Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit aa2d2c73 authored by Heiko Carstens's avatar Heiko Carstens Committed by Martin Schwidefsky
Browse files

s390/bpf,jit: address randomize and write protect jit code 



This is the s390 variant of 314beb9b "x86: bpf_jit_comp: secure bpf
jit against spraying attacks".
With this change the whole jit code and literal pool will be write
protected after creation. In addition the start address of the jit
code won't be always on a page boundary anymore.

Signed-off-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
parent fee1b548

arch/s390/net/bpf_jit_comp.c

+46 −5
Original line number Original line Diff line number Diff line
@@ -9,6 +9,7 @@ 
#include <linux/netdevice.h>

#include <linux/netdevice.h>

#include <linux/if_vlan.h>

#include <linux/if_vlan.h>

#include <linux/filter.h>

#include <linux/filter.h>

#include <linux/random.h>

#include <asm/cacheflush.h>

#include <asm/cacheflush.h>

#include <asm/processor.h>

#include <asm/processor.h>

#include <asm/facility.h>

#include <asm/facility.h>
@@ -738,8 +739,41 @@ load_abs: if ((int) K < 0) 
	return -1;

	return -1;

}

}





/*

 * Note: for security reasons, bpf code will follow a randomly

 *	 sized amount of illegal instructions.

 */

struct bpf_binary_header {

	unsigned int pages;

	u8 image[];

};



static struct bpf_binary_header *bpf_alloc_binary(unsigned int bpfsize,

						  u8 **image_ptr)

{

	struct bpf_binary_header *header;

	unsigned int sz, hole;



	/* Most BPF filters are really small, but if some of them fill a page,

	 * allow at least 128 extra bytes for illegal instructions.

	 */

	sz = round_up(bpfsize + sizeof(*header) + 128, PAGE_SIZE);

	header = module_alloc(sz);

	if (!header)

		return NULL;

	memset(header, 0, sz);

	header->pages = sz / PAGE_SIZE;

	hole = sz - bpfsize + sizeof(*header);

	/* Insert random number of illegal instructions before BPF code

	 * and make sure the first instruction starts at an even address.

	 */

	*image_ptr = &header->image[(prandom_u32() % hole) & -2];

	return header;

}



void bpf_jit_compile(struct sk_filter *fp)

void bpf_jit_compile(struct sk_filter *fp)

{

{

	struct bpf_binary_header *header = NULL;

	unsigned long size, prg_len, lit_len;

	unsigned long size, prg_len, lit_len;

	struct bpf_jit jit, cjit;

	struct bpf_jit jit, cjit;

	unsigned int *addrs;

	unsigned int *addrs;
@@ -775,8 +809,8 @@ void bpf_jit_compile(struct sk_filter *fp) 
			size = prg_len + lit_len;

			size = prg_len + lit_len;

			if (size >= BPF_SIZE_MAX)

			if (size >= BPF_SIZE_MAX)

				goto out;

				goto out;

			jit.start = module_alloc(size);

			header = bpf_alloc_binary(size, &jit.start);

			if (!jit.start)

			if (!header)

				goto out;

				goto out;

			jit.prg = jit.mid = jit.start + prg_len;

			jit.prg = jit.mid = jit.start + prg_len;

			jit.lit = jit.end = jit.start + prg_len + lit_len;

			jit.lit = jit.end = jit.start + prg_len + lit_len;
@@ -791,14 +825,21 @@ void bpf_jit_compile(struct sk_filter *fp) 
		if (jit.start)

		if (jit.start)

			print_fn_code(jit.start, jit.mid - jit.start);

			print_fn_code(jit.start, jit.mid - jit.start);

	}

	}

	if (jit.start)

	if (jit.start) {

		set_memory_ro((unsigned long)header, header->pages);

		fp->bpf_func = (void *) jit.start;

		fp->bpf_func = (void *) jit.start;

	}

out:

out:

	kfree(addrs);

	kfree(addrs);

}

}





void bpf_jit_free(struct sk_filter *fp)

void bpf_jit_free(struct sk_filter *fp)

{

{

	if (fp->bpf_func != sk_run_filter)

	unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;

		module_free(NULL, fp->bpf_func);

	struct bpf_binary_header *header = (void *)addr;



	if (fp->bpf_func == sk_run_filter)

		return;

	set_memory_rw(addr, header->pages);

	module_free(NULL, header);

}
 
}