Skip to content

Commit 2ba5622

Browse files
davem330davem330
committed
Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says: ==================== pull-request: bpf 2018-05-05 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) Sanitize attr->{prog,map}_type from bpf(2) since used as an array index to retrieve prog/map specific ops such that we prevent potential out of bounds value under speculation, from Mark and Daniel. ==================== Signed-off-by: David S. Miller <[email protected]>
2 parents 52c5cd1 + d0f1a45 commit 2ba5622

File tree

1 file changed

+14
-5
lines changed

1 file changed

+14
-5
lines changed

kernel/bpf/syscall.c

Lines changed: 14 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -26,6 +26,7 @@
2626
#include <linux/cred.h>
2727
#include <linux/timekeeping.h>
2828
#include <linux/ctype.h>
29+
#include <linux/nospec.h>
2930

3031
#define IS_FD_ARRAY(map) ((map)->map_type == BPF_MAP_TYPE_PROG_ARRAY || \
3132
(map)->map_type == BPF_MAP_TYPE_PERF_EVENT_ARRAY || \
@@ -102,12 +103,14 @@ const struct bpf_map_ops bpf_map_offload_ops = {
102103
static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
103104
{
104105
const struct bpf_map_ops *ops;
106+
u32 type = attr->map_type;
105107
struct bpf_map *map;
106108
int err;
107109

108-
if (attr->map_type >= ARRAY_SIZE(bpf_map_types))
110+
if (type >= ARRAY_SIZE(bpf_map_types))
109111
return ERR_PTR(-EINVAL);
110-
ops = bpf_map_types[attr->map_type];
112+
type = array_index_nospec(type, ARRAY_SIZE(bpf_map_types));
113+
ops = bpf_map_types[type];
111114
if (!ops)
112115
return ERR_PTR(-EINVAL);
113116

@@ -122,7 +125,7 @@ static struct bpf_map *find_and_alloc_map(union bpf_attr *attr)
122125
if (IS_ERR(map))
123126
return map;
124127
map->ops = ops;
125-
map->map_type = attr->map_type;
128+
map->map_type = type;
126129
return map;
127130
}
128131

@@ -871,11 +874,17 @@ static const struct bpf_prog_ops * const bpf_prog_types[] = {
871874

872875
static int find_prog_type(enum bpf_prog_type type, struct bpf_prog *prog)
873876
{
874-
if (type >= ARRAY_SIZE(bpf_prog_types) || !bpf_prog_types[type])
877+
const struct bpf_prog_ops *ops;
878+
879+
if (type >= ARRAY_SIZE(bpf_prog_types))
880+
return -EINVAL;
881+
type = array_index_nospec(type, ARRAY_SIZE(bpf_prog_types));
882+
ops = bpf_prog_types[type];
883+
if (!ops)
875884
return -EINVAL;
876885

877886
if (!bpf_prog_is_dev_bound(prog->aux))
878-
prog->aux->ops = bpf_prog_types[type];
887+
prog->aux->ops = ops;
879888
else
880889
prog->aux->ops = &bpf_offload_prog_ops;
881890
prog->type = type;

0 commit comments

Comments
 (0)