| From 7d1bfa8ee6c2613377661374184431c1aaac6a50 Mon Sep 17 00:00:00 2001 |
| From: Daniel Borkmann <daniel@iogearbox.net> |
| Date: Sat, 2 Nov 2019 00:17:58 +0100 |
| Subject: [PATCH] bpf: Make use of probe_user_write in probe write helper |
| |
| commit eb1b66887472eaa7342305b7890ae510dd9d1a79 upstream. |
| |
| Convert the bpf_probe_write_user() helper to probe_user_write() such that |
| writes are not attempted under KERNEL_DS anymore which is buggy as kernel |
| and user space pointers can have overlapping addresses. Also, given we have |
| the access_ok() check inside probe_user_write(), the helper doesn't need |
| to do it twice. |
| |
| Fixes: 96ae52279594 ("bpf: Add bpf_probe_write_user BPF helper to be called in tracers") |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Signed-off-by: Alexei Starovoitov <ast@kernel.org> |
| Acked-by: Andrii Nakryiko <andriin@fb.com> |
| Link: https://lore.kernel.org/bpf/841c461781874c07a0ee404a454c3bc0459eed30.1572649915.git.daniel@iogearbox.net |
| Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> |
| |
| diff --git a/kernel/trace/bpf_trace.c b/kernel/trace/bpf_trace.c |
| index aaf66cd9daa6..a2c30e1eb7e4 100644 |
| --- a/kernel/trace/bpf_trace.c |
| +++ b/kernel/trace/bpf_trace.c |
| @@ -155,7 +155,7 @@ static const struct bpf_func_proto bpf_probe_read_proto = { |
| .arg3_type = ARG_ANYTHING, |
| }; |
| |
| -BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, |
| +BPF_CALL_3(bpf_probe_write_user, void __user *, unsafe_ptr, const void *, src, |
| u32, size) |
| { |
| /* |
| @@ -178,10 +178,8 @@ BPF_CALL_3(bpf_probe_write_user, void *, unsafe_ptr, const void *, src, |
| return -EPERM; |
| if (unlikely(!nmi_uaccess_okay())) |
| return -EPERM; |
| - if (!access_ok(unsafe_ptr, size)) |
| - return -EPERM; |
| |
| - return probe_kernel_write(unsafe_ptr, src, size); |
| + return probe_user_write(unsafe_ptr, src, size); |
| } |
| |
| static const struct bpf_func_proto bpf_probe_write_user_proto = { |
| -- |
| 2.7.4 |
| |