diff options
Diffstat (limited to 'arch/x86')
-rw-r--r-- | arch/x86/net/bpf_jit_comp.c | 61 |
1 files changed, 44 insertions, 17 deletions
diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c index f66b54086ce5..79c216aa0e2b 100644 --- a/arch/x86/net/bpf_jit_comp.c +++ b/arch/x86/net/bpf_jit_comp.c | |||
@@ -12,6 +12,7 @@ | |||
12 | #include <linux/netdevice.h> | 12 | #include <linux/netdevice.h> |
13 | #include <linux/filter.h> | 13 | #include <linux/filter.h> |
14 | #include <linux/if_vlan.h> | 14 | #include <linux/if_vlan.h> |
15 | #include <linux/random.h> | ||
15 | 16 | ||
16 | /* | 17 | /* |
17 | * Conventions : | 18 | * Conventions : |
@@ -144,6 +145,39 @@ static int pkt_type_offset(void) | |||
144 | return -1; | 145 | return -1; |
145 | } | 146 | } |
146 | 147 | ||
148 | struct bpf_binary_header { | ||
149 | unsigned int pages; | ||
150 | /* Note : for security reasons, bpf code will follow a randomly | ||
151 | * sized amount of int3 instructions | ||
152 | */ | ||
153 | u8 image[]; | ||
154 | }; | ||
155 | |||
156 | static struct bpf_binary_header *bpf_alloc_binary(unsigned int proglen, | ||
157 | u8 **image_ptr) | ||
158 | { | ||
159 | unsigned int sz, hole; | ||
160 | struct bpf_binary_header *header; | ||
161 | |||
162 | /* Most of BPF filters are really small, | ||
163 | * but if some of them fill a page, allow at least | ||
164 | * 128 extra bytes to insert a random section of int3 | ||
165 | */ | ||
166 | sz = round_up(proglen + sizeof(*header) + 128, PAGE_SIZE); | ||
167 | header = module_alloc(sz); | ||
168 | if (!header) | ||
169 | return NULL; | ||
170 | |||
171 | memset(header, 0xcc, sz); /* fill whole space with int3 instructions */ | ||
172 | |||
173 | header->pages = sz / PAGE_SIZE; | ||
174 | hole = sz - (proglen + sizeof(*header)); | ||
175 | |||
176 | /* insert a random number of int3 instructions before BPF code */ | ||
177 | *image_ptr = &header->image[prandom_u32() % hole]; | ||
178 | return header; | ||
179 | } | ||
180 | |||
147 | void bpf_jit_compile(struct sk_filter *fp) | 181 | void bpf_jit_compile(struct sk_filter *fp) |
148 | { | 182 | { |
149 | u8 temp[64]; | 183 | u8 temp[64]; |
@@ -153,6 +187,7 @@ void bpf_jit_compile(struct sk_filter *fp) | |||
153 | int t_offset, f_offset; | 187 | int t_offset, f_offset; |
154 | u8 t_op, f_op, seen = 0, pass; | 188 | u8 t_op, f_op, seen = 0, pass; |
155 | u8 *image = NULL; | 189 | u8 *image = NULL; |
190 | struct bpf_binary_header *header = NULL; | ||
156 | u8 *func; | 191 | u8 *func; |
157 | int pc_ret0 = -1; /* bpf index of first RET #0 instruction (if any) */ | 192 | int pc_ret0 = -1; /* bpf index of first RET #0 instruction (if any) */ |
158 | unsigned int cleanup_addr; /* epilogue code offset */ | 193 | unsigned int cleanup_addr; /* epilogue code offset */ |
@@ -693,7 +728,7 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; | |||
693 | if (unlikely(proglen + ilen > oldproglen)) { | 728 | if (unlikely(proglen + ilen > oldproglen)) { |
694 | pr_err("bpb_jit_compile fatal error\n"); | 729 | pr_err("bpb_jit_compile fatal error\n"); |
695 | kfree(addrs); | 730 | kfree(addrs); |
696 | module_free(NULL, image); | 731 | module_free(NULL, header); |
697 | return; | 732 | return; |
698 | } | 733 | } |
699 | memcpy(image + proglen, temp, ilen); | 734 | memcpy(image + proglen, temp, ilen); |
@@ -717,10 +752,8 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; | |||
717 | break; | 752 | break; |
718 | } | 753 | } |
719 | if (proglen == oldproglen) { | 754 | if (proglen == oldproglen) { |
720 | image = module_alloc(max_t(unsigned int, | 755 | header = bpf_alloc_binary(proglen, &image); |
721 | proglen, | 756 | if (!header) |
722 | sizeof(struct work_struct))); | ||
723 | if (!image) | ||
724 | goto out; | 757 | goto out; |
725 | } | 758 | } |
726 | oldproglen = proglen; | 759 | oldproglen = proglen; |
@@ -730,7 +763,8 @@ cond_branch: f_offset = addrs[i + filter[i].jf] - addrs[i]; | |||
730 | bpf_jit_dump(flen, proglen, pass, image); | 763 | bpf_jit_dump(flen, proglen, pass, image); |
731 | 764 | ||
732 | if (image) { | 765 | if (image) { |
733 | bpf_flush_icache(image, image + proglen); | 766 | bpf_flush_icache(header, image + proglen); |
767 | set_memory_ro((unsigned long)header, header->pages); | ||
734 | fp->bpf_func = (void *)image; | 768 | fp->bpf_func = (void *)image; |
735 | } | 769 | } |
736 | out: | 770 | out: |
@@ -738,20 +772,13 @@ out: | |||
738 | return; | 772 | return; |
739 | } | 773 | } |
740 | 774 | ||
741 | static void jit_free_defer(struct work_struct *arg) | ||
742 | { | ||
743 | module_free(NULL, arg); | ||
744 | } | ||
745 | |||
746 | /* run from softirq, we must use a work_struct to call | ||
747 | * module_free() from process context | ||
748 | */ | ||
749 | void bpf_jit_free(struct sk_filter *fp) | 775 | void bpf_jit_free(struct sk_filter *fp) |
750 | { | 776 | { |
751 | if (fp->bpf_func != sk_run_filter) { | 777 | if (fp->bpf_func != sk_run_filter) { |
752 | struct work_struct *work = (struct work_struct *)fp->bpf_func; | 778 | unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK; |
779 | struct bpf_binary_header *header = (void *)addr; | ||
753 | 780 | ||
754 | INIT_WORK(work, jit_free_defer); | 781 | set_memory_rw(addr, header->pages); |
755 | schedule_work(work); | 782 | module_free(NULL, header); |
756 | } | 783 | } |
757 | } | 784 | } |