From: Jiri Slaby <jslaby@suse.cz>
To: gregkh@linuxfoundation.org
Cc: stable@vger.kernel.org, ast@kernel.org, netdev@vger.kernel.org,
Alexei Starovoitov <ast@fb.com>,
"David S . Miller" <davem@davemloft.net>,
Jiri Slaby <jslaby@suse.cz>
Subject: [PATCH 4.4-stable 5/6] bpf: adjust insn_aux_data when patching insns
Date: Fri, 12 Jan 2018 17:17:20 +0100 [thread overview]
Message-ID: <20180112161721.8843-6-jslaby@suse.cz> (raw)
In-Reply-To: <20180112161721.8843-1-jslaby@suse.cz>
From: Alexei Starovoitov <ast@fb.com>
commit 8041902dae5299c1f194ba42d14383f734631009 upstream.
convert_ctx_accesses() replaces single bpf instruction with a set of
instructions. Adjust corresponding insn_aux_data while patching.
It's needed to make sure subsequent 'for(all insn)' loops
have matching insn and insn_aux_data.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
kernel/bpf/verifier.c | 40 +++++++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 47bb3eee950c..bb4b5405d1a5 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -2107,6 +2107,41 @@ static void convert_pseudo_ld_imm64(struct verifier_env *env)
insn->src_reg = 0;
}
+/* single env->prog->insni[off] instruction was replaced with the range
+ * insni[off, off + cnt). Adjust corresponding insn_aux_data by copying
+ * [0, off) and [off, end) to new locations, so the patched range stays zero
+ */
+static int adjust_insn_aux_data(struct verifier_env *env, u32 prog_len,
+ u32 off, u32 cnt)
+{
+ struct bpf_insn_aux_data *new_data, *old_data = env->insn_aux_data;
+
+ if (cnt == 1)
+ return 0;
+ new_data = vzalloc(sizeof(struct bpf_insn_aux_data) * prog_len);
+ if (!new_data)
+ return -ENOMEM;
+ memcpy(new_data, old_data, sizeof(struct bpf_insn_aux_data) * off);
+ memcpy(new_data + off + cnt - 1, old_data + off,
+ sizeof(struct bpf_insn_aux_data) * (prog_len - off - cnt + 1));
+ env->insn_aux_data = new_data;
+ vfree(old_data);
+ return 0;
+}
+
+static struct bpf_prog *bpf_patch_insn_data(struct verifier_env *env, u32 off,
+ const struct bpf_insn *patch, u32 len)
+{
+ struct bpf_prog *new_prog;
+
+ new_prog = bpf_patch_insn_single(env->prog, off, patch, len);
+ if (!new_prog)
+ return NULL;
+ if (adjust_insn_aux_data(env, new_prog->len, off, len))
+ return NULL;
+ return new_prog;
+}
+
/* convert load instructions that access fields of 'struct __sk_buff'
* into sequence of instructions that access fields of 'struct sk_buff'
*/
@@ -2132,7 +2167,7 @@ static int convert_ctx_accesses(struct verifier_env *env)
else
continue;
- if (env->insn_aux_data[i].ptr_type != PTR_TO_CTX)
+ if (env->insn_aux_data[i + delta].ptr_type != PTR_TO_CTX)
continue;
cnt = env->prog->aux->ops->
@@ -2143,8 +2178,7 @@ static int convert_ctx_accesses(struct verifier_env *env)
return -EINVAL;
}
- new_prog = bpf_patch_insn_single(env->prog, i + delta, insn_buf,
- cnt);
+ new_prog = bpf_patch_insn_data(env, i + delta, insn_buf, cnt);
if (!new_prog)
return -ENOMEM;
--
2.15.1
next prev parent reply other threads:[~2018-01-12 16:17 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-01-12 16:17 [PATCH 4.4-stable 0/6] bpf: prevent out-of-bounds speculation Jiri Slaby
2018-01-12 16:17 ` [PATCH 4.4-stable 1/6] bpf: add bpf_patch_insn_single helper Jiri Slaby
2018-01-12 16:17 ` [PATCH 4.4-stable 2/6] bpf: don't (ab)use instructions to store state Jiri Slaby
2018-01-12 16:17 ` [PATCH 4.4-stable 3/6] bpf: move fixup_bpf_calls() function Jiri Slaby
2018-01-12 16:17 ` [PATCH 4.4-stable 4/6] bpf: refactor fixup_bpf_calls() Jiri Slaby
2018-01-12 16:17 ` Jiri Slaby [this message]
2018-01-12 16:17 ` [PATCH 4.4-stable 6/6] bpf: prevent out-of-bounds speculation Jiri Slaby
2018-01-12 16:52 ` Eric Dumazet
2018-01-12 16:28 ` [PATCH 4.4-stable 0/6] " Daniel Borkmann
2018-01-12 16:58 ` [PATCH 4.4-stable 7/7] bpf, array: fix overflow in max_entries and undefined behavior in index_mask Jiri Slaby
2018-01-13 15:39 ` Patch "bpf, array: fix overflow in max_entries and undefined behavior in index_mask" has been added to the 4.4-stable tree gregkh
2018-01-13 19:49 ` [PATCH 4.4-stable 0/6] bpf: prevent out-of-bounds speculation Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180112161721.8843-6-jslaby@suse.cz \
--to=jslaby@suse.cz \
--cc=ast@fb.com \
--cc=ast@kernel.org \
--cc=davem@davemloft.net \
--cc=gregkh@linuxfoundation.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.