    net: bpf: arm64: address randomize and write protect JIT code · b569c1c6
    Daniel Borkmann authored
    This is the ARM64 variant for 314beb9b ("x86: bpf_jit_comp: secure bpf
    jit against spraying attacks").
    
    Thanks to commit 11d91a77 ("arm64: Add CONFIG_DEBUG_SET_MODULE_RONX
    support"), which added the necessary infrastructure, we can now implement
    RO marking of eBPF generated JIT image pages and randomize start offset
    for the JIT code, so that it does not reside directly on a page boundary
    anymore. Likewise, the holes are filled with illegal instructions: here
    we use BRK #0x100 (opcode 0xd4202000) to trigger a fault in the kernel
    (unallocated BRKs would trigger a fault through do_debug_exception). This
    seems more reliable as we don't have a guaranteed undefined instruction
    space on ARM64.
    
    This is basically the ARM64 variant of what we already have in ARM via
    commit 55309dd3 ("net: bpf: arm: address randomize and write protect
    JIT code"). Moreover, this commit also presents a merge resolution due to
    conflicts with commit 60a3b225 ("net: bpf: make eBPF interpreter images
    read-only") as we don't use kfree() in bpf_jit_free() anymore to release
    the locked bpf_prog structure, but instead bpf_prog_unlock_free() through
    a different allocator.
    
    JIT tested on aarch64 with BPF test suite.
    
    Reference: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html

    Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
    Reviewed-by: Zi Shen Lim <zlim.lnx@gmail.com>
    Acked-by: Will Deacon <will.deacon@arm.com>
    Cc: David S. Miller <davem@davemloft.net>
    Cc: Alexei Starovoitov <ast@plumgrid.com>
    Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
bpf_jit_comp.c 17.4 KB
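The image layout the commit message describes (program rounded up to whole pages, every hole filled with BRK #0x100 = 0xd4202000, start offset randomised so the code no longer begins on the page boundary), as an added userspace model in C. This is illustrative code written for this page, not the kernel's bpf_jit_comp.c: PAGE_SIZE, the rnd parameter standing in for the kernel's random source, plain malloc in place of the kernel's page-aligned module allocator, and the jit_image_* names are assumptions of the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model of the layout the commit describes, not the kernel's
 * bpf_jit_comp.c; PAGE_SIZE and the rnd parameter are assumptions. */
#define PAGE_SIZE     4096u
#define A64_BRK_0x100 0xd4202000u /* BRK #0x100: faults if ever executed */
struct jit_image {
	uint8_t *mem;  /* allocation holding the JIT code (page-aligned in the kernel) */
	size_t size;   /* whole allocation, a multiple of PAGE_SIZE */
	size_t start;  /* randomised byte offset of the first real instruction */
};

/* Round the program up to whole pages, fill every 4-byte slot with
 * BRK #0x100 so no hole is left zeroed, then pick a 4-byte aligned start
 * inside the slack. rnd stands in for the kernel's random source. */
static int jit_image_alloc(struct jit_image *img, size_t prog_len, unsigned int rnd)
{
	uint32_t brk = A64_BRK_0x100;
	if (prog_len == 0 || prog_len % 4)
		return -1;
	img->size = (prog_len + PAGE_SIZE - 1) / PAGE_SIZE * PAGE_SIZE;
	img->mem = malloc(img->size); /* kernel: page-aligned module memory */
	if (!img->mem)
		return -1;
	for (size_t off = 0; off < img->size; off += 4)
		memcpy(img->mem + off, &brk, 4); /* host byte order, as a JIT writes */
	/* slack is img->size - prog_len bytes, i.e. slack/4 + 1 candidate slots */
	img->start = (rnd % ((img->size - prog_len) / 4 + 1)) * 4;
	return 0;
}

/* Defender's check on a finished image: the program sits 4-byte aligned
 * inside the allocation and every word outside it is still BRK #0x100. */
static int jit_image_check(const struct jit_image *img, size_t prog_len)
{
	uint32_t word;
	if (img->start % 4 || img->start + prog_len > img->size)
		return 0;
	for (size_t off = 0; off < img->size; off += 4) {
		if (off >= img->start && off < img->start + prog_len)
			continue;
		memcpy(&word, img->mem + off, 4);
		if (word != A64_BRK_0x100)
			return 0;
	}
	return 1;
}
```

After the program bytes are copied to `img->mem + img->start`, `jit_image_check` confirms that nothing but BRK #0x100 surrounds them; marking the pages read-only, the other half of the commit, is a separate kernel-side step not modelled here.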