Revision 773cd38f40b8834be991dbfed36683acc1dd41ee authored by Alexei Starovoitov on 13 May 2014, 22:05:55 UTC, committed by David S. Miller on 13 May 2014, 22:31:13 UTC
bpf_alloc_binary() adds 128 bytes of room to JITed program image
and rounds it up to the nearest page size. If image size is close
to page size (like 4000), it is rounded to two pages:
round_up(4000 + 4 + 128) == 8192
then 'hole' is computed as 8192 - (4000 + 4) = 4188
If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
then the kernel will crash during bpf_jit_free():

kernel BUG at arch/x86/mm/pageattr.c:887!
Call Trace:
 [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
 [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
 [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
 [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
 [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
 [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
 [<ffffffff8106c90c>] worker_thread+0x11c/0x370

since bpf_jit_free() does:
  unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
  struct bpf_binary_header *header = (void *)addr;
to compute start address of 'bpf_binary_header'
and header->pages will pass junk to:
  set_memory_rw(addr, header->pages);

Fix it by making sure that &header->image[prandom_u32() % hole] and &header
are in the same page

Fixes: 314beb9bcabfd ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent 6262971