From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756179AbdDRVsF (ORCPT ); Tue, 18 Apr 2017 17:48:05 -0400 Received: from mail-io0-f170.google.com ([209.85.223.170]:32901 "EHLO mail-io0-f170.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751276AbdDRVsC (ORCPT ); Tue, 18 Apr 2017 17:48:02 -0400 MIME-Version: 1.0 In-Reply-To: <20170328234650.19695-2-mic@digikod.net> References: <20170328234650.19695-1-mic@digikod.net> <20170328234650.19695-2-mic@digikod.net> From: Kees Cook Date: Tue, 18 Apr 2017 14:48:00 -0700 X-Google-Sender-Auth: XEl4iMsSJqaQec6tChGya5PHsNk Message-ID: Subject: Re: [PATCH net-next v6 01/11] bpf: Add eBPF program subtype and is_valid_subtype() verifier To: =?UTF-8?B?TWlja2HDq2wgU2FsYcO8bg==?= Cc: LKML , Alexei Starovoitov , Andy Lutomirski , Arnaldo Carvalho de Melo , Casey Schaufler , Daniel Borkmann , David Drysdale , "David S . Miller" , "Eric W . Biederman" , James Morris , Jann Horn , Jonathan Corbet , Matthew Garrett , Michael Kerrisk , Paul Moore , Sargun Dhillon , "Serge E . Hallyn" , Shuah Khan , Tejun Heo , Thomas Graf , Will Drewry , "kernel-hardening@lists.openwall.com" , Linux API , linux-security-module , Network Development Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Transfer-Encoding: 8bit X-MIME-Autoconverted: from quoted-printable to 8bit by mail.home.local id v3ILmKCc005190 On Tue, Mar 28, 2017 at 4:46 PM, Mickaël Salaün wrote: > The goal of the program subtype is to be able to have different static > fine-grained verifications for a unique program type. > > The struct bpf_verifier_ops gets a new optional function: > is_valid_subtype(). This new verifier is called at the beginning of the > eBPF program verification to check if the (optional) program subtype is > valid. > > For now, only Landlock eBPF programs are using a program subtype (see > next commit) but this could be used by other program types in the future. > > Changes since v5: > * use a prog_subtype pointer and make it future-proof > * add subtype test > * constify bpf_load_program()'s subtype argument > * cleanup subtype initialization > * rebase > > Changes since v4: > * replace the "status" field with "version" (more generic) > * replace the "access" field with "ability" (less confusing) > > Changes since v3: > * remove the "origin" field > * add an "option" field > * cleanup comments > > Signed-off-by: Mickaël Salaün > Cc: Alexei Starovoitov > Cc: Arnaldo Carvalho de Melo > Cc: Daniel Borkmann > Cc: David S. Miller > Link: https://lkml.kernel.org/r/20160827205559.GA43880@ast-mbp.thefacebook.com > --- > [...] > diff --git a/kernel/bpf/syscall.c b/kernel/bpf/syscall.c > index c35ebfe6d84d..3d07b10ade5e 100644 > --- a/kernel/bpf/syscall.c > +++ b/kernel/bpf/syscall.c > @@ -843,6 +879,26 @@ static int bpf_prog_load(union bpf_attr *attr) > if (err < 0) > goto free_prog; > > + /* copy eBPF program subtype from user space */ > + if (attr->prog_subtype) { > + __u32 size; > + > + size = check_user_buf((void __user *)attr->prog_subtype, > + attr->prog_subtype_size, > + sizeof(prog->subtype)); > + if (size < 0) { > + err = size; > + goto free_prog; > + } > + /* prog->subtype is __GFP_ZERO */ > + if (copy_from_user(&prog->subtype, > + u64_to_user_ptr(attr->prog_subtype), size) > + != 0) It might be worth adding a comment here about how the ToCToU of the check-then-copy doesn't matter in this case, since it's just a future-proofing of bits, etc. -Kees -- Kees Cook Pixel Security