tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

bpf: force BPF_F_RDONLY_PROG on insn array creation

The original implementation added a hack to check_mem_access()
to prevent programs from writing into insn arrays. To get rid
of this hack, enforce BPF_F_RDONLY_PROG on map creation.

Also fix the corresponding selftest, as the error message changes
with this patch.

Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20251128063224.1305482-2-a.s.protopopov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

authored by

Anton Protopopov and committed by
Alexei Starovoitov 7feff23c 688b7454

+10 -8
+3
kernel/bpf/bpf_insn_array.c
··· 55 55 56 56 bpf_map_init_from_attr(&insn_array->map, attr); 57 57 58 + /* BPF programs aren't allowed to write to the map */ 59 + insn_array->map.map_flags |= BPF_F_RDONLY_PROG; 60 + 58 61 return &insn_array->map; 59 62 } 60 63
+6 -7
kernel/bpf/verifier.c
··· 7565 7565 verbose(env, "R%d leaks addr into map\n", value_regno); 7566 7566 return -EACCES; 7567 7567 } 7568 - if (t == BPF_WRITE && insn_array) { 7569 - verbose(env, "writes into insn_array not allowed\n"); 7570 - return -EACCES; 7571 - } 7572 - 7573 7568 err = check_map_access_type(env, regno, off, size, t); 7574 7569 if (err) 7575 7570 return err; ··· 7579 7584 } else if (t == BPF_READ && value_regno >= 0) { 7580 7585 struct bpf_map *map = reg->map_ptr; 7581 7586 7582 - /* if map is read-only, track its contents as scalars */ 7587 + /* 7588 + * If map is read-only, track its contents as scalars, 7589 + * unless it is an insn array (see the special case below) 7590 + */ 7583 7591 if (tnum_is_const(reg->var_off) && 7584 7592 bpf_map_is_rdonly(map) && 7585 - map->ops->map_direct_value_addr) { 7593 + map->ops->map_direct_value_addr && 7594 + map->map_type != BPF_MAP_TYPE_INSN_ARRAY) { 7586 7595 int map_off = off + reg->var_off.value; 7587 7596 u64 val = 0; 7588 7597
+1 -1
tools/testing/selftests/bpf/progs/verifier_gotox.c
··· 244 244 } 245 245 246 246 SEC("socket") 247 - __failure __msg("writes into insn_array not allowed") 247 + __failure __msg("write into map forbidden, value_size=16 off=8 size=8") 248 248 __naked void jump_table_no_writes(void) 249 249 { 250 250 asm volatile (" \