diff options
| author | Ravi Bangoria <ravi.bangoria@linux.ibm.com> | 2021-10-12 18:00:54 +0530 |
|---|---|---|
| committer | Michael Ellerman <mpe@ellerman.id.au> | 2021-11-25 11:25:32 +1100 |
| commit | 9c70c7147ffec31de67d33243570a533b29f9759 (patch) | |
| tree | 7c7e32383adc9ddce499014df4dd355d49f0bf3c /arch/powerpc/lib/code-patching.c | |
| parent | 983bdc0245a29cdefcd30d9d484d3edbc4b6d787 (diff) | |
| download | linux-9c70c7147ffec31de67d33243570a533b29f9759.tar.gz linux-9c70c7147ffec31de67d33243570a533b29f9759.tar.bz2 linux-9c70c7147ffec31de67d33243570a533b29f9759.zip | |
bpf ppc64: Access only if addr is kernel address
On PPC64 with KUAP enabled, any kernel code which wants to
access userspace needs to be surrounded by disable-enable KUAP.
But that is not happening for BPF_PROBE_MEM load instruction.
So, when BPF program tries to access invalid userspace address,
page-fault handler considers it as bad KUAP fault:
Kernel attempted to read user page (d0000000) - exploit attempt? (uid: 0)
Considering the fact that PTR_TO_BTF_ID (which uses BPF_PROBE_MEM
mode) could either be a valid kernel pointer or NULL but should
never be a pointer to userspace address, execute BPF_PROBE_MEM load
only if addr is kernel address, otherwise set dst_reg=0 and move on.
This will catch NULL, valid or invalid userspace pointers. Only bad
kernel pointer will be handled by BPF exception table.
[Alexei suggested for x86]
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Ravi Bangoria <ravi.bangoria@linux.ibm.com>
Signed-off-by: Hari Bathini <hbathini@linux.ibm.com>
Reviewed-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20211012123056.485795-7-hbathini@linux.ibm.com
Diffstat (limited to 'arch/powerpc/lib/code-patching.c')
0 files changed, 0 insertions, 0 deletions