summaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorAlexei Starovoitov <ast@kernel.org>2017-12-19 05:15:20 +0100
committerDaniel Borkmann <daniel@iogearbox.net>2017-12-21 02:26:29 +0100
commit82abbf8d2fc46d79611ab58daa7c608df14bb3ee (patch)
tree288d426963ab3a782ef0876a8ad41ce1d5856401 /include
parentMerge branch 'bpf-verifier-sec-fixes' (diff)
downloadlinux-82abbf8d2fc46d79611ab58daa7c608df14bb3ee.tar.xz
linux-82abbf8d2fc46d79611ab58daa7c608df14bb3ee.zip
bpf: do not allow root to mangle valid pointers
Do not allow root to convert valid pointers into unknown scalars. In particular disallow: ptr &= reg ptr <<= reg ptr += ptr and explicitly allow: ptr -= ptr since pkt_end - pkt == length 1. This minimizes amount of address leaks root can do. In the future may need to further tighten the leaks with kptr_restrict. 2. If program has such pointer math it's likely a user mistake and when verifier complains about it right away instead of many instructions later on invalid memory access it's easier for users to fix their progs. 3. when register holding a pointer cannot change to scalar it allows JITs to optimize better. Like 32-bit archs could use single register for pointers instead of a pair required to hold 64-bit scalars. 4. reduces architecture dependent behavior. Since code: r1 = r10; r1 &= 0xff; if (r1 ...) will behave differently arm64 vs x64 and offloaded vs native. A significant chunk of ptr mangling was allowed by commit f1174f77b50c ("bpf/verifier: rework value tracking") yet some of it was allowed even earlier. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'include')
0 files changed, 0 insertions, 0 deletions