From patchwork Wed Jan 3 18:56:00 2024
X-Patchwork-Submitter: Maxwell Bland
X-Patchwork-Id: 13510520
From: Maxwell Bland
To: "bpf@vger.kernel.org"
CC: Andrew Wheeler, Sammy BS2 Que | 阙斌生, "di_jin@brown.edu", Greg KH, "vpk@cs.brown.edu", "v.atlidakis@gmail.com"
Subject: [PATCH 1/2] Adding BPF NX
Date: Wed, 3 Jan 2024 18:56:00 +0000

From: Tenut
Subject: [PATCH 1/2] Adding BPF NX

Reserve a memory region for BPF program, and check for it in the interpreter. This simulates the effect of non-executable memory for BPF execution.

Signed-off-by: Maxwell Bland
--- arch/x86/include/asm/pgtable_64_types.h | 9 +++++++++ arch/x86/mm/fault.c | 6 +++++- kernel/bpf/Kconfig | 16 +++++++++++++++ kernel/bpf/core.c | 35 ++++++++++++++++++++++++++++++--- 4 files changed, 62 insertions(+), 4 deletions(-) diff --git a/arch/x86/include/asm/pgtable_64_types.h b/arch/x86/include/asm/pgtable_64_types.h index 38b54b992f32..ad11651eb073 100644 --- a/arch/x86/include/asm/pgtable_64_types.h +++ b/arch/x86/include/asm/pgtable_64_types.h @@ -123,6 +123,9 @@ extern unsigned int ptrs_per_p4d; #define __VMALLOC_BASE_L4 0xffffc90000000000UL #define __VMALLOC_BASE_L5 0xffa0000000000000UL +#ifdef CONFIG_BPF_NX +#define __BPF_VBASE 0xffffeb0000000000UL +#endif #define VMALLOC_SIZE_TB_L4 32UL #define VMALLOC_SIZE_TB_L5 12800UL 
@@ -169,6 +172,12 @@ extern unsigned int ptrs_per_p4d; #define VMALLOC_QUARTER_SIZE ((VMALLOC_SIZE_TB << 40) >> 2) #define VMALLOC_END (VMALLOC_START + VMALLOC_QUARTER_SIZE - 1) +#ifdef CONFIG_BPF_NX +#define BPF_SIZE_GB 512UL +#define BPF_VSTART __BPF_VBASE +#define BPF_VEND (BPF_VSTART + _AC(BPF_SIZE_GB << 30, UL)) +#endif /* CONFIG_BPF_NX */ + /* * vmalloc metadata addresses are calculated by adding shadow/origin offsets * to vmalloc address. diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c index ab778eac1952..cfb63ef72168 100644 --- a/arch/x86/mm/fault.c +++ b/arch/x86/mm/fault.c @@ -235,7 +235,11 @@ static noinline int vmalloc_fault(unsigned long address) pte_t *pte_k; /* Make sure we are in vmalloc area: */ - if (!(address >= VMALLOC_START && address < VMALLOC_END)) + if (!(address >= VMALLOC_START && address < VMALLOC_END) +#ifdef BPF_NX + && !(address >= BPF_VSTART && address < BPF_VEND) +#endif + ) return -1; /* diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index 6a906ff93006..7160dcaaa58a 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -86,6 +86,22 @@ config BPF_UNPRIV_DEFAULT_OFF If you are unsure how to answer this question, answer Y. +config BPF_HARDENING + bool "Enable BPF interpreter hardening" + select BPF + depends on X86_64 && !RANDOMIZE_MEMORY && !BPF_JIT_ALWAYS_ON + default n + help + Enhance bpf interpreter's security + +config BPF_NX +bool "Enable bpf NX" + depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT + default n + help + Allocate eBPF programs in seperate area and make sure the + interpreted programs are in the region. + source "kernel/bpf/preload/Kconfig" config BPF_LSM diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index fe254ae035fe..56d9e8d4a6de 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -88,6 +88,34 @@ void *bpf_internal_load_pointer_neg_helper(const struct sk_buff *skb, int k, uns return NULL; } +#ifdef CONFIG_BPF_NX +#define BPF_MEMORY_ALIGN roundup_pow_of_two(sizeof(struct bpf_prog) + \ + BPF_MAXINSNS * sizeof(struct bpf_insn)) +static void *__bpf_vmalloc(unsigned long size, gfp_t gfp_mask) +{ + return __vmalloc_node_range(size, BPF_MEMORY_ALIGN, BPF_VSTART, BPF_VEND, + gfp_mask, PAGE_KERNEL, 0, NUMA_NO_NODE, + __builtin_return_address(0)); +} + +static void bpf_insn_check_range(const struct bpf_insn *insn) +{ + if ((unsigned long)insn < BPF_VSTART + || (unsigned long)insn >= BPF_VEND - sizeof(struct bpf_insn)) + BUG(); +} + +#else +static void *__bpf_vmalloc(unsigned long size, gfp_t gfp_mask) +{ + return __vmalloc(size, gfp_mask); +} + +static void bpf_insn_check_range(const struct bpf_insn *insn) +{ +} +#endif /* CONFIG_BPF_NX */ + struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags) { gfp_t gfp_flags = bpf_memcg_flags(GFP_KERNEL | __GFP_ZERO | gfp_extra_flags); @@ -95,7 +123,7 @@ struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flag struct bpf_prog *fp; size = round_up(size, PAGE_SIZE); - fp = __vmalloc(size, gfp_flags); + fp = __bpf_vmalloc(size, gfp_flags); if (fp == NULL) return NULL; @@ -246,7 +274,7 @@ struct bpf_prog *bpf_prog_realloc(struct bpf_prog *fp_old, unsigned int size, if (pages <= fp_old->pages) return fp_old; - fp = __vmalloc(size, gfp_flags); + fp = __bpf_vmalloc(size, gfp_flags); if (fp) { memcpy(fp, fp_old, fp_old->pages * PAGE_SIZE); fp->pages = pages; @@ -1380,7 +1408,7 @@ static struct bpf_prog *bpf_prog_clone_create(struct bpf_prog *fp_other, gfp_t gfp_flags = GFP_KERNEL | __GFP_ZERO | gfp_extra_flags; struct bpf_prog *fp; - fp = __vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags); + fp = __bpf_vmalloc(fp_other->pages * PAGE_SIZE, gfp_flags); if (fp != NULL) { /* aux->prog still points to the fp_other one, so * when promoting the clone to the real program, 
@@ -1695,6 +1723,7 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) #define CONT_JMP ({ insn++; goto select_insn; }) select_insn: + bpf_insn_check_range(insn); goto *jumptable[insn->code]; /* Explicitly mask the register-based shift amounts with 63 or 31

From patchwork Wed Jan 3 18:56:03 2024
X-Patchwork-Submitter: Maxwell Bland
X-Patchwork-Id: 13510504
From: Maxwell Bland
To: "bpf@vger.kernel.org"
CC: Andrew Wheeler, Sammy BS2 Que | 阙斌生, "di_jin@brown.edu", Greg KH, "vpk@cs.brown.edu", "v.atlidakis@gmail.com"
Subject: [PATCH 2/2] Adding BPF CFI
Date: Wed, 3 Jan 2024 18:56:03 +0000

From: Tenut
Subject: [PATCH 2/2] Adding BPF CFI

Check offset of BPF instructions in the interpreter to make sure the BPF program is executed from the correct starting point

Signed-off-by: Maxwell Bland
--- kernel/bpf/Kconfig | 10 +++++++ kernel/bpf/core.c | 79 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 89 insertions(+) diff --git a/kernel/bpf/Kconfig b/kernel/bpf/Kconfig index 7160dcaaa58a..9c64db0ddd63 100644 --- a/kernel/bpf/Kconfig +++ b/kernel/bpf/Kconfig @@ -94,6 +94,7 @@ config BPF_HARDENING help Enhance bpf interpreter's security +if BPF_HARDENING config BPF_NX bool "Enable bpf NX" depends on BPF_HARDENING && !DYNAMIC_MEMORY_LAYOUT @@ -102,6 +103,15 @@ bool "Enable bpf NX" Allocate eBPF programs in seperate area and make sure the interpreted programs are in the region. +config BPF_CFI + bool "Enable bpf CFI" + depends on BPF_NX + default n + help + Enable alignment checks for eBPF program starting points + +endif + source "kernel/bpf/preload/Kconfig" config BPF_LSM 
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c index 56d9e8d4a6de..dee0d2713c3b 100644 --- a/kernel/bpf/core.c +++ b/kernel/bpf/core.c 
@@ -116,6 +116,75 @@ static void bpf_insn_check_range(const struct bpf_insn *insn) } #endif /* CONFIG_BPF_NX */ +#ifdef CONFIG_BPF_CFI +#define BPF_ON 1 +#define BPF_OFF 0 + +struct bpf_mode_flag { + u8 byte_array[PAGE_SIZE]; +}; +DEFINE_PER_CPU_PAGE_ALIGNED(struct bpf_mode_flag, bpf_exec_mode); + +static void __init lock_bpf_exec_mode(void) +{ + struct bpf_mode_flag *flag_page; + int cpu; + for_each_possible_cpu(cpu) { + flag_page = per_cpu_ptr(&bpf_exec_mode, cpu); + set_memory_ro((unsigned long)flag_page, 1); + }; +} +subsys_initcall(lock_bpf_exec_mode); + +static void write_cr0_nocheck(unsigned long val) +{ + asm volatile("mov %0,%%cr0": "+r" (val) : : "memory"); +} + +/* + * Notice that get_cpu_var also disables preemption so no + * extra care needed for that. + */ +static void enter_bpf_exec_mode(unsigned long *flagsp) +{ + struct bpf_mode_flag *flag_page; + flag_page = &get_cpu_var(bpf_exec_mode); + local_irq_save(*flagsp); + write_cr0_nocheck(read_cr0() & ~X86_CR0_WP); + flag_page->byte_array[0] = BPF_ON; + write_cr0_nocheck(read_cr0() | X86_CR0_WP); +} + +static void leave_bpf_exec_mode(unsigned long *flagsp) +{ + struct bpf_mode_flag *flag_page; + flag_page = this_cpu_ptr(&bpf_exec_mode); + write_cr0_nocheck(read_cr0() & ~X86_CR0_WP); + flag_page->byte_array[0] = BPF_OFF; + write_cr0_nocheck(read_cr0() | X86_CR0_WP); + local_irq_restore(*flagsp); + put_cpu_var(bpf_exec_mode); +} + +static void check_bpf_exec_mode(void) +{ + struct bpf_mode_flag *flag_page; + flag_page = this_cpu_ptr(&bpf_exec_mode); + BUG_ON(flag_page->byte_array[0] != BPF_ON); +} + +static void bpf_check_cfi(const struct bpf_insn *insn) +{ + const struct bpf_prog *fp; + fp = container_of(insn, struct bpf_prog, insnsi[0]); + if (!IS_ALIGNED((unsigned long)fp, BPF_MEMORY_ALIGN)) + BUG(); +} + +#else /* CONFIG_BPF_CFI */ +static void check_bpf_exec_mode(void) {} +#endif /* CONFIG_BPF_CFI */ + struct bpf_prog *bpf_prog_alloc_no_stats(unsigned int size, gfp_t gfp_extra_flags) { gfp_t 
gfp_flags = bpf_memcg_flags(GFP_KERNEL | __GFP_ZERO | gfp_extra_flags); @@ -1719,11 +1788,18 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) #undef BPF_INSN_2_LBL u32 tail_call_cnt = 0; +#ifdef CONFIG_BPF_CFI + unsigned long flags; + enter_bpf_exec_mode(&flags); + bpf_check_cfi(insn); +#endif + #define CONT ({ insn++; goto select_insn; }) #define CONT_JMP ({ insn++; goto select_insn; }) select_insn: bpf_insn_check_range(insn); + check_bpf_exec_mode(); goto *jumptable[insn->code]; /* Explicitly mask the register-based shift amounts with 63 or 31 @@ -2034,6 +2110,9 @@ static u64 ___bpf_prog_run(u64 *regs, const struct bpf_insn *insn) insn += insn->imm; CONT; JMP_EXIT: +#ifdef CONFIG_BPF_CFI + leave_bpf_exec_mode(&flags); +#endif return BPF_R0; /* JMP */ #define COND_JMP(SIGN, OPCODE, CMP_OP) \
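Review bot: In [PATCH 1/2], arch/x86/mm/fault.c, the guard added inside vmalloc_fault() tests "#ifdef BPF_NX" rather than "#ifdef CONFIG_BPF_NX", so the BPF_VSTART/BPF_VEND clause is never compiled in and faults in the new region still return -1. Every other hunk in the series uses the CONFIG_ prefixed symbol; use it here as well, and consider moving the range test into a small helper so the if condition is not split by preprocessor lines.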
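Review bot: In [PATCH 1/2], arch/x86/include/asm/pgtable_64_types.h (hunk at -123), __BPF_VBASE is a single hard-coded address, while the vmalloc constants right next to it come in _L4 and _L5 variants and nothing in the new Kconfig entries limits the option to one paging mode. Either add a value for the 5-level layout or make the option depend on the paging mode, and add a comment or memory-map documentation entry for the new region; the diffstat shows no documentation file touched.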
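Review bot: In [PATCH 1/2], arch/x86/include/asm/pgtable_64_types.h (hunk at -169), BPF_VEND wraps "BPF_SIZE_GB << 30" in _AC(..., UL) although BPF_SIZE_GB is already defined as 512UL; the VMALLOC_QUARTER_SIZE definition just above uses a plain shift. Drop the _AC() wrapper, and note in a comment that BPF_VEND is an exclusive end, unlike VMALLOC_END above it, which subtracts 1.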
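Review bot: In [PATCH 1/2], kernel/bpf/Kconfig, the help text for BPF_HARDENING ("Enhance bpf interpreter's security") does not tell the user that the option is only available with RANDOMIZE_MEMORY and BPF_JIT_ALWAYS_ON turned off, which is a trade-off worth spelling out. Also, "default n" is the default and can be dropped, the bool line of config BPF_NX is missing its indentation, and "seperate" in the BPF_NX help should read "separate".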
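Review bot: In [PATCH 1/2], kernel/bpf/core.c (hunk at -88), the upper bound in bpf_insn_check_range() uses ">= BPF_VEND - sizeof(struct bpf_insn)", which rejects an instruction that starts exactly sizeof(struct bpf_insn) below BPF_VEND even though it still lies inside the region; ">" would match the stated intent. The empty !CONFIG_BPF_NX stub should be static inline, and a comment should say why BUG() is wanted here instead of a failure the caller can handle.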
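Review bot: In [PATCH 2/2], kernel/bpf/Kconfig, the new "if BPF_HARDENING" block makes the "depends on BPF_HARDENING" term in config BPF_NX redundant, so one of the two should go. The BPF_CFI help mentions only alignment checks, while the code it enables also keeps a per-CPU read-only mode flag and toggles CR0.WP on every interpreter run; the help text should describe that.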
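Review bot: In [PATCH 2/2], kernel/bpf/core.c (hunk at -116), enter_bpf_exec_mode() calls local_irq_save() and the matching local_irq_restore() happens only in leave_bpf_exec_mode(), so the whole interpreted program runs with interrupts and preemption disabled rather than just the two CR0.WP windows; restore interrupts right after the flag write, or justify the long section in a comment. The mode flag is a single byte set to BPF_ON or BPF_OFF, so if ___bpf_prog_run() is ever entered again on the same CPU before the outer run exits, the inner exit clears it and the next check_bpf_exec_mode() hits BUG_ON. lock_bpf_exec_mode() is declared void but registered with subsys_initcall(), which expects a function returning int; it also ignores the set_memory_ro() result and has a stray ";" after the loop's closing brace.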
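Review bot: In [PATCH 2/2], kernel/bpf/core.c (hunks at -1719 and -2034), enter_bpf_exec_mode(), bpf_check_cfi() and leave_bpf_exec_mode() are wrapped in "#ifdef CONFIG_BPF_CFI" inside ___bpf_prog_run(), while check_bpf_exec_mode() gets an empty stub. Give all four an empty !CONFIG_BPF_CFI variant so the interpreter body carries no preprocessor blocks. bpf_check_cfi() is also called after enter_bpf_exec_mode(), so a failed alignment check hits BUG() with the mode flag already set to BPF_ON; do the alignment check first.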