From patchwork Wed Jan 3 19:16:32 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Maxwell Bland
X-Patchwork-Id: 13510440
X-Patchwork-Delegate: bpf@iogearbox.net
From: Maxwell Bland
To: Greg KH
CC: "bpf@vger.kernel.org", Andrew Wheeler, Sammy BS2 Que | 阙斌生, "di_jin@brown.edu"
Subject: [PATCH 1/2] Adding BPF NX
Date: Wed, 3 Jan 2024 19:16:32 +0000
References: <2024010317-undercoat-widow-e087@gregkh>
X-Mailing-List: bpf@vger.kernel.org
From: Tenut
Subject: [PATCH 1/2] Adding BPF NX

Reserve a memory region for BPF program, and check for it in the interpreter. This simulates the effect of non-executable memory for BPF execution.

Signed-off-by: Maxwell Bland
---
 arch/x86/include/asm/pgtable_64_types.h | 9 +++++++++
 arch/x86/mm/fault.c | 6 +++++-
 kernel/bpf/Kconfig | 16 +++++++++++++++
 kernel/bpf/core.c | 35 ++++++++++++++++++++++++++++++---
 4 files changed, 62 insertions(+), 4 deletions(-)

diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 38b54b992f32..ad11651eb073 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h @@ -123,6 +123,9 @@ extern unsigned int ptrs_per_p4d; #define __VMALLOC_BASE_L4 0xffffc90000000000UL #define __VMALLOC_BASE_L5 0xffa0000000000000UL +#ifdef CONFIG_BPF_NX +#define __BPF_VBASE 0xffffeb0000000000UL +#endif #define VMALLOC_SIZE_TB_L4 32UL #define VMALLOC_SIZE_TB_L5 12800UL 
@@ -169,6 +172,12 @@ extern unsigned int ptrs_per_p4d; #define VMALLOC_QUARTER_SIZE ((VMALLOC_SIZE_TB << 40) >> 2) #define VMALLOC_END (VMALLOC_START + VMALLOC_QUARTER_SIZE - 1) +#ifdef CONFIG_BPF_NX +#define BPF_SIZE_GB 512UL +#define BPF_VSTART __BPF_VBASE +#define BPF_VEND (BPF_VSTART + _AC(BPF_SIZE_GB << 30, UL)) +#endif /* CONFIG_BPF_NX */ + /* * vmalloc metadata addresses are calculated by adding shadow/origin offsets * to vmalloc address. diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index ab778eac1952..cfb63ef72168 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -235,7 +235,11 @@ static noinline int vmalloc_fault(unsigned long address) pte_t *pte_k; /* Make sure we are in vmalloc area: */ - if (!(address >= VMALLOC_START && address < VMALLOC_END)) + if (!(address >= VMALLOC_START && address < VMALLOC_END) #ifdef BPF_NX + && !(address >= BPF_VSTART && address < BPF_VEND) #endif + ) return -1; /* diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index 6a906ff93006..7160dcaaa58a 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -86,6 +86,22 @@ config BPF_UNPRIV_DEFAULT_OFF If you are unsure how to answer this question, answer Y. +config BPF_HARDENING + bool "Enable BPF interpreter hardening" + select BPF + depends on X86_64 && !RANDOMIZE_MEMORY && !BPF_JIT_ALWAYS_ON + default n + help + Enhance bpf interpreter's security + +config BPF_NX +bool "Enable bpf NX" + depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT + default n + help + Allocate eBPF programs in seperate area and make sure the + interpreted programs are in the region. + source "kernel/bpf/preload/Kconfig" config BPF_LSM diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index fe254ae035fe..56d9e8d4a6de 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -88,6 +88,34 @@ void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, uns return NULL; } +#ifdef CONFIG_BPF_NX +#define BPF_MEMORY_ALIGN roundup_pow_of_two(sizeof(struct bpf_prog) + \ + BPF_MAXINSNS * sizeof(struct bpf_insn)) +static void *__bpf_vmalloc(unsigned long size, gfp_t gfp_mask) +{ + return __vmalloc_node_range(size, BPF_MEMORY_ALIGN, BPF_VSTART, BPF_VEND, + gfp_mask, PAGE_KERNEL, 0, NUMA_NO_NODE, + __builtin_return_address(0)); +} + +static void bpf_insn_check_range(const struct bpf_insn *insn) +{ + if ((unsigned long)insn < BPF_VSTART + || (unsigned long)insn >= BPF_VEND - sizeof(struct bpf_insn)) + BUG(); +} + +#else +static void *__bpf_vmalloc(unsigned long size, gfp_t gfp_mask) +{ + return __vmalloc(size, gfp_mask); +} + +static void bpf_insn_check_range(const struct bpf_insn *insn) +{ +} +#endif /* CONFIG_BPF_NX */ + struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags) { gfp_t gfp_flags = bpf_memcg_flags(GFP_KERNEL | __GFP_ZERO | gfp_extra_flags); @@ -95,7 +123,7 @@ struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flag struct bpf_prog *fp; size = round_up(size, PAGE_SIZE); - fp = __vmalloc(size, gfp_flags); + fp = __bpf_vmalloc(size, gfp_flags); if (fp == NULL) return NULL; @@ -246,7 +274,7 @@ struct bpf_prog *bpf_prog_realloc(struct bpf_prog *fp_old, unsigned int size, if (pages <= fp_old->pages) return fp_old; - fp = __vmalloc(size, gfp_flags); + fp = __bpf_vmalloc(size, gfp_flags); if (fp) { memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE); fp->pages = pages; @@ -1380,7 +1408,7 @@ static struct bpf_prog *bpf_prog_clone_create(struct bpf_prog *fp_other, gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags; struct bpf_prog *fp; - fp = __vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags); + fp = __bpf_vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags); if (fp != NULL) { /* aux->prog still points to the fp_other one, so * when promoting the clone to the real program, 
@@ -1695,6 +1723,7 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) #define CONT_JMP ({ insn++; goto select_insn; }) select_insn: + bpf_insn_check_range(insn); goto *jumptable[insn->code]; /* Explicitly mask the register-based shift amounts with 63 or 31

From patchwork Wed Jan 3 19:17:24 2024
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Maxwell Bland
X-Patchwork-Id: 13510441
X-Patchwork-Delegate: bpf@iogearbox.net
From: Maxwell Bland
To: Greg KH
CC: "bpf@vger.kernel.org", Andrew Wheeler, Sammy BS2 Que | 阙斌生, "di_jin@brown.edu"
Subject: [PATCH 2/2] Adding BPF CFI
Date: Wed, 3 Jan 2024 19:17:24 +0000
References: <2024010317-undercoat-widow-e087@gregkh>
X-Mailing-List: bpf@vger.kernel.org
From: Tenut
Subject: [PATCH 2/2] Adding BPF CFI

Check offset of BPF instructions in the interpreter to make sure the BPF program is executed from the correct starting point

Signed-off-by: Maxwell Bland
---
 kernel/bpf/Kconfig | 10 +++++++
 kernel/bpf/core.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+)

bpf_insn_check_range(insn); + check_bpf_exec_mode(); goto *jumptable[insn->code]; /* Explicitly mask the register-based shift amounts with 63 or 31 @@ -2034,6 +2110,9 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) insn += insn->imm; CONT; JMP_EXIT: +#ifdef CONFIG_BPF_CFI + leave_bpf_exec_mode(&flags); +#endif return BPF_R0; /* JMP */ #define COND_JMP(SIGN, OPCODE, CMP_OP) \ diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index 7160dcaaa58a..9c64db0ddd63 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -94,6 +94,7 @@ config BPF_HARDENING help Enhance bpf interpreter's security +if BPF_HARDENING config BPF_NX bool "Enable bpf NX" depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT 
@@ -102,6 +103,15 @@ bool "Enable bpf NX" Allocate eBPF programs in seperate area and make sure the interpreted programs are in the region. +config BPF_CFI + bool "Enable bpf CFI" + depends on BPF_NX + default n + help + Enable alignment checks for eBPF program starting points + +endif + source "kernel/bpf/preload/Kconfig" config BPF_LSM diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 56d9e8d4a6de..dee0d2713c3b 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -116,6 +116,75 @@ static void bpf_insn_check_range(const struct bpf_insn *insn) } #endif /* CONFIG_BPF_NX */ +#ifdef CONFIG_BPF_CFI +#define BPF_ON 1 +#define BPF_OFF 0 + +struct bpf_mode_flag { + u8 byte_array[PAGE_SIZE]; +}; +DEFINE_PER_CPU_PAGE_ALIGNED(struct bpf_mode_flag, bpf_exec_mode); + +static void __init lock_bpf_exec_mode(void) { + struct bpf_mode_flag *flag_page; + int cpu; + for_each_possible_cpu(cpu) { + flag_page = per_cpu_ptr(&bpf_exec_mode, cpu); + set_memory_ro((unsigned long)flag_page, 1); + }; +} +subsys_initcall(lock_bpf_exec_mode); + +static void write_cr0_nocheck(unsigned long val) { + asm volatile("mov %0,%%cr0": "+r" (val) : : "memory"); } + +/* + * Notice that get_cpu_var also disables preemption so no + * extra care needed for that. + */ +static void enter_bpf_exec_mode(unsigned long *flagsp) { + struct bpf_mode_flag *flag_page; + flag_page = &get_cpu_var(bpf_exec_mode); + local_irq_save(*flagsp); + write_cr0_nocheck(read_cr0() & ~X86_CR0_WP); + flag_page->byte_array[0] = BPF_ON; + write_cr0_nocheck(read_cr0() | X86_CR0_WP); } + +static void leave_bpf_exec_mode(unsigned long *flagsp) { + struct bpf_mode_flag *flag_page; + flag_page = this_cpu_ptr(&bpf_exec_mode); + write_cr0_nocheck(read_cr0() & ~X86_CR0_WP); + flag_page->byte_array[0] = BPF_OFF; + write_cr0_nocheck(read_cr0() | X86_CR0_WP); + local_irq_restore(*flagsp); + put_cpu_var(bpf_exec_mode); +} + +static void check_bpf_exec_mode(void) +{ + struct bpf_mode_flag *flag_page; + flag_page = this_cpu_ptr(&bpf_exec_mode); + BUG_ON(flag_page->byte_array[0] != BPF_ON); } + +static void bpf_check_cfi(const struct bpf_insn *insn) { + const struct bpf_prog *fp; + fp = container_of(insn, struct bpf_prog, insnsi[0]); + if (!IS_ALIGNED((unsigned long)fp, BPF_MEMORY_ALIGN)) + BUG(); +} + +#else /* CONFIG_BPF_CFI */ +static void check_bpf_exec_mode(void) {} #endif /* CONFIG_BPF_CFI */ + struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags) { gfp_t gfp_flags = 
bpf_memcg_flags(GFP_KERNEL | __GFP_ZERO | gfp_extra_flags); @@ -1719,11 +1788,18 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) #undef BPF_INSN_2_LBL u32 tail_call_cnt = 0; +#ifdef CONFIG_BPF_CFI + unsigned long flags; + enter_bpf_exec_mode(&flags); + bpf_check_cfi(insn); +#endif + #define CONT ({ insn++; goto select_insn; }) #define CONT_JMP ({ insn++; goto select_insn; }) select_insn:
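
Review bot: In the arch/x86/mm/fault.c hunk of patch 1/2 the added guard is spelled `#ifdef BPF_NX`, while every other guard in the series tests `CONFIG_BPF_NX` and nothing in the patch defines `BPF_NX`, so the `BPF_VSTART`/`BPF_VEND` clause is never compiled in and `vmalloc_fault()` still returns -1 for addresses in the new region. Use `#ifdef CONFIG_BPF_NX`, or move the range test into a small helper with an empty stub so the `if` condition is not split by preprocessor lines.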
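
Review bot: `__BPF_VBASE` in the arch/x86/include/asm/pgtable_64_types.h hunks of patch 1/2 is a single hard-coded address with no comment, while the neighbouring `__VMALLOC_BASE_L4`/`__VMALLOC_BASE_L5` and `VMALLOC_SIZE_TB_L4`/`VMALLOC_SIZE_TB_L5` come in per-paging-level pairs. Please add a comment stating why 0xffffeb0000000000 plus `BPF_SIZE_GB` (512) is unused in the layout this option supports, and update the memory-map documentation. Note also that `BPF_VEND` is an exclusive bound, whereas `VMALLOC_END` directly above it is `VMALLOC_START + VMALLOC_QUARTER_SIZE - 1`; a comment would keep later range checks from mixing the two conventions.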
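
Review bot: In the kernel/bpf/Kconfig hunk of patch 1/2 the `bool "Enable bpf NX"` line under `config BPF_NX` starts at column 0 (the hunk header `@@ -102,6 +103,15 @@ bool "Enable bpf NX"` in patch 2/2 confirms it), and the help text misspells "separate". Indent the line with a tab like the other entries. Both help texts are also too thin for a hardening option: say that a failed check ends in `BUG()`, and why the options exclude `RANDOMIZE_MEMORY`, `DYNAMIC_MEMORY_LAYOUT` and `BPF_JIT_ALWAYS_ON`. `default n` is already the default and can be dropped.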
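
Review bot: `bpf_insn_check_range()` in the kernel/bpf/core.c hunk at `@@ -88,6 +88,34 @@` (patch 1/2) calls `BUG()` when the range test fails, which takes the machine down from inside the interpreter; consider `WARN_ON_ONCE()` and ending the program run so the failure is reported but survivable. The upper bound `>= BPF_VEND - sizeof(struct bpf_insn)` also rejects an instruction that occupies the last slot of the region, so it should be `>`. Finally, the test only shows that the pointer lies somewhere inside the reserved window, not that it points into the instruction array of a loaded program; please state that limit in a comment above the function.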
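
Review bot: The call added under `select_insn:` in patch 1/2 (`@@ -1695,6 +1723,7 @@`) runs on every dispatched instruction, because `CONT` and `CONT_JMP` both `goto select_insn`. The commit message gives no measurement of the interpreter slowdown with `CONFIG_BPF_NX` enabled; please add numbers and say whether checking only at entry and after jumps was considered.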
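
Review bot: The help text for `BPF_CFI` in the kernel/bpf/Kconfig hunk of patch 2/2 mentions only alignment checks for program starting points, but the same option also enables the per-CPU execution-mode flag and the `CR0.WP` toggling added in core.c. Describe both in the help text so the cost of enabling it is clear. With the new `if BPF_HARDENING` / `endif` block, the `depends on BPF_HARDENING` left on `BPF_NX` is redundant.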
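
Review bot: `enter_bpf_exec_mode()` and `leave_bpf_exec_mode()` in the kernel/bpf/core.c hunk at `@@ -116,6 +116,75 @@` (patch 2/2) keep a single ON/OFF byte per CPU, so the scheme is not re-entrant: if a second `___bpf_prog_run()` starts on the same CPU before the first returns, its `leave_bpf_exec_mode()` writes `BPF_OFF` and the outer run hits the `BUG_ON()` in `check_bpf_exec_mode()` on its next instruction. A depth counter instead of a flag would avoid that. Further points in the same hunk: `write_cr0_nocheck()` is raw x86 `mov %cr0` code in the architecture-independent kernel/bpf/core.c and lifts write protection for the whole CPU rather than for the flag page alone; `lock_bpf_exec_mode()` returns void but is registered with `subsys_initcall()`, which takes an int-returning function; there is a stray `;` after the `for_each_possible_cpu` block; and `struct bpf_mode_flag` spends a full page per CPU on one byte, which deserves a comment explaining that it is done for `set_memory_ro()`.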
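
Review bot: In `___bpf_prog_run()` (patch 2/2, `@@ -1719,11 +1788,18 @@` together with the `JMP_EXIT` hunk), `enter_bpf_exec_mode()` does `local_irq_save()` and the matching `local_irq_restore()` only happens in `leave_bpf_exec_mode()` at `JMP_EXIT`, so the whole interpreted program runs with interrupts disabled and preemption off. State that in the commit message and justify it, or restrict the critical section to the flag write itself. `bpf_check_cfi()` assumes `insn` is `insnsi[0]` of a `struct bpf_prog`; please confirm that holds for every caller of `___bpf_prog_run()`. The call sites are wrapped in `#ifdef CONFIG_BPF_CFI` while `check_bpf_exec_mode()` gets an empty stub; providing stubs for all four helpers would keep the function body free of `#ifdef`.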