From: Sami Tolvanen Date: Wed, 4 Sep 2019 21:56:40 +0000 (-0700) Subject: ANDROID: arm64: bpf: implement arch_bpf_jit_check_func X-Git-Url: https://git.stricted.de/?a=commitdiff_plain;h=840f7113596036a447c973159885ae10025d8f30;p=GitHub%2FLineageOS%2Fandroid_kernel_motorola_exynos9610.git ANDROID: arm64: bpf: implement arch_bpf_jit_check_func Implement arch_bpf_jit_check_func to check that pointers to jited BPF functions are correctly aligned and point to the BPF JIT region. This narrows down the attack surface on the stored pointer. Bug: 140377409 Change-Id: I10c448eda6a8b0bf4c16ee591fc65974696216b9 Signed-off-by: Sami Tolvanen
---
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 1bbb457c293f..7f4b0b4a6ec0 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -943,3 +943,25 @@ out:
 tmp : orig_prog);
 return prog;
 }
+
+#ifdef CONFIG_CFI_CLANG
+bool arch_bpf_jit_check_func(const struct bpf_prog *prog)
+{
+ const uintptr_t func = (const uintptr_t)prog->bpf_func;
+
+ /*
+ * bpf_func must be correctly aligned and within the correct region.
+ * module_alloc places JIT code in the module region, unless
+ * ARM64_MODULE_PLTS is enabled, in which case we might end up using
+ * the vmalloc region too.
+ */
+ if (unlikely(!IS_ALIGNED(func, sizeof(u32))))
+ return false;
+
+ if (IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) &&
+ is_vmalloc_addr(prog->bpf_func))
+ return true;
+
+ return (func >= MODULES_VADDR && func < MODULES_END);
+}
+#endif
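Review bot: When CONFIG_ARM64_MODULE_PLTS is set, the `is_vmalloc_addr(prog->bpf_func)` branch accepts any 4-byte-aligned address anywhere in the vmalloc area, so on those configurations the new check degrades to little more than an alignment test — and the fixed `MODULES_VADDR`/`MODULES_END` window is least meaningful precisely there, because with CONFIG_RANDOMIZE_BASE the module region is placed at the randomized `module_alloc_base`, and as far as I recall KASLR selects MODULE_PLTS, so the vmalloc branch is the one that actually runs on a typical Android kernel (worth confirming against this tree's Kconfig). A tighter test would mirror module_alloc() directly: accept `[module_alloc_base, module_alloc_base + MODULES_VSIZE)`, widened to the `SZ_4G` fallback window only when MODULE_PLTS is enabled, which keeps every jited program valid while excluding VMAP_STACK stacks, vmalloc'd data and unrelated mappings; check that `module_alloc_base` is reachable via asm/module.h here and that the fallback bound matches module_alloc() in this tree before relying on it. Separately, `prog->bpf_func` is loaded twice (once into `func`, again for `is_vmalloc_addr`), so a concurrent writer could satisfy each test with a different value; pass `(void *)func` rather than re-reading the field. The comment block should also state the threat model explicitly, e.g. `/* Called on an attacker-reachable pointer: only the JIT window is a valid target. */`.
```c
bool arch_bpf_jit_check_func(const struct bpf_prog *prog)
{
	const uintptr_t func = (const uintptr_t)prog->bpf_func;
	/* … unchanged: alignment check … */

	/*
	 * Mirror module_alloc(): JIT code is served from the (possibly
	 * randomized) module window, or from the 4 GB PLT fallback window
	 * above it when ARM64_MODULE_PLTS is enabled. Anything else in
	 * vmalloc space is not a legitimate jited program.
	 */
	const uintptr_t base = module_alloc_base;
	const uintptr_t limit = base + (IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) ?
					SZ_4G : MODULES_VSIZE);

	return func >= base && func < limit;
}
```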