diff options
| author |   Alexei Starovoitov <ast@fb.com> | 2016-04-06 18:43:28 -0700 |
|---|---|---|
| committer |   David S. Miller <davem@davemloft.net> | 2016-04-07 21:04:26 -0400 |
| commit | 32bbe0078afe86a8bf4c67c6b3477781b15e94dc (patch) | |
| tree | 8c5290f51108de3a2c98cb7171942fb9d5e36ab2 /kernel/bpf/verifier.c | |
| parent | bpf: support bpf_get_stackid() and bpf_perf_event_output() in tracepoint programs (diff) | |
| download | linux-dev-32bbe0078afe86a8bf4c67c6b3477781b15e94dc.tar.xz linux-dev-32bbe0078afe86a8bf4c67c6b3477781b15e94dc.zip | |
bpf: sanitize bpf tracepoint access
during bpf program loading remember the last byte of ctx access
and at the time of attaching the program to tracepoint check that
the program doesn't access bytes beyond defined in tracepoint fields
This also disallows access to __dynamic_array fields, but can be
relaxed in the future.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'kernel/bpf/verifier.c')
| -rw-r--r-- | kernel/bpf/verifier.c | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 2e08f8e9b771..58792fed5678 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -652,8 +652,12 @@ static int check_ctx_access(struct verifier_env *env, int off, int size, enum bpf_access_type t) { if (env->prog->aux->ops->is_valid_access && - env->prog->aux->ops->is_valid_access(off, size, t)) + env->prog->aux->ops->is_valid_access(off, size, t)) { + /* remember the offset of last byte accessed in ctx */ + if (env->prog->aux->max_ctx_offset < off + size) + env->prog->aux->max_ctx_offset = off + size; return 0; + } verbose("invalid bpf_context access off=%d size=%d\n", off, size); return -EACCES; |