bpf: sanitize bpf tracepoint access

during bpf program loading remember the last byte of ctx access and at the time of attaching the program to tracepoint check that the program doesn't access bytes beyond defined in tracepoint fields This also disallows access to __dynamic_array fields, but can be relaxed in the future. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Alexei Starovoitov <ast@fb.com> 2016-04-06 18:43:28 -0700
committer: David S. Miller <davem@davemloft.net> 2016-04-07 21:04:26 -0400
commit: 32bbe0078afe86a8bf4c67c6b3477781b15e94dc (patch)
tree: 8c5290f51108de3a2c98cb7171942fb9d5e36ab2 /kernel/bpf
parent: 9940d67c93b5bb7ddcf862b41b1847cb728186c4 (diff)
1 files changed, 5 insertions, 1 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2e08f8e9b771..58792fed5678 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -652,8 +652,12 @@ static int check_ctx_access(struct verifier_env *env, int off, int size,
 			    enum bpf_access_type t)
 {
 	if (env->prog->aux->ops->is_valid_access &&
-	    env->prog->aux->ops->is_valid_access(off, size, t))
+	    env->prog->aux->ops->is_valid_access(off, size, t)) {
+		/* remember the offset of last byte accessed in ctx */
+		if (env->prog->aux->max_ctx_offset < off + size)
+			env->prog->aux->max_ctx_offset = off + size;
 		return 0;
+	}
 
 	verbose("invalid bpf_context access off=%d size=%d\n", off, size);
 	return -EACCES;
author	Alexei Starovoitov <ast@fb.com>	2016-04-06 18:43:28 -0700
committer	David S. Miller <davem@davemloft.net>	2016-04-07 21:04:26 -0400
commit	32bbe0078afe86a8bf4c67c6b3477781b15e94dc (patch)
tree	8c5290f51108de3a2c98cb7171942fb9d5e36ab2 /kernel/bpf
parent	9940d67c93b5bb7ddcf862b41b1847cb728186c4 (diff)