze_mutex);
map->writecnt++; map->writecnt++;
mutex_unlock(&map->freeze_mutex); mutex_unlock(&map->freeze_mutex);
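Review bot: the writecnt accounting in bpf_map_mmap_open() now keys on VM_MAYWRITE, so it is only correct if bpf_map_mmap() reliably strips VM_MAYWRITE from every read-only mapping before this callback can run for a forked or split VMA; otherwise each read-only mapping would be counted as a writer and could block freezing indefinitely. A one-line comment above the check, e.g. `/* VM_MAYWRITE is cleared for r/o mappings in bpf_map_mmap() */`, would make that coupling visible to the next reader. Dropping bpf_map_inc_with_uref() here is sound only because vma->vm_file keeps the map's file (and thus the map) alive for the VMA's lifetime, which the commit message states; worth restating in a comment at the top of the function so the missing refcount is not "fixed" back in later.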
...@@ -600,13 +598,11 @@ static void bpf_map_mmap_close(struct vm_area_struct *vma) ...@@ -600,13 +598,11 @@ static void bpf_map_mmap_close(struct vm_area_struct *vma)
{ {
struct bpf_map *map = vma->vm_file->private_data; struct bpf_map *map = vma->vm_file->private_data;
if (vma->vm_flags & VM_WRITE) { if (vma->vm_flags & VM_MAYWRITE) {
mutex_lock(&map->freeze_mutex); mutex_lock(&map->freeze_mutex);
map->writecnt--; map->writecnt--;
mutex_unlock(&map->freeze_mutex); mutex_unlock(&map->freeze_mutex);
} }
bpf_map_put_with_uref(map);
} }
static const struct vm_operations_struct bpf_map_default_vmops = { static const struct vm_operations_struct bpf_map_default_vmops = {
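Review bot: the decrement in bpf_map_mmap_close() must use exactly the same predicate as the increment in bpf_map_mmap_open() and bpf_map_mmap(), and switching both to VM_MAYWRITE fixes a latent imbalance: VM_WRITE can change over a VMA's lifetime via mprotect(), so a VMA opened as writable and closed as read-only (or vice versa) could previously leave writecnt off by one, whereas VM_MAYWRITE is fixed at mmap time. Removing bpf_map_put_with_uref() here is the necessary counterpart to dropping the inc in the open path; the two hunks have to land together or the map refcount would underflow, which the single-commit change guarantees.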
...@@ -635,14 +631,16 @@ static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma) ...@@ -635,14 +631,16 @@ static int bpf_map_mmap(struct file *filp, struct vm_area_struct *vma)
/* set default open/close callbacks */ /* set default open/close callbacks */
vma->vm_ops = &bpf_map_default_vmops; vma->vm_ops = &bpf_map_default_vmops;
vma->vm_private_data = map; vma->vm_private_data = map;
vma->vm_flags &= ~VM_MAYEXEC;
if (!(vma->vm_flags & VM_WRITE))
/* disallow re-mapping with PROT_WRITE */
vma->vm_flags &= ~VM_MAYWRITE;
err = map->ops->map_mmap(map, vma); err = map->ops->map_mmap(map, vma);
if (err) if (err)
goto out; goto out;
bpf_map_inc_with_uref(map); if (vma->vm_flags & VM_MAYWRITE)
if (vma->vm_flags & VM_WRITE)
map->writecnt++; map->writecnt++;
out: out:
mutex_unlock(&map->freeze_mutex); mutex_unlock(&map->freeze_mutex);
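Review bot: `vma->vm_flags &= ~VM_MAYEXEC;` is a new restriction that the commit message does not mention; please document it (either in the changelog or with a short comment like the one given for VM_MAYWRITE), since it also prevents a later mprotect(PROT_EXEC) on map memory and a reader of the log will otherwise not know it was intentional. The ordering is right: VM_MAYWRITE is cleared before `map->ops->map_mmap(map, vma)` and before the `writecnt++`, so the per-map hook, the counter and the later open/close callbacks all observe the same flags. Consider braces around the single-statement `if (!(vma->vm_flags & VM_WRITE))` whose body is separated from the condition by a comment line; it is legal but easy to misread when a second statement is added.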
......