mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	 dfeb376dd4
			
		
	
	
		dfeb376dd4
		
	
	
	
	
		
			
			As discussed in [0], it's dangerous to allow mapping BPF map, that's meant to
be frozen and is read-only on BPF program side, because that allows user-space
to actually store a writable view to the page even after it is frozen. This is
exacerbated by BPF verifier making a strong assumption that contents of such
frozen map will remain unchanged. To prevent this, disallow mapping
BPF_F_RDONLY_PROG mmap()'able BPF maps as writable, ever.
  [0] https://lore.kernel.org/bpf/CAEf4BzYGWYhXdp6BJ7_=9OQPJxQpgug080MMjdSB72i9R+5c6g@mail.gmail.com/
Fixes: fc9702273e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY")
Suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Andrii Nakryiko <andriin@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Reviewed-by: Jann Horn <jannh@google.com>
Link: https://lore.kernel.org/bpf/20200519053824.1089415-1-andriin@fb.com
		
	
			
		
			
				
	
	
		
			54 lines
		
	
	
		
			1.1 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			54 lines
		
	
	
		
			1.1 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| // SPDX-License-Identifier: GPL-2.0
 | |
| // Copyright (c) 2019 Facebook
 | |
| 
 | |
| #include <linux/bpf.h>
 | |
| #include <stdint.h>
 | |
| #include <bpf/bpf_helpers.h>
 | |
| 
 | |
| char _license[] SEC("license") = "GPL";
 | |
| 
 | |
| struct {
 | |
| 	__uint(type, BPF_MAP_TYPE_ARRAY);
 | |
| 	__uint(max_entries, 4096);
 | |
| 	__uint(map_flags, BPF_F_MMAPABLE | BPF_F_RDONLY_PROG);
 | |
| 	__type(key, __u32);
 | |
| 	__type(value, char);
 | |
| } rdonly_map SEC(".maps");
 | |
| 
 | |
| struct {
 | |
| 	__uint(type, BPF_MAP_TYPE_ARRAY);
 | |
| 	__uint(max_entries, 512 * 4); /* at least 4 pages of data */
 | |
| 	__uint(map_flags, BPF_F_MMAPABLE);
 | |
| 	__type(key, __u32);
 | |
| 	__type(value, __u64);
 | |
| } data_map SEC(".maps");
 | |
| 
 | |
| __u64 in_val = 0;
 | |
| __u64 out_val = 0;
 | |
| 
 | |
| SEC("raw_tracepoint/sys_enter")
 | |
| int test_mmap(void *ctx)
 | |
| {
 | |
| 	int zero = 0, one = 1, two = 2, far = 1500;
 | |
| 	__u64 val, *p;
 | |
| 
 | |
| 	out_val = in_val;
 | |
| 
 | |
| 	/* data_map[2] = in_val; */
 | |
| 	bpf_map_update_elem(&data_map, &two, (const void *)&in_val, 0);
 | |
| 
 | |
| 	/* data_map[1] = data_map[0] * 2; */
 | |
| 	p = bpf_map_lookup_elem(&data_map, &zero);
 | |
| 	if (p) {
 | |
| 		val = (*p) * 2;
 | |
| 		bpf_map_update_elem(&data_map, &one, &val, 0);
 | |
| 	}
 | |
| 
 | |
| 	/* data_map[far] = in_val * 3; */
 | |
| 	val = in_val * 3;
 | |
| 	bpf_map_update_elem(&data_map, &far, &val, 0);
 | |
| 
 | |
| 	return 0;
 | |
| }
 | |
| 
 |