| From 0403262c02ebf37f3db9b78ba901caaa88668699 Mon Sep 17 00:00:00 2001 |
| From: Daniel Borkmann <daniel@iogearbox.net> |
| Date: Mon, 28 Jan 2019 21:23:24 +0100 |
| Subject: bpf: restrict map value pointer arithmetic for unprivileged |
| |
| [ commit 0d6303db7970e6f56ae700fa07e11eb510cda125 upstream ] |
| |
| Restrict map value pointer arithmetic for unprivileged users so that the |
| arithmetic itself must stay in bounds, rather than only checking the actual |
| access later on. Therefore after each adjust_ptr_min_max_vals() with a |
| map value pointer as a destination it will simulate a check_map_access() |
| of 1 byte on the destination and once that fails the program is rejected |
| for unprivileged program loads. We use this later on for masking any |
| pointer arithmetic with the remainder of the map value space. The |
| likelihood of breaking any existing real-world unprivileged eBPF |
| program is very small for this corner case. |
| |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Acked-by: Alexei Starovoitov <ast@kernel.org> |
| Signed-off-by: Alexei Starovoitov <ast@kernel.org> |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Signed-off-by: Sasha Levin <sashal@kernel.org> |
| --- |
| kernel/bpf/verifier.c | 11 +++++++++++ |
| 1 file changed, 11 insertions(+) |
| |
| diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c |
| index 05dcd313279c..7c97d7cf4113 100644 |
| --- a/kernel/bpf/verifier.c |
| +++ b/kernel/bpf/verifier.c |
| @@ -3165,6 +3165,17 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
| __update_reg_bounds(dst_reg); |
| __reg_deduce_bounds(dst_reg); |
| __reg_bound_offset(dst_reg); |
| + |
| + /* For unprivileged we require that resulting offset must be in bounds |
| + * in order to be able to sanitize access later on. |
| + */ |
| + if (!env->allow_ptr_leaks && dst_reg->type == PTR_TO_MAP_VALUE && |
| + check_map_access(env, dst, dst_reg->off, 1, false)) { |
| + verbose(env, "R%d pointer arithmetic of map value goes out of range, prohibited for !root\n", |
| + dst); |
| + return -EACCES; |
| + } |
| + |
| return 0; |
| } |
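Review bot: The 1-byte probe `check_map_access(env, dst, dst_reg->off, 1, false)` also rejects a pointer that lands exactly at the end of the map value (off == value_size), which ordinary C permits as a one-past-the-end pointer; the new comment only says the offset "must be in bounds", so a reader may not expect that case to fail. Suggest extending the comment to: `/* For unprivileged we require that resulting offset must be in bounds in order to be able to sanitize access later on. Note that a pointer one past the end of the value is rejected as well, since the 1-byte probe below must itself fit. */`. Whether the variable part of the offset (smin/umax_value) is folded into this probe depends on check_map_access, which is outside the hunk; if it only considered the fixed `off`, a var_off-driven pointer could still leave the value range before the later sanitization, so that is worth confirming. The enclosing adjust_ptr_min_max_vals() starts outside the hunk.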
| |
| -- |
| 2.19.1 |
| |