bpf: sanitize bpf tracepoint access during bpf program loading remember the last byte of ctx access and at the time of attaching the program to tracepoint check that the program doesn't access bytes beyond defined in tracepoint fields This also disallows access to __dynamic_array fields, but can be relaxed in the future. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net>

commit: 32bbe0078afe86a8bf4c67c6b3477781b15e94dc [log] [tgz]
author: Alexei Starovoitov <ast@fb.com> Wed Apr 06 18:43:28 2016 -0700
committer: David S. Miller <davem@davemloft.net> Thu Apr 07 21:04:26 2016 -0400
tree: 8c5290f51108de3a2c98cb7171942fb9d5e36ab2
parent: 9940d67c93b5bb7ddcf862b41b1847cb728186c4 [diff] [blame]
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2e08f8e..58792fe 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c

@@ -652,8 +652,12 @@
 			    enum bpf_access_type t)
 {
 	if (env->prog->aux->ops->is_valid_access &&
-	    env->prog->aux->ops->is_valid_access(off, size, t))
+	    env->prog->aux->ops->is_valid_access(off, size, t)) {
+		/* remember the offset of last byte accessed in ctx */
+		if (env->prog->aux->max_ctx_offset < off + size)
+			env->prog->aux->max_ctx_offset = off + size;
 		return 0;
+	}
 
 	verbose("invalid bpf_context access off=%d size=%d\n", off, size);
 	return -EACCES;
commit	32bbe0078afe86a8bf4c67c6b3477781b15e94dc	[log] [tgz]
author	Alexei Starovoitov <ast@fb.com>	Wed Apr 06 18:43:28 2016 -0700
committer	David S. Miller <davem@davemloft.net>	Thu Apr 07 21:04:26 2016 -0400
tree	8c5290f51108de3a2c98cb7171942fb9d5e36ab2
parent	9940d67c93b5bb7ddcf862b41b1847cb728186c4 [diff] [blame]