Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ede7c460 authored by Naveen N. Rao's avatar Naveen N. Rao Committed by Daniel Borkmann
Browse files

bpf: handle 32-bit zext during constant blinding 



Since BPF constant blinding is performed after the verifier pass, the
ALU32 instructions inserted for doubleword immediate loads don't have a
corresponding zext instruction. This is causing a kernel oops on powerpc
and can be reproduced by running 'test_cgroup_storage' with
bpf_jit_harden=2.

Fix this by emitting BPF_ZEXT during constant blinding if
prog->aux->verifier_zext is set.

Fixes: a4b1d3c1 ("bpf: verifier: insert zero extension according to analysis result")
Reported-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
Signed-off-by: default avatarNaveen N. Rao <naveen.n.rao@linux.vnet.ibm.com>
Reviewed-by: default avatarJiong Wang <jiong.wang@netronome.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
parent 86c28b2d

kernel/bpf/core.c

+6 −2
Original line number Diff line number Diff line
@@ -890,7 +890,8 @@ int bpf_jit_get_func_addr(const struct bpf_prog *prog, 


static int bpf_jit_blind_insn(const struct bpf_insn *from,

			      const struct bpf_insn *aux,

			      struct bpf_insn *to_buff)

			      struct bpf_insn *to_buff,

			      bool emit_zext)

{

	struct bpf_insn *to = to_buff;

	u32 imm_rnd = get_random_int();
@@ -1005,6 +1006,8 @@ static int bpf_jit_blind_insn(const struct bpf_insn *from, 
	case 0: /* Part 2 of BPF_LD | BPF_IMM | BPF_DW. */

		*to++ = BPF_ALU32_IMM(BPF_MOV, BPF_REG_AX, imm_rnd ^ aux[0].imm);

		*to++ = BPF_ALU32_IMM(BPF_XOR, BPF_REG_AX, imm_rnd);

		if (emit_zext)

			*to++ = BPF_ZEXT_REG(BPF_REG_AX);

		*to++ = BPF_ALU64_REG(BPF_OR,  aux[0].dst_reg, BPF_REG_AX);

		break;
@@ -1088,7 +1091,8 @@ struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog) 
		    insn[1].code == 0)

			memcpy(aux, insn, sizeof(aux));



		rewritten = bpf_jit_blind_insn(insn, aux, insn_buff);

		rewritten = bpf_jit_blind_insn(insn, aux, insn_buff,

						clone->aux->verifier_zext);

		if (!rewritten)

			continue;