Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4751722pxj; Wed, 12 May 2021 12:24:17 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz1TmMQjpqAIzZYD2ZYC6gnniAqiRtcwS7s2Kgres8g+wGJs+w2Zg2dRFJ3n4WJlEu+fZuY X-Received: by 2002:a05:6402:546:: with SMTP id i6mr20088987edx.376.1620847457056; Wed, 12 May 2021 12:24:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1620847457; cv=none; d=google.com; s=arc-20160816; b=hAdyT8KICGrEUtw+yeImY8jUrWq4QxegIGM6bkFZ07zhecELc/jEVNtUYKj88Lf3o+ Gd/X2+dmkV6XYntUa20wk1g7wGhMW3D5bAf3G4pwubCgwKy4I/EK1XgN4ZjD0Xf/dt7d 3D3YKUnDbTeXP8fqQRzHKqwVkkXioE9BDorKroop3dNOoLauEcBAkj2JzfQ/tDpK0dAu q998roFWVaFnUedJackD0WVXp5vqm15N3TuNZCQ4F0yaHZq7riTiDRRy097pzDQd00P1 SYL5Qcm79bXb4gDwBDkmbv7zh2jFwLtZoXilYxX6bsE0MENGjoLwelxWknDRg0lj2R5O dFkA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=evmM+l3YGnT+4llgoKcNudN5h/qKfMeXt1liW1X9I0I=; b=Pd+GanhjrB34swwbjsOGl2IXNaGyNs49jchXhNkVtXrLP+Lx/K6EvFzBElVdQEFOVG yawhFIDQPu6tuR4DlD+IL/dI/guH3jWqUUDbuma7wtJUlQ9kzkeUO+nexlqjKSHVVMJ/ K8meqGxKpg1TKB0Gw7W/av/ja533A6tJ5yXO0VUoLnsBcWO/dpTZfCuFywkZnAXIqUkM SVDrswjTcpGOKyPf1Drdc+eXkih+JVlWgeGP0kNFIGOdyv2Ux6k83TxKYuLi3O2S1Gl6 CoR+sinJKnc4Ph/A7/spZf/1KZjmC+GXO7h9sQ4XZ/36kkwZofuVe0D6U7pUQUojpPjQ hH3Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=amgyqtQz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id v1si513724edc.485.2021.05.12.12.23.53; Wed, 12 May 2021 12:24:17 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=amgyqtQz; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1379670AbhELTUH (ORCPT + 99 others); Wed, 12 May 2021 15:20:07 -0400 Received: from mail.kernel.org ([198.145.29.99]:48454 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S244739AbhELQvI (ORCPT ); Wed, 12 May 2021 12:51:08 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id CEC6661C85; Wed, 12 May 2021 16:17:37 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1620836258; bh=pbxj6mVkDRr5GwQnnzNiBrvsiYzhgsNJMOp0UGum6LI=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=amgyqtQzX+4opwmkX3pnYrIT0Uo/4G+2P1tR6xwS+Z5Ag+znRUSvYmUd9Mh4BH+1E L+SkQGTfQBBKPOM0t+wU+/jnzDntgcM03WO9JBhSYVtzrtvtAEfLEUnrFlIEf4feeE abEHScsiO/TPEZQSVhPZ2FZ0k2dB+8UZ9h0/LIbY= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Thadeu Lima de Souza Cascardo , Andrii Nakryiko , Daniel Borkmann , Alexei Starovoitov Subject: [PATCH 5.12 673/677] bpf: Prevent writable memory-mapping of read-only ringbuf pages Date: Wed, 12 May 2021 16:51:59 +0200 Message-Id: <20210512144859.717775673@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210512144837.204217980@linuxfoundation.org> References: <20210512144837.204217980@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Andrii Nakryiko commit 04ea3086c4d73da7009de1e84962a904139af219 upstream. Only the very first page of BPF ringbuf that contains consumer position counter is supposed to be mapped as writeable by user-space. Producer position is read-only and can be modified only by the kernel code. BPF ringbuf data pages are read-only as well and are not meant to be modified by user-code to maintain integrity of per-record headers. This patch allows to map only consumer position page as writeable and everything else is restricted to be read-only. remap_vmalloc_range() internally adds VM_DONTEXPAND, so all the established memory mappings can't be extended, which prevents any future violations through mremap()'ing. Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it") Reported-by: Ryota Shiga (Flatt Security) Reported-by: Thadeu Lima de Souza Cascardo Signed-off-by: Andrii Nakryiko Signed-off-by: Daniel Borkmann Acked-by: Alexei Starovoitov Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/ringbuf.c | 21 ++++++++------------- 1 file changed, 8 insertions(+), 13 deletions(-) --- a/kernel/bpf/ringbuf.c +++ b/kernel/bpf/ringbuf.c @@ -221,25 +221,20 @@ static int ringbuf_map_get_next_key(stru return -ENOTSUPP; } -static size_t bpf_ringbuf_mmap_page_cnt(const struct bpf_ringbuf *rb) -{ - size_t data_pages = (rb->mask + 1) >> PAGE_SHIFT; - - /* consumer page + producer page + 2 x data pages */ - return RINGBUF_POS_PAGES + 2 * data_pages; -} - static int ringbuf_map_mmap(struct bpf_map *map, struct vm_area_struct *vma) { struct bpf_ringbuf_map *rb_map; - size_t mmap_sz; rb_map = container_of(map, struct bpf_ringbuf_map, map); - mmap_sz = bpf_ringbuf_mmap_page_cnt(rb_map->rb) << PAGE_SHIFT; - - if (vma->vm_pgoff * PAGE_SIZE + (vma->vm_end - vma->vm_start) > mmap_sz) - return -EINVAL; + if (vma->vm_flags & VM_WRITE) { + /* allow writable mapping for the consumer_pos only */ + if (vma->vm_pgoff != 0 || vma->vm_end - vma->vm_start != PAGE_SIZE) + return -EPERM; + } else { + vma->vm_flags &= ~VM_MAYWRITE; + } + /* remap_vmalloc_range() checks size and offset constraints */ return remap_vmalloc_range(vma, rb_map->rb, vma->vm_pgoff + RINGBUF_PGOFF); }