Commit d0f1a451 authored May 04, 2018 by Daniel Borkmann Committed by Alexei Starovoitov May 03, 2018

bpf: use array_index_nospec in find_prog_type



Commit 9ef09e35 ("bpf: fix possible spectre-v1 in find_and_alloc_map()")
converted find_and_alloc_map() over to use array_index_nospec() to sanitize
map type that user space passes on map creation, and this patch does an
analogous conversion for progs in find_prog_type() as it's also passed from
user space when loading progs as attr->prog_type.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent 9ef09e35

kernel/bpf/syscall.c

+8 −2

Original line number	Diff line number	Diff line
		@@ -874,11 +874,17 @@ static const struct bpf_prog_ops * const bpf_prog_types[] = {

		static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog)
		{
		if (type >= ARRAY_SIZE(bpf_prog_types) \|\| !bpf_prog_types[type])
		const struct bpf_prog_ops *ops;

		if (type >= ARRAY_SIZE(bpf_prog_types))
		return -EINVAL;
		type = array_index_nospec(type, ARRAY_SIZE(bpf_prog_types));
		ops = bpf_prog_types[type];
		if (!ops)
		return -EINVAL;

		if (!bpf_prog_is_dev_bound(prog->aux))
		prog->aux->ops = bpf_prog_types[type];
		prog->aux->ops = ops;
		else
		prog->aux->ops = &bpf_offload_prog_ops;
		prog->type = type;