Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4697976pxj; Wed, 12 May 2021 11:08:18 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyXP4kPAZPJM2Zvnfa/MWCAIKCxuPI1eH04e0JvZccaaM9iwbwiEJUVT0aoAqhZku3us4RM X-Received: by 2002:a17:906:81c4:: with SMTP id e4mr575543ejx.27.1620842898031; Wed, 12 May 2021 11:08:18 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620842898; cv=none; d=google.com; s=arc-20160816; b=yEW9lIYR4MHD/MDAGxzzoEuyXszJep6/gIwloR1sMoq++5J9rOm0V8S42V7mM0/sW5 vfTuYNmN5hZtSlqHIPr+q03h5jmDzEzqpz5yVCWNyfifKZk/Imh8VCMzPZe3uHcFqnFs 3ceFkJkeV1YfERgGOUnY9LAc+PVix9AeeuX3fjReSMpGbtcnARyxfxE0dnDsXqP0CUUM a2T73XOtDeANaIQLR1P0e9BCLgVtkzyk3OSLnvmCyAh/igExbb/PjagpI+QEFIG+ZHNG OiQ/7f9gITU59Wtepm1OEfdAYB1xWqPaudydHu/qJfhlDOTTnGFZKT8XdgUBcNReQsD+ KMkg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=evmM+l3YGnT+4llgoKcNudN5h/qKfMeXt1liW1X9I0I=; b=hg1jYoIrz6fiaeBmJv537n3PtYwgw7YnltYvO62Avi6aftuclGrMf2+6pGfxneLKSu troA7hWBaDG2bhOZdXVH4hOCA3fUAt4/g/XFysR2SSy5RliOqSpml9di6IemUHTSFryE IqStXwLzyNku0CBfqo0vOcgVmLsi7XGLMpU/e/lfPvb3WXeaeoxauKO5qLU8N6u26IkI iM+xsJJZ2Aymcm1Hf+YDPunnC3oX6uAYHDVzxZujs+jlEH1/5wVTrO/+5DS6SiP8kJlr 1/gaEkDcWgQ+STtC2k6xzZmqaPqSMJ7alYs07sO/4TA6Ze6JAE0TW/5Dhsg+VA4H25t/ NxQQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=zvxlD8Wt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id cb3si366403edb.209.2021.05.12.11.07.53; Wed, 12 May 2021 11:08:18 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=zvxlD8Wt; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1351624AbhELSB0 (ORCPT + 99 others); Wed, 12 May 2021 14:01:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:43080 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241110AbhELQ0Y (ORCPT ); Wed, 12 May 2021 12:26:24 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 4727E619B8; Wed, 12 May 2021 15:49:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620834585; bh=pbxj6mVkDRr5GwQnnzNiBrvsiYzhgsNJMOp0UGum6LI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zvxlD8WtUSMvhUEJPOLu+Y1SK/Ejl1QEkR2lQy16cxY6/TN/59FpZ9f8eI5iz2EOn rCBq3HaJTdd8XuOBZp1qaKCVOmkv6RHjxNkjECWyqbhqncYdcbhhxkcf8dIKGhHkig 42aCPaW5XWFYFNDnWcXUpvEawfFMyfPKCfGyDcLQ= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Thadeu Lima de Souza Cascardo , Andrii Nakryiko , Daniel Borkmann , Alexei Starovoitov Subject: [PATCH 5.11 597/601] bpf: Prevent writable memory-mapping of read-only ringbuf pages Date: Wed, 12 May 2021 16:51:14 +0200 Message-Id: <20210512144847.516737275@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210512144827.811958675@linuxfoundation.org> References: <20210512144827.811958675@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Andrii Nakryiko commit 04ea3086c4d73da7009de1e84962a904139af219 upstream. Only the very first page of BPF ringbuf that contains consumer position counter is supposed to be mapped as writeable by user-space. Producer position is read-only and can be modified only by the kernel code. BPF ringbuf data pages are read-only as well and are not meant to be modified by user-code to maintain integrity of per-record headers. This patch allows to map only consumer position page as writeable and everything else is restricted to be read-only. remap_vmalloc_range() internally adds VM_DONTEXPAND, so all the established memory mappings can't be extended, which prevents any future violations through mremap()'ing. Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") Reported-by: Ryota Shiga (Flatt Security) Reported-by: Thadeu Lima de Souza Cascardo Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/ringbuf.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) --- a/kernel/bpf/ringbuf.c +++ b/kernel/bpf/ringbuf.c @@ -221,25 +221,20 @@ static int ringbuf_map_get_next_key(stru return -ENOTSUPP; } -static size_t bpf_ringbuf_mmap_page_cnt(const struct bpf_ringbuf *rb) -{ - size_t data_pages = (rb->mask + 1) >> PAGE_SHIFT; - - /* consumer page + producer page + 2 x data pages */ - return RINGBUF_POS_PAGES + 2 * data_pages; -} - static int ringbuf_map_mmap(struct bpf_map *map, struct vm_area_struct *vma) { struct bpf_ringbuf_map *rb_map; - size_t mmap_sz; rb_map = container_of(map, struct bpf_ringbuf_map, map); - mmap_sz = bpf_ringbuf_mmap_page_cnt(rb_map->rb) << PAGE_SHIFT; - - if (vma->vm_pgoff * PAGE_SIZE + (vma->vm_end - vma->vm_start) > mmap_sz) - return -EINVAL; + if (vma->vm_flags & VM_WRITE) { + /* allow writable mapping for the consumer_pos only */ + if (vma->vm_pgoff != 0 || vma->vm_end - vma->vm_start != PAGE_SIZE) + return -EPERM; + } else { + vma->vm_flags &= ~VM_MAYWRITE; + } + /* remap_vmalloc_range() checks size and offset constraints */ return remap_vmalloc_range(vma, rb_map->rb, vma->vm_pgoff + RINGBUF_PGOFF); }