From patchwork Wed Jan 3 18:56:03 2024
X-Patchwork-Submitter: Maxwell Bland
X-Patchwork-Id: 13510504
From: Maxwell Bland
To: "bpf@vger.kernel.org"
CC: Andrew Wheeler, Sammy BS2 Que | 阙斌生, "di_jin@brown.edu", Greg KH, "vpk@cs.brown.edu", "v.atlidakis@gmail.com"
Subject: [PATCH 2/2] Adding BPF CFI
Date: Wed, 3 Jan 2024 18:56:03 +0000
X-Mailing-List: bpf@vger.kernel.org

From: Tenut
Subject: [PATCH 2/2] Adding BPF CFI

Check offset of BPF instructions in the interpreter to make sure the BPF program is executed from the correct starting point

Signed-off-by: Maxwell Bland
---
 kernel/bpf/Kconfig | 10 +++++++
 kernel/bpf/core.c  | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+)

diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index 7160dcaaa58a..9c64db0ddd63 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -94,6 +94,7 @@ config BPF_HARDENING help Enhance bpf interpreter's security +if BPF_HARDENING config BPF_NX bool "Enable bpf NX" depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT @@ -102,6 +103,15 @@ bool "Enable bpf NX" Allocate eBPF programs in seperate area and make sure the interpreted programs are in the region. +config BPF_CFI + bool "Enable bpf CFI" + depends on BPF_NX + default n + help + Enable alignment checks for eBPF program starting points + +endif + source "kernel/bpf/preload/Kconfig" config BPF_LSM
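Review bot: the new `if BPF_HARDENING` block makes the existing `depends on BPF_HARDENING` under `config BPF_NX` redundant, and `default n` under the new `config BPF_CFI` is already the implicit default for a bool; both can be dropped. More importantly, nothing restricts BPF_CFI to x86 (it only depends on BPF_NX), while the code it enables in kernel/bpf/core.c writes CR0 directly and uses X86_CR0_WP, so every other architecture fails to build with the option on; add `depends on X86` or make the mechanism arch-neutral. The help text should also say that the option adds a per-CPU execution-mode flag checked on every interpreter dispatch and that a failed check is a BUG(), since that is what a user enabling "alignment checks" is actually opting into.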
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 56d9e8d4a6de..dee0d2713c3b 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -116,6 +116,75 @@ static void bpf_insn_check_range(const struct bpf_insn *insn) } #endif /* CONFIG_BPF_NX */ +#ifdef CONFIG_BPF_CFI +#define BPF_ON 1 +#define BPF_OFF 0 + +struct bpf_mode_flag { + u8 byte_array[PAGE_SIZE]; +}; +DEFINE_PER_CPU_PAGE_ALIGNED(struct bpf_mode_flag, bpf_exec_mode); + +static void __init lock_bpf_exec_mode(void) +{ + struct bpf_mode_flag *flag_page; + int cpu; + for_each_possible_cpu(cpu) { + flag_page = per_cpu_ptr(&bpf_exec_mode, cpu); + set_memory_ro((unsigned long)flag_page, 1); + }; +} +subsys_initcall(lock_bpf_exec_mode); + +static void write_cr0_nocheck(unsigned long val) +{ + asm volatile("mov %0,%%cr0": "+r" (val) : : "memory"); +} + +/* + * Notice that get_cpu_var also disables preemption so no + * extra care needed for that. + */ +static void enter_bpf_exec_mode(unsigned long *flagsp) +{ + struct bpf_mode_flag *flag_page; + flag_page = &get_cpu_var(bpf_exec_mode); + local_irq_save(*flagsp); + write_cr0_nocheck(read_cr0() & ~X86_CR0_WP); + flag_page->byte_array[0] = BPF_ON; + write_cr0_nocheck(read_cr0() | X86_CR0_WP); +} + +static void leave_bpf_exec_mode(unsigned long *flagsp) +{ + struct bpf_mode_flag *flag_page; + flag_page = this_cpu_ptr(&bpf_exec_mode); + write_cr0_nocheck(read_cr0() & ~X86_CR0_WP); + flag_page->byte_array[0] = BPF_OFF; + write_cr0_nocheck(read_cr0() | X86_CR0_WP); + local_irq_restore(*flagsp); + put_cpu_var(bpf_exec_mode); +} + +static void check_bpf_exec_mode(void) +{ + struct bpf_mode_flag *flag_page; + flag_page = this_cpu_ptr(&bpf_exec_mode); + BUG_ON(flag_page->byte_array[0] != BPF_ON); +} + +static void bpf_check_cfi(const struct bpf_insn *insn) +{ + const struct bpf_prog *fp; + fp = container_of(insn, struct bpf_prog, insnsi[0]); + if (!IS_ALIGNED((unsigned long)fp, BPF_MEMORY_ALIGN)) + BUG(); +} + +#else /* CONFIG_BPF_CFI */ +static void check_bpf_exec_mode(void) {} +#endif /* CONFIG_BPF_CFI */ + struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags) { gfp_t 
gfp_flags = bpf_memcg_flags(GFP_KERNEL | __GFP_ZERO | gfp_extra_flags); @@ -1719,11 +1788,18 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) #undef BPF_INSN_2_LBL u32 tail_call_cnt = 0; +#ifdef CONFIG_BPF_CFI + unsigned long flags; + enter_bpf_exec_mode(&flags); + bpf_check_cfi(insn); +#endif + #define CONT ({ insn++; goto select_insn; }) #define CONT_JMP ({ insn++; goto select_insn; }) select_insn: bpf_insn_check_range(insn); + check_bpf_exec_mode(); goto *jumptable[insn->code]; /* Explicitly mask the register-based shift amounts with 63 or 31 @@ -2034,6 +2110,9 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) insn += insn->imm; CONT; JMP_EXIT: +#ifdef CONFIG_BPF_CFI + leave_bpf_exec_mode(&flags); +#endif return BPF_R0; /* JMP */ #define COND_JMP(SIGN, OPCODE, CMP_OP) \
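Review bot: the first core.c hunk puts x86-only code into an arch-generic file: write_cr0_nocheck() embeds a `mov %0,%%cr0`, and enter/leave_bpf_exec_mode() use read_cr0() and X86_CR0_WP, yet CONFIG_BPF_CFI has no architecture dependency. Writing CR0 through a private inline asm also sidesteps the kernel's CR0.WP pinning, which exists precisely to make a transient write-protect toggle unavailable as a primitive; a flag kept in an ordinary writable per-CPU variable, or a depth counter in the interpreter's own stack frame, would give the same "are we inside the prologue" signal without weakening that hardening. Minor points: `};` after the for_each_possible_cpu() body in lock_bpf_exec_mode() has a stray semicolon, and both bpf_check_cfi() and check_bpf_exec_mode() BUG() on failure, so a single misaligned program pointer halts the machine rather than aborting that program run.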
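Review bot: enter_bpf_exec_mode(&flags) at the top of ___bpf_prog_run() calls local_irq_save() and get_cpu_var(), and the matching local_irq_restore()/put_cpu_var() only happen in leave_bpf_exec_mode() at JMP_EXIT, so every interpreted program now runs with interrupts and preemption disabled for its whole duration; that is a large latency regression and means the interpreter can no longer run programs whose helpers may sleep. The flag is also a single ON/OFF byte rather than a nesting count: if ___bpf_prog_run() is entered again on the same CPU before the outer run reaches JMP_EXIT, the inner leave_bpf_exec_mode() clears the flag and the outer run's next check_bpf_exec_mode() trips BUG_ON. Finally, check_bpf_exec_mode() sits at select_insn, so every instruction dispatch pays a per-CPU load plus BUG_ON; if the goal is to validate the entry point, bpf_check_cfi() at function entry already does that, and the per-instruction check needs a justification in the commit message.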
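Review bot: leave_bpf_exec_mode(&flags) is only added on the JMP_EXIT path, so any other way out of ___bpf_prog_run() (the interpreter's default_label returns 0 on an unknown opcode, for instance) leaves the per-CPU flag at BPF_ON, interrupts disabled and the preempt count raised on that CPU until some later program run happens to clear them. Move the leave into a common return path, or pair enter and leave around the call in the interpreter's caller, so the two are always balanced.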