bpf: sanitize bpf tracepoint access

During bpf program loading, remember the last byte of ctx access,
and at the time of attaching the program to a tracepoint check that
the program doesn't access bytes beyond those defined in the tracepoint fields.

This also disallows access to __dynamic_array fields, but can be
relaxed in the future.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2e08f8e..58792fe 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -652,8 +652,12 @@
 			    enum bpf_access_type t)
 {
 	if (env->prog->aux->ops->is_valid_access &&
-	    env->prog->aux->ops->is_valid_access(off, size, t))
+	    env->prog->aux->ops->is_valid_access(off, size, t)) {
+		/* remember the offset of last byte accessed in ctx */
+		if (env->prog->aux->max_ctx_offset < off + size)
+			env->prog->aux->max_ctx_offset = off + size;
 		return 0;
+	}
 
 	verbose("invalid bpf_context access off=%d size=%d\n", off, size);
 	return -EACCES;
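Review bot: The added comment says "offset of last byte accessed", but the value stored in `max_ctx_offset` is `off + size`, which is one past the last byte. The attach-time check in kernel/events/core.c compares it with `>` against an end offset, so the code is consistent and only the wording is off. I would reword it to `/* remember the end offset (off + size) of the furthest ctx access */` so nobody later "fixes" the comparison by one. The high-water mark is updated for every program type that supplies `is_valid_access`, not only tracepoint programs, which is worth stating in the same comment. The function's signature starts outside the hunk.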
diff --git a/kernel/events/core.c b/kernel/events/core.c
index e5ffe97..9a01019 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -7133,6 +7133,14 @@
 		return -EINVAL;
 	}
 
+	if (is_tracepoint) {
+		int off = trace_event_get_offsets(event->tp_event);
+
+		if (prog->aux->max_ctx_offset > off) {
+			bpf_prog_put(prog);
+			return -EACCES;
+		}
+	}
 	event->tp_event->prog = prog;
 
 	return 0;
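Review bot: The comparison `prog->aux->max_ctx_offset > off` mixes `int off` with a field whose declaration is not among the lines shown. If that field is unsigned, a negative `off` would be converted to a large value and the check would pass rather than fail. Declaring `off` with the same type as `max_ctx_offset`, or rejecting `off < 0` first, keeps the check fail-closed. A short comment above the block would also help, e.g. `/* reject programs whose verified ctx accesses reach past the tracepoint's fixed fields */`. The enclosing function starts and ends outside the hunk.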
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 05ddc08..ced9630 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -204,6 +204,24 @@
 	}
 }
 
+/*
+ * run-time version of trace_event_get_offsets_<call>() that returns the last
+ * accessible offset of trace fields excluding __dynamic_array bytes
+ */
+int trace_event_get_offsets(struct trace_event_call *call)
+{
+	struct ftrace_event_field *tail;
+	struct list_head *head;
+
+	head = trace_get_fields(call);
+	/*
+	 * head->next points to the last field with the largest offset,
+	 * since it was added last by trace_define_field()
+	 */
+	tail = list_first_entry(head, struct ftrace_event_field, link);
+	return tail->offset + tail->size;
+}
+
 int trace_event_raw_init(struct trace_event_call *call)
 {
 	int id;
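Review bot: `trace_event_get_offsets()` calls `list_first_entry()` without checking that the list returned by `trace_get_fields(call)` is non-empty. On an empty list that macro yields a pointer derived from the list head itself rather than a real `ftrace_event_field`, so `tail->offset + tail->size` would be read from unrelated memory and the attach-time bound would be meaningless. Whether an event can reach here with no fields is not visible in this hunk; if it can, guard it with `if (list_empty(head)) return 0;` so that any ctx access fails the check. The result also depends on trace_define_field() keeping the largest-offset field at the head, which the existing comment states but nothing enforces.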