From patchwork Wed Jan 3 19:16:32 2024
X-Patchwork-Submitter: Maxwell Bland
X-Patchwork-Id: 13510440
X-Patchwork-Delegate: bpf@iogearbox.net
From: Maxwell Bland
To: Greg KH
CC: "bpf@vger.kernel.org", Andrew Wheeler, Sammy BS2 Que | 阙斌生, "di_jin@brown.edu"
Subject: [PATCH 1/2] Adding BPF NX
Date: Wed, 3 Jan 2024 19:16:32 +0000
References: <2024010317-undercoat-widow-e087@gregkh>
X-Mailing-List: bpf@vger.kernel.org
From: Tenut
Subject: [PATCH 1/2] Adding BPF NX

Reserve a memory region for BPF programs, and check for it in the interpreter. This simulates the effect of non-executable memory for BPF execution.

Signed-off-by: Maxwell Bland
--- arch/x86/include/asm/pgtable_64_types.h | 9 +++++++++ arch/x86/mm/fault.c | 6 +++++- kernel/bpf/Kconfig | 16 +++++++++++++++ kernel/bpf/core.c | 35 ++++++++++++++++++++++++++++++--- 4 files changed, 62 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 38b54b992f32..ad11651eb073 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h @@ -123,6 +123,9 @@ extern unsigned int ptrs_per_p4d; #define __VMALLOC_BASE_L4 0xffffc90000000000UL #define __VMALLOC_BASE_L5 0xffa0000000000000UL +#ifdef CONFIG_BPF_NX +#define __BPF_VBASE 0xffffeb0000000000UL +#endif #define VMALLOC_SIZE_TB_L4 32UL #define VMALLOC_SIZE_TB_L5 12800UL @@ -169,6 +172,12 @@ extern unsigned int ptrs_per_p4d; #define VMALLOC_QUARTER_SIZE ((VMALLOC_SIZE_TB << 40) >> 2) #define VMALLOC_END (VMALLOC_START + VMALLOC_QUARTER_SIZE - 1) +#ifdef CONFIG_BPF_NX +#define BPF_SIZE_GB 512UL +#define BPF_VSTART __BPF_VBASE +#define BPF_VEND (BPF_VSTART + _AC(BPF_SIZE_GB << 30, UL)) +#endif /* CONFIG_BPF_NX */ + /* * vmalloc metadata addresses are calculated by adding shadow/origin offsets * to vmalloc address. diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index ab778eac1952..cfb63ef72168 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -235,7 +235,11 @@ static noinline int vmalloc_fault(unsigned long address) pte_t *pte_k; /* Make sure we are in vmalloc area: */ - if (!(address >= VMALLOC_START && address < VMALLOC_END)) + if (!(address >= VMALLOC_START && address < VMALLOC_END) #ifdef BPF_NX + && !(address >= BPF_VSTART && address < BPF_VEND) #endif + ) return -1; /* 
diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index 6a906ff93006..7160dcaaa58a 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -86,6 +86,22 @@ config BPF_UNPRIV_DEFAULT_OFF If you are unsure how to answer this question, answer Y. +config BPF_HARDENING + bool "Enable BPF interpreter hardening" + select BPF + depends on X86_64 && !RANDOMIZE_MEMORY && !BPF_JIT_ALWAYS_ON + default n + help + Enhance bpf interpreter's security + +config BPF_NX +bool "Enable bpf NX" + depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT + default n + help + Allocate eBPF programs in seperate area and make sure the + interpreted programs are in the region. + source "kernel/bpf/preload/Kconfig" config BPF_LSM diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index fe254ae035fe..56d9e8d4a6de 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c @@ -88,6 +88,34 @@ void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, uns return NULL; } +#ifdef CONFIG_BPF_NX +#define BPF_MEMORY_ALIGN roundup_pow_of_two(sizeof(struct bpf_prog) + \ + BPF_MAXINSNS * sizeof(struct bpf_insn)) +static void *__bpf_vmalloc(unsigned long size, gfp_t gfp_mask) +{ + return __vmalloc_node_range(size, BPF_MEMORY_ALIGN, BPF_VSTART, BPF_VEND, + gfp_mask, PAGE_KERNEL, 0, NUMA_NO_NODE, + __builtin_return_address(0)); +} + +static void bpf_insn_check_range(const struct bpf_insn *insn) +{ + if ((unsigned long)insn < BPF_VSTART + || (unsigned long)insn >= BPF_VEND - sizeof(struct bpf_insn)) + BUG(); +} + +#else +static void *__bpf_vmalloc(unsigned long size, gfp_t gfp_mask) +{ + return __vmalloc(size, gfp_mask); +} + +static void bpf_insn_check_range(const struct bpf_insn *insn) +{ +} +#endif /* CONFIG_BPF_NX */ + struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags) { gfp_t gfp_flags = bpf_memcg_flags(GFP_KERNEL | __GFP_ZERO | gfp_extra_flags); 
@@ -95,7 +123,7 @@ struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flag struct bpf_prog *fp; size = round_up(size, PAGE_SIZE); - fp = __vmalloc(size, gfp_flags); + fp = __bpf_vmalloc(size, gfp_flags); if (fp == NULL) return NULL; @@ -246,7 +274,7 @@ struct bpf_prog *bpf_prog_realloc(struct bpf_prog *fp_old, unsigned int size, if (pages <= fp_old->pages) return fp_old; - fp = __vmalloc(size, gfp_flags); + fp = __bpf_vmalloc(size, gfp_flags); if (fp) { memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE); fp->pages = pages; @@ -1380,7 +1408,7 @@ static struct bpf_prog *bpf_prog_clone_create(struct bpf_prog *fp_other, gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags; struct bpf_prog *fp; - fp = __vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags); + fp = __bpf_vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags); if (fp != NULL) { /* aux->prog still points to the fp_other one, so * when promoting the clone to the real program, @@ -1695,6 +1723,7 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) #define CONT_JMP ({ insn++; goto select_insn; }) select_insn: + bpf_insn_check_range(insn); goto *jumptable[insn->code]; /* Explicitly mask the register-based shift amounts with 63 or 31
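Review bot: In arch/x86/include/asm/pgtable_64_types.h, `#define __BPF_VBASE 0xffffeb0000000000UL` and `#define BPF_SIZE_GB 512UL` carve out a fixed 512 GB window with no comment saying why this range is free of other mappings, and the diffstat touches no memory-map documentation. Please add a comment beside the define stating what the range neighbours, and update the x86_64 memory layout document in the same series. The two `#ifdef CONFIG_BPF_NX` blocks can also be merged so base, size and end sit together, and since `BPF_SIZE_GB` is already `512UL` the `_AC(..., UL)` wrapper in `BPF_VEND` adds nothing.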
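Review bot: In the arch/x86/mm/fault.c hunk for vmalloc_fault(), the guard is `#ifdef BPF_NX`, while every other part of the patch tests `CONFIG_BPF_NX`, so the added `&& !(address >= BPF_VSTART && address < BPF_VEND)` clause is never compiled in and faults inside the BPF region still return -1 here. Use `#ifdef CONFIG_BPF_NX`, or better, move the range test into a small helper that compiles to false when the option is off, which avoids preprocessor lines in the middle of the `if` condition. The `#ifdef` and `#endif` lines also carry no `+` marker, so the hunk does not add up to its `+235,11` header and will not apply as sent.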
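Review bot: In kernel/bpf/Kconfig, `BPF_HARDENING` has `depends on X86_64 && !RANDOMIZE_MEMORY && !BPF_JIT_ALWAYS_ON` and `BPF_NX` adds `!DYNAMIC_MEMORY_LAYOUT`, but neither help text tells the user that the option is only selectable with those features turned off; the help for `BPF_HARDENING` is just `Enhance bpf interpreter's security`. Please state the requirement and the reason for it in the help text so the trade-off is visible when configuring. Style: the `bool "Enable bpf NX"` line under `config BPF_NX` is not indented like the other entries, `seperate` should be `separate`, and `default n` is redundant.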
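Review bot: In the kernel/bpf/core.c hunk that adds bpf_insn_check_range(), the upper bound `(unsigned long)insn >= BPF_VEND - sizeof(struct bpf_insn)` also rejects `insn == BPF_VEND - sizeof(struct bpf_insn)`, an instruction that lies entirely below `BPF_VEND`. If excluding the last slot is intentional, add a comment saying why; otherwise the comparison should be `>`. The check ends in `BUG()` and is called at `select_insn`, so it runs on every interpreter dispatch; please document that a fatal stop is the intended response, or fail the program run instead. `BPF_MEMORY_ALIGN` is passed as the alignment of every allocation in `__bpf_vmalloc()` and needs a comment explaining what the alignment is meant to guarantee.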