Commit 30ec0ec0 authored by Anton Protopopov's avatar Anton Protopopov Committed by Alexei Starovoitov
Browse files

bpf: support instructions arrays with constants blinding 



When bpf_jit_harden is enabled, all constants in the BPF code are
blinded to prevent JIT spraying attacks. This happens during JIT
phase. Adjust all the related instruction arrays accordingly.

Signed-off-by: default avatarAnton Protopopov <a.s.protopopov@gmail.com>
Reviewed-by: default avatarEduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20251105090410.1250500-6-a.s.protopopov@gmail.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 218edd6d

kernel/bpf/core.c

+20 −0
Original line number Diff line number Diff line
@@ -1450,6 +1450,23 @@ void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other) 
	bpf_prog_clone_free(fp_other);

}



static void adjust_insn_arrays(struct bpf_prog *prog, u32 off, u32 len)

{

#ifdef CONFIG_BPF_SYSCALL

	struct bpf_map *map;

	int i;



	if (len <= 1)

		return;



	for (i = 0; i < prog->aux->used_map_cnt; i++) {

		map = prog->aux->used_maps[i];

		if (map->map_type == BPF_MAP_TYPE_INSN_ARRAY)

			bpf_insn_array_adjust(map, off, len);

	}

#endif

}



struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)

{

	struct bpf_insn insn_buff[16], aux[2];
@@ -1505,6 +1522,9 @@ struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog) 
		clone = tmp;

		insn_delta = rewritten - 1;



		/* Instructions arrays must be updated using absolute xlated offsets */

		adjust_insn_arrays(clone, prog->aux->subprog_start + i, rewritten);



		/* Walk new program and skip insns we just inserted. */

		insn = clone->insnsi + i + insn_delta;

		insn_cnt += insn_delta;

kernel/bpf/verifier.c

+10 −1
Original line number Diff line number Diff line
@@ -21632,6 +21632,7 @@ static int jit_subprogs(struct bpf_verifier_env *env) 
	struct bpf_insn *insn;

	void *old_bpf_func;

	int err, num_exentries;

	int old_len, subprog_start_adjustment = 0;









	if (env->subprog_cnt <= 1)









		return 0;








@@ -21706,7 +21707,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)







		func[i]->aux->func_idx = i;









		/* Below members will be freed only at prog->aux */









		func[i]->aux->btf = prog->aux->btf;









		func[i]->aux->subprog_start = subprog_start;









		func[i]->aux->subprog_start = subprog_start + subprog_start_adjustment;









		func[i]->aux->func_info = prog->aux->func_info;









		func[i]->aux->func_info_cnt = prog->aux->func_info_cnt;









		func[i]->aux->poke_tab = prog->aux->poke_tab;








@@ -21762,7 +21763,15 @@ static int jit_subprogs(struct bpf_verifier_env *env)







		func[i]->aux->might_sleep = env->subprog_info[i].might_sleep;









		if (!i)









			func[i]->aux->exception_boundary = env->seen_exception;

















		/*









		 * To properly pass the absolute subprog start to jit









		 * all instruction adjustments should be accumulated









		 */









		old_len = func[i]->len;









		func[i] = bpf_int_jit_compile(func[i]);









		subprog_start_adjustment += func[i]->len - old_len;

















		if (!func[i]->jited) {









			err = -ENOTSUPP;









			goto out_free;