From patchwork Wed Jan 3 19:17:24 2024
X-Patchwork-Submitter: Maxwell Bland
X-Patchwork-Id: 13510441
X-Patchwork-Delegate: bpf@iogearbox.net
From: Maxwell Bland
To: Greg KH
CC: "bpf@vger.kernel.org", Andrew Wheeler, Sammy BS2 Que | 阙斌生, "di_jin@brown.edu"
Subject: [PATCH 2/2] Adding BPF CFI
Date: Wed, 3 Jan 2024 19:17:24 +0000
References: <2024010317-undercoat-widow-e087@gregkh>
X-Mailing-List: bpf@vger.kernel.org
From: Tenut
Subject: [PATCH 2/2] Adding BPF CFI

Check offset of BPF instructions in the interpreter to make sure the BPF program is executed from the correct starting point

Signed-off-by: Maxwell Bland
--- kernel/bpf/Kconfig | 10 +++++++ kernel/bpf/core.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) bpf_insn_check_range(insn); + check_bpf_exec_mode(); goto *jumptable[insn->code]; /* Explicitly mask the register-based shift amounts with 63 or 31 @@ -2034,6 +2110,9 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) insn += insn->imm; CONT; JMP_EXIT: +#ifdef CONFIG_BPF_CFI + leave_bpf_exec_mode(&flags); +#endif return BPF_R0; /* JMP */ #define COND_JMP(SIGN, OPCODE, CMP_OP) \ diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index 7160dcaaa58a..9c64db0ddd63 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -94,6 +94,7 @@ config BPF_HARDENING help Enhance bpf interpreter's security +if BPF_HARDENING config BPF_NX bool "Enable bpf NX" depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT 
@@ -102,6 +103,15 @@ bool "Enable bpf NX" Allocate eBPF programs in seperate area and make sure the interpreted programs are in the region. +config BPF_CFI + bool "Enable bpf CFI" + depends on BPF_NX + default n + help + Enable alignment checks for eBPF program starting points + +endif + source "kernel/bpf/preload/Kconfig" config BPF_LSM diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 56d9e8d4a6de..dee0d2713c3b 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -116,6 +116,75 @@ static void bpf_insn_check_range(const struct bpf_insn *insn) } #endif /* CONFIG_BPF_NX */ +#ifdef CONFIG_BPF_CFI +#define BPF_ON 1 +#define BPF_OFF 0 + +struct bpf_mode_flag { + u8 byte_array[PAGE_SIZE]; +}; +DEFINE_PER_CPU_PAGE_ALIGNED(struct bpf_mode_flag, bpf_exec_mode); + +static void __init lock_bpf_exec_mode(void) { + struct bpf_mode_flag *flag_page; + int cpu; + for_each_possible_cpu(cpu) { + flag_page = per_cpu_ptr(&bpf_exec_mode, cpu); + set_memory_ro((unsigned long)flag_page, 1); + }; +} +subsys_initcall(lock_bpf_exec_mode); + +static void write_cr0_nocheck(unsigned long val) { + asm volatile("mov %0,%%cr0": "+r" (val) : : "memory"); } + +/* + * Notice that get_cpu_var also disables preemption so no + * extra care needed for that. + */ +static void enter_bpf_exec_mode(unsigned long *flagsp) { + struct bpf_mode_flag *flag_page; + flag_page = &get_cpu_var(bpf_exec_mode); + local_irq_save(*flagsp); + write_cr0_nocheck(read_cr0() & ~X86_CR0_WP); + flag_page->byte_array[0] = BPF_ON; + write_cr0_nocheck(read_cr0() | X86_CR0_WP); } + +static void leave_bpf_exec_mode(unsigned long *flagsp) { + struct bpf_mode_flag *flag_page; + flag_page = this_cpu_ptr(&bpf_exec_mode); + write_cr0_nocheck(read_cr0() & ~X86_CR0_WP); + flag_page->byte_array[0] = BPF_OFF; + write_cr0_nocheck(read_cr0() | X86_CR0_WP); + local_irq_restore(*flagsp); + put_cpu_var(bpf_exec_mode); +} + +static void check_bpf_exec_mode(void) +{ + struct bpf_mode_flag *flag_page; + flag_page = this_cpu_ptr(&bpf_exec_mode); + BUG_ON(flag_page->byte_array[0] != BPF_ON); } + +static void bpf_check_cfi(const struct bpf_insn *insn) { + const struct bpf_prog *fp; + fp = container_of(insn, struct bpf_prog, insnsi[0]); + if (!IS_ALIGNED((unsigned long)fp, BPF_MEMORY_ALIGN)) + BUG(); +} + +#else /* CONFIG_BPF_CFI */ +static void check_bpf_exec_mode(void) {} #endif /* CONFIG_BPF_CFI */ + struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags) { gfp_t gfp_flags = 
bpf_memcg_flags(GFP_KERNEL | __GFP_ZERO | gfp_extra_flags); @@ -1719,11 +1788,18 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) #undef BPF_INSN_2_LBL u32 tail_call_cnt = 0; +#ifdef CONFIG_BPF_CFI + unsigned long flags; + enter_bpf_exec_mode(&flags); + bpf_check_cfi(insn); +#endif + #define CONT ({ insn++; goto select_insn; }) #define CONT_JMP ({ insn++; goto select_insn; }) select_insn:
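Review bot: in the `@@ -2034,6 +2110,9 @@` hunk, `leave_bpf_exec_mode(&flags)` is placed only on the JMP_EXIT path, yet `enter_bpf_exec_mode` in the prologue has already disabled interrupts with `local_irq_save` and taken the per-CPU reference with `get_cpu_var`. Any other way out of `___bpf_prog_run` (for instance the interpreter's unknown-opcode fallback, if it returns without reaching JMP_EXIT) leaves that CPU with interrupts off, preemption disabled and the flag stuck at BPF_ON, so a later dispatch on that CPU would pass `check_bpf_exec_mode` without having gone through the entry checks. Suggest routing every return through one exit label that calls `leave_bpf_exec_mode`, and stating in the commit message whether the flag is intentionally kept set across tail calls.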
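Review bot: the new BPF_CFI entry in the `@@ -102,6 +103,15 @@` Kconfig hunk depends only on BPF_NX, but the code it enables in core.c is x86-only (`read_cr0`, `X86_CR0_WP` and the `mov %0,%%cr0` inline asm), so the option will fail to build on any other architecture where BPF_NX becomes selectable; add `depends on X86` or move the CR0 handling behind an arch hook. In the `@@ -94,6 +94,7 @@` hunk, wrapping BPF_NX in `if BPF_HARDENING` makes its existing `depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT` partly redundant; keep one of the two. The help text "Enable alignment checks for eBPF program starting points" should also say that the option runs every interpreted program with interrupts and preemption disabled and toggles CR0.WP on entry and exit, since that is the cost a user is opting into.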
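Review bot: `write_cr0_nocheck` in the `@@ -116,6 +116,75 @@` hunk clears CR0.WP with a raw `mov %0,%%cr0` to get around the kernel's CR0 pinning, and that pinning exists precisely so that no routine kernel path disables write protection; marking the per-CPU flag page read-only with `set_memory_ro` and then lifting WP for the whole CPU on every program entry and exit undoes that hardening far more broadly than the one byte it protects. Please reconsider the mechanism (a normal per-CPU variable, or a mapping writable only through a dedicated alias) before adding a WP-disable helper to core.c. Smaller points in the same hunk: the asm constraint `"+r" (val)` should be `"r"` since `val` is only read; `lock_bpf_exec_mode` has a stray `;` after the `for_each_possible_cpu` body; and `bpf_check_cfi` only verifies that `insn` sits at `offsetof(struct bpf_prog, insnsi)` modulo BPF_MEMORY_ALIGN, so any instruction at that residue inside a program larger than BPF_MEMORY_ALIGN also passes. BPF_MEMORY_ALIGN is not defined in this patch, so the commit message should name the alignment it relies on and the entry-point granularity that results.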
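Review bot: the `@@ -1719,11 +1788,18 @@` hunk calls `enter_bpf_exec_mode(&flags)` before `bpf_check_cfi(insn)`, so a program that fails the alignment check reaches BUG() with interrupts already disabled and the per-CPU reference held; run the alignment check first. The `+ check_bpf_exec_mode();` added at `select_insn` (visible near the top of the patch text) executes a per-CPU load, compare and BUG_ON for every interpreted instruction, and `local_irq_save` in the prologue keeps interrupts off for the program's entire run including helper calls, so the commit message needs interpreter benchmark numbers and a statement of how sleepable or long-running program types behave under these constraints. Style: `enter_bpf_exec_mode` and `leave_bpf_exec_mode` are wrapped in `#ifdef CONFIG_BPF_CFI` at each call site while `check_bpf_exec_mode` gets an empty stub in the `#else` branch; pick one convention and use it for all three.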