filter: do not output bpf image address for security reason
author Eric Dumazet <edumazet@google.com>
Fri, 17 May 2013 16:57:37 +0000 (16:57 +0000)
committer David S. Miller <davem@davemloft.net>
Mon, 20 May 2013 06:56:41 +0000 (23:56 -0700)
Do not leak starting address of BPF JIT code for non root users,
as it might help intruders to perform an attack.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ben Hutchings <bhutchings@solarflare.com>
Cc: Daniel Borkmann <dborkman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
include/linux/filter.h

index c050dcc322a43e2264bdaf49b3667a0b2e63c6ab..56a6b7fbb3c6f068020e6c37ebd997d8d04917a9 100644 (file)
@@ -58,10 +58,10 @@ extern void bpf_jit_free(struct sk_filter *fp);
 static inline void bpf_jit_dump(unsigned int flen, unsigned int proglen,
                                u32 pass, void *image)
 {
-       pr_err("flen=%u proglen=%u pass=%u image=%p\n",
+       pr_err("flen=%u proglen=%u pass=%u image=%pK\n",
               flen, proglen, pass, image);
        if (image)
-               print_hex_dump(KERN_ERR, "JIT code: ", DUMP_PREFIX_ADDRESS,
+               print_hex_dump(KERN_ERR, "JIT code: ", DUMP_PREFIX_OFFSET,
                               16, 1, image, proglen, false);
 }
 #define SK_RUN_FILTER(FILTER, SKB) (*FILTER->bpf_func)(SKB, FILTER->insns)
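Review bot: the `%pK` in the pr_err() format string of bpf_jit_dump() only hides the pointer when the kptr_restrict sysctl is non-zero, and the decision is made when the string is formatted, against the task that triggers the dump rather than against whoever later reads the kernel log. With kptr_restrict at 0 the full image address is still printed, and a dump triggered by a privileged task still lands in the log with the real address. Since the hex dump now uses DUMP_PREFIX_OFFSET and no longer needs the base address, consider dropping the `image=` field from the message altogether, or at least stating the kptr_restrict dependency in the commit message so the "non root users" claim is not read as unconditional.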