diff options
| author | Anton Protopopov <a.s.protopopov@gmail.com> | 2025-11-28 06:32:23 +0000 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2025-11-28 15:15:43 -0800 |
| commit | 7feff23cdf2ecd30909872f3be1da820df839ab0 (patch) | |
| tree | 2121e89fecabf2830a3d00602cadeaee64e21c85 | |
| parent | 688b745401ab16e2e1a3b504863f0a45fd345638 (diff) | |
bpf: force BPF_F_RDONLY_PROG on insn array creation
The original implementation added a hack to check_mem_access()
to prevent programs from writing into insn arrays. To get rid
of this hack, enforce BPF_F_RDONLY_PROG on map creation.
Also fix the corresponding selftest, as the error message changes
with this patch.
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20251128063224.1305482-2-a.s.protopopov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
| -rw-r--r-- | kernel/bpf/bpf_insn_array.c | 3 | ||||
| -rw-r--r-- | kernel/bpf/verifier.c | 13 | ||||
| -rw-r--r-- | tools/testing/selftests/bpf/progs/verifier_gotox.c | 2 |
3 files changed, 10 insertions, 8 deletions
diff --git a/kernel/bpf/bpf_insn_array.c b/kernel/bpf/bpf_insn_array.c index 61ce52882632..c96630cb75bf 100644 --- a/kernel/bpf/bpf_insn_array.c +++ b/kernel/bpf/bpf_insn_array.c @@ -55,6 +55,9 @@ static struct bpf_map *insn_array_alloc(union bpf_attr *attr) bpf_map_init_from_attr(&insn_array->map, attr); + /* BPF programs aren't allowed to write to the map */ + insn_array->map.map_flags |= BPF_F_RDONLY_PROG; + return &insn_array->map; } diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 766695491bc5..4a53ca1d3104 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -7565,11 +7565,6 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn verbose(env, "R%d leaks addr into map\n", value_regno); return -EACCES; } - if (t == BPF_WRITE && insn_array) { - verbose(env, "writes into insn_array not allowed\n"); - return -EACCES; - } - err = check_map_access_type(env, regno, off, size, t); if (err) return err; @@ -7584,10 +7579,14 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn } else if (t == BPF_READ && value_regno >= 0) { struct bpf_map *map = reg->map_ptr; - /* if map is read-only, track its contents as scalars */ + /* + * If map is read-only, track its contents as scalars, + * unless it is an insn array (see the special case below) + */ if (tnum_is_const(reg->var_off) && bpf_map_is_rdonly(map) && - map->ops->map_direct_value_addr) { + map->ops->map_direct_value_addr && + map->map_type != BPF_MAP_TYPE_INSN_ARRAY) { int map_off = off + reg->var_off.value; u64 val = 0; diff --git a/tools/testing/selftests/bpf/progs/verifier_gotox.c b/tools/testing/selftests/bpf/progs/verifier_gotox.c index 536c9f3e2170..607dad058ca1 100644 --- a/tools/testing/selftests/bpf/progs/verifier_gotox.c +++ b/tools/testing/selftests/bpf/progs/verifier_gotox.c @@ -244,7 +244,7 @@ jt0_%=: \ } SEC("socket") -__failure __msg("writes into insn_array not allowed") +__failure __msg("write into map forbidden, value_size=16 off=8 size=8") __naked void jump_table_no_writes(void) { asm volatile (" \ |