ANDROID: arm64: bpf: implement arch_bpf_jit_check_func
Implement arch_bpf_jit_check_func to check that pointers to jited BPF
functions are correctly aligned and point to the BPF JIT region. This
narrows down the attack surface on the stored pointer.
Bug: 140377409
Change-Id: I10c448eda6a8b0bf4c16ee591fc65974696216b9
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
(cherry picked from commit c10baf7606
)
This commit is contained in:
parent
89aed473c5
commit
cfd89c3d47
1 changed files with 22 additions and 0 deletions
|
@ -949,3 +949,25 @@ out:
|
||||||
tmp : orig_prog);
|
tmp : orig_prog);
|
||||||
return prog;
|
return prog;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef CONFIG_CFI_CLANG
|
||||||
|
bool arch_bpf_jit_check_func(const struct bpf_prog *prog)
|
||||||
|
{
|
||||||
|
const uintptr_t func = (const uintptr_t)prog->bpf_func;
|
||||||
|
|
||||||
|
/*
|
||||||
|
* bpf_func must be correctly aligned and within the correct region.
|
||||||
|
* module_alloc places JIT code in the module region, unless
|
||||||
|
* ARM64_MODULE_PLTS is enabled, in which case we might end up using
|
||||||
|
* the vmalloc region too.
|
||||||
|
*/
|
||||||
|
if (unlikely(!IS_ALIGNED(func, sizeof(u32))))
|
||||||
|
return false;
|
||||||
|
|
||||||
|
if (IS_ENABLED(CONFIG_ARM64_MODULE_PLTS) &&
|
||||||
|
is_vmalloc_addr(prog->bpf_func))
|
||||||
|
return true;
|
||||||
|
|
||||||
|
return (func >= MODULES_VADDR && func < MODULES_END);
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
Loading…
Reference in a new issue