Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Alexei Starovoitov says: ==================== pull-request: bpf 2019-01-02 The following pull-request contains BPF updates for your *net* tree. The main changes are: 1) prevent out of bounds speculation on pointer arithmetic, from Daniel. 2) typo fix, from Xiaozhou. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
commit
be63004336
6 changed files with 1433 additions and 89 deletions
|
|
@ -148,6 +148,7 @@ struct bpf_verifier_state {
|
|||
/* call stack tracking */
|
||||
struct bpf_func_state *frame[MAX_CALL_FRAMES];
|
||||
u32 curframe;
|
||||
bool speculative;
|
||||
};
|
||||
|
||||
#define bpf_get_spilled_reg(slot, frame) \
|
||||
|
|
@ -167,15 +168,24 @@ struct bpf_verifier_state_list {
|
|||
struct bpf_verifier_state_list *next;
|
||||
};
|
||||
|
||||
/* Possible states for alu_state member. */
|
||||
#define BPF_ALU_SANITIZE_SRC 1U
|
||||
#define BPF_ALU_SANITIZE_DST 2U
|
||||
#define BPF_ALU_NEG_VALUE (1U << 2)
|
||||
#define BPF_ALU_SANITIZE (BPF_ALU_SANITIZE_SRC | \
|
||||
BPF_ALU_SANITIZE_DST)
|
||||
|
||||
struct bpf_insn_aux_data {
|
||||
union {
|
||||
enum bpf_reg_type ptr_type; /* pointer type for load/store insns */
|
||||
unsigned long map_state; /* pointer/poison value for maps */
|
||||
s32 call_imm; /* saved imm field of call insn */
|
||||
u32 alu_limit; /* limit for add/sub register with pointer */
|
||||
};
|
||||
int ctx_field_size; /* the ctx field size for load insn, maybe 0 */
|
||||
int sanitize_stack_off; /* stack slot to be cleared */
|
||||
bool seen; /* this insn was processed by the verifier */
|
||||
u8 alu_state; /* used in combination with alu_limit */
|
||||
};
|
||||
|
||||
#define MAX_USED_MAPS 64 /* max number of maps accessed by one eBPF program */
|
||||
|
|
@ -212,6 +222,8 @@ struct bpf_subprog_info {
|
|||
* one verifier_env per bpf_check() call
|
||||
*/
|
||||
struct bpf_verifier_env {
|
||||
u32 insn_idx;
|
||||
u32 prev_insn_idx;
|
||||
struct bpf_prog *prog; /* eBPF program being verified */
|
||||
const struct bpf_verifier_ops *ops;
|
||||
struct bpf_verifier_stack_elem *head; /* stack of verifier states to be processed */
|
||||
|
|
|
|||
|
|
@ -53,14 +53,10 @@ struct sock_reuseport;
|
|||
#define BPF_REG_D BPF_REG_8 /* data, callee-saved */
|
||||
#define BPF_REG_H BPF_REG_9 /* hlen, callee-saved */
|
||||
|
||||
/* Kernel hidden auxiliary/helper register for hardening step.
|
||||
* Only used by eBPF JITs. It's nothing more than a temporary
|
||||
* register that JITs use internally, only that here it's part
|
||||
* of eBPF instructions that have been rewritten for blinding
|
||||
* constants. See JIT pre-step in bpf_jit_blind_constants().
|
||||
*/
|
||||
/* Kernel hidden auxiliary/helper register. */
|
||||
#define BPF_REG_AX MAX_BPF_REG
|
||||
#define MAX_BPF_JIT_REG (MAX_BPF_REG + 1)
|
||||
#define MAX_BPF_EXT_REG (MAX_BPF_REG + 1)
|
||||
#define MAX_BPF_JIT_REG MAX_BPF_EXT_REG
|
||||
|
||||
/* unused opcode to mark special call to bpf_tail_call() helper */
|
||||
#define BPF_TAIL_CALL 0xf0
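Review bot: The replacement comment above `BPF_REG_AX`, `/* Kernel hidden auxiliary/helper register. */`, drops the statement of who uses the register and names no new owner. The removed text limited it to JIT constant blinding. If this series also lets verifier-inserted instructions use it (not visible in this section, inferred from the merge description), the header should say that both share it and that no value may be assumed to survive in it across a rewritten instruction, e.g. `/* Kernel hidden auxiliary/helper register: never exposed to programs, scratch for verifier rewrites and JIT constant blinding. */`. `MAX_BPF_EXT_REG` and `MAX_BPF_JIT_REG` now have the same value with no comment on why both names exist; a one-line note on which code should use which would keep them from being mixed.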
|
||||
|
|
|
|||