Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 16495445 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

filter: do not output bpf image address for security reason 



Do not leak starting address of BPF JIT code for non root users,
as it might help intruders to perform an attack.

Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 314beb9b

include/linux/filter.h

+2 −2
Original line number Diff line number Diff line
@@ -58,10 +58,10 @@ extern void bpf_jit_free(struct sk_filter *fp); 
static inline void bpf_jit_dump(unsigned int flen, unsigned int proglen,

				u32 pass, void *image)

{

	pr_err("flen=%u proglen=%u pass=%u image=%p\n",

	pr_err("flen=%u proglen=%u pass=%u image=%pK\n",

	       flen, proglen, pass, image);

	if (image)

		print_hex_dump(KERN_ERR, "JIT code: ", DUMP_PREFIX_ADDRESS,

		print_hex_dump(KERN_ERR, "JIT code: ", DUMP_PREFIX_OFFSET,

			       16, 1, image, proglen, false);

}

#define SK_RUN_FILTER(FILTER, SKB) (*FILTER->bpf_func)(SKB, FILTER->insns)