Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4634986pxj; Wed, 12 May 2021 09:43:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJznfvqHCNtCc0uefR/FRivlZEwd1TP4m68clY+uYHGcBJT8wawprIT/BPn7cF7A2Hdg46MP X-Received: by 2002:a05:6402:1115:: with SMTP id u21mr44314728edv.383.1620837796061; Wed, 12 May 2021 09:43:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620837796; cv=none; d=google.com; s=arc-20160816; b=PEkWnI9u2rI+YFHn3VQdg9U5BIt2KYofdPeIAr79so//AcWMTF8rnTbHXc5App2kVI u0AU3ziVuZVf4/LOGUYe6OFr+HT4Fbgi+LHObvDUF0Fdcj8a9T13Qq/dkFOERngTqK7R pikTZ1Y3iPS8et+5ZngSZk+cdjKrkCOsvb5olfYWZyYwKEVymlZqRe6JqD0iRK0QIzO9 P1YGzsWy7th7aFbu/TIFqIrofGq5RQLT8Bqk+zfXKHEs7HEHtQDk9sxrWa4BdGrDiwGL MSWkPmYuu6vpoaK/F2i8AxDDBafY8ULy186Og9nX3YrJdqckCPKEKWYNM9t13iulR1iP l2Gw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=5MnxVNmVZN0U99CDZ+9erqcMqzzkInAlLRFhfdXC2cU=; b=PSbaCfmU/LSPA+PnxpwoJodTBSBZforA8FJWB3HPms7cI7eCKFlO2RV2J4AS37Th6w HhrZBw6wcpySoYjd8W+w4n9ECNSs8MJoFQT6ATqz3hTJYFqcYr/5FsL3gWDZ1GgzWvOW Yl+C9D1OJGHNhFPhOaMBA5N8qNrtpmhYpnEFa0bALDvCJ0rjZVvB9gnO2fOc5gBn5ljo ypaf+mZCE+ID3hBGPIoeZkTrPgOFnSAaY3wKKLoCJzP37jbZ8Z/JCMehJ19vN7krcBSX T9GiP33KvrPAVPZq6+Q9PkanXpt3pMQX2lDFeuIapthhE0oJ8FSkYf2DnYeTUBBxxZs+ SCqw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=CQeplcaA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bx19si153700edb.389.2021.05.12.09.42.51; Wed, 12 May 2021 09:43:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=CQeplcaA; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242699AbhELQkV (ORCPT + 99 others); Wed, 12 May 2021 12:40:21 -0400 Received: from mail.kernel.org ([198.145.29.99]:41830 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236894AbhELPrM (ORCPT ); Wed, 12 May 2021 11:47:12 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E8FAD61CA3; Wed, 12 May 2021 15:23:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620833039; bh=SQsyFzsfdIXn5S+wlW+H+nxr6GGUlvrq4fWV21u146E=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=CQeplcaAlx3M/86tglWueYlQH5T7JAi5JzszN5pNHhjOTzdQND+qmrLxeDpXtlNeH s+fhK/E4hMMa1sgIUDwHwkSL8vmtjp5g5kqpoYK4ruoGGki4JX98fRM1JGRTfmjS1u 4byESYD15bMFd3gsDqfkDEWqZws4MmSNJ+SdabI8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Thadeu Lima de Souza Cascardo , Andrii Nakryiko , Daniel Borkmann , Alexei Starovoitov Subject: [PATCH 5.10 525/530] bpf: Prevent writable memory-mapping of read-only ringbuf pages Date: Wed, 12 May 2021 16:50:35 +0200 Message-Id: <20210512144837.001206763@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210512144819.664462530@linuxfoundation.org> References: <20210512144819.664462530@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Andrii Nakryiko commit 04ea3086c4d73da7009de1e84962a904139af219 upstream. Only the very first page of BPF ringbuf that contains consumer position counter is supposed to be mapped as writeable by user-space. Producer position is read-only and can be modified only by the kernel code. BPF ringbuf data pages are read-only as well and are not meant to be modified by user-code to maintain integrity of per-record headers. This patch allows to map only consumer position page as writeable and everything else is restricted to be read-only. remap_vmalloc_range() internally adds VM_DONTEXPAND, so all the established memory mappings can't be extended, which prevents any future violations through mremap()'ing. Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") Reported-by: Ryota Shiga (Flatt Security) Reported-by: Thadeu Lima de Souza Cascardo Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/ringbuf.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) --- a/kernel/bpf/ringbuf.c +++ b/kernel/bpf/ringbuf.c @@ -240,25 +240,20 @@ static int ringbuf_map_get_next_key(stru return -ENOTSUPP; } -static size_t bpf_ringbuf_mmap_page_cnt(const struct bpf_ringbuf *rb) -{ - size_t data_pages = (rb->mask + 1) >> PAGE_SHIFT; - - /* consumer page + producer page + 2 x data pages */ - return RINGBUF_POS_PAGES + 2 * data_pages; -} - static int ringbuf_map_mmap(struct bpf_map *map, struct vm_area_struct *vma) { struct bpf_ringbuf_map *rb_map; - size_t mmap_sz; rb_map = container_of(map, struct bpf_ringbuf_map, map); - mmap_sz = bpf_ringbuf_mmap_page_cnt(rb_map->rb) << PAGE_SHIFT; - - if (vma->vm_pgoff * PAGE_SIZE + (vma->vm_end - vma->vm_start) > mmap_sz) - return -EINVAL; + if (vma->vm_flags & VM_WRITE) { + /* allow writable mapping for the consumer_pos only */ + if (vma->vm_pgoff != 0 || vma->vm_end - vma->vm_start != PAGE_SIZE) + return -EPERM; + } else { + vma->vm_flags &= ~VM_MAYWRITE; + } + /* remap_vmalloc_range() checks size and offset constraints */ return remap_vmalloc_range(vma, rb_map->rb, vma->vm_pgoff + RINGBUF_PGOFF); }