ANDROID: arm64: bpf: implement arch_bpf_jit_check_func
author Sami Tolvanen <samitolvanen@google.com>
Wed, 4 Sep 2019 21:56:40 +0000 (14:56 -0700)
committer Cosmin Tanislav <demonsingur@gmail.com>
Thu, 16 May 2024 07:58:22 +0000 (10:58 +0300)
Implement arch_bpf_jit_check_func to check that pointers to jited BPF
functions are correctly aligned and point to the BPF JIT region. This
narrows down the attack surface on the stored pointer.

Bug: 140377409
Change-Id: I10c448eda6a8b0bf4c16ee591fc65974696216b9
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
arch/arm64/net/bpf_jit_comp.c

index 1bbb457c293f91d88ae3c149caee0b7f80ed8767..7f4b0b4a6ec020b653b3dd0d7332b165d157fa8d 100644 (file)
@@ -943,3 +943,25 @@ out:
                                           tmp : orig_prog);
        return prog;
 }
+
+#ifdef CONFIG_CFI_CLANG
+bool arch_bpf_jit_check_func(const struct bpf_prog *prog)
+{
+       const uintptr_t func = (const uintptr_t)prog->bpf_func;
+
+       /*
+        * bpf_func must be correctly aligned and within the correct region.
+        * module_alloc places JIT code in the module region, unless
+        * ARM64_MODULE_PLTS is enabled, in which case we might end up using
+        * the vmalloc region too.
+        */
+       if (unlikely(!IS_ALIGNED(func, sizeof(u32))))
+               return false;
+
+       if (IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) &&
+                       is_vmalloc_addr(prog->bpf_func))
+               return true;
+
+       return (func >= MODULES_VADDR && func < MODULES_END);
+}
+#endif
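Review bot: the CONFIG_ARM64_MODULE_PLTS branch (`if (IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) && is_vmalloc_addr(prog->bpf_func)) return true;`) accepts any address in the vmalloc area, which is far larger than the JIT region and holds plenty of non-code allocations, so on PLT-enabled configs the check reduces to "4-byte aligned and somewhere in vmalloc" and most of the attack-surface narrowing described in the commit message is lost; consider tightening it to the actual JIT allocation (for example the range recorded for the program's bpf_binary_header) or at least documenting in the comment that the guarantee is weaker in that configuration. Two smaller points: the `const` in `(const uintptr_t)prog->bpf_func` is meaningless on a scalar cast and can be dropped, and the hunk adds the definition under CONFIG_CFI_CLANG without a visible prototype, so make sure the generic declaration of arch_bpf_jit_check_func lands in the same series so this does not build with a missing-prototype warning.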