bpf: force BPF_F_RDONLY_PROG on insn array creation

The original implementation added a hack to check_mem_access()
to prevent programs from writing into insn arrays. To get rid
of this hack, enforce BPF_F_RDONLY_PROG on map creation.

Also fix the corresponding selftest, as the error message changes
with this patch.

Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Link: https://lore.kernel.org/r/20251128063224.1305482-2-a.s.protopopov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/bpf_insn_array.c b/kernel/bpf/bpf_insn_array.c
index 61ce52882632870355f3966add699c339e07de96..c96630cb75bf7a0cc1f2ee060ad8459667d41946 100644 (file)
--- a/kernel/bpf/bpf_insn_array.c
+++ b/kernel/bpf/bpf_insn_array.c
@@ -55,6 +55,9 @@ static struct bpf_map *insn_array_alloc(union bpf_attr *attr)
 
        bpf_map_init_from_attr(&insn_array->map, attr);
 
+       /* BPF programs aren't allowed to write to the map */
+       insn_array->map.map_flags |= BPF_F_RDONLY_PROG;
+
        return &insn_array->map;
 }
 

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 766695491bc5b71249ce86910ac71cb2e0baa5f0..4a53ca1d3104889fb35ed2db7ddb6cc258d1051c 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7565,11 +7565,6 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
                        verbose(env, "R%d leaks addr into map\n", value_regno);
                        return -EACCES;
                }
-               if (t == BPF_WRITE && insn_array) {
-                       verbose(env, "writes into insn_array not allowed\n");
-                       return -EACCES;
-               }
-
                err = check_map_access_type(env, regno, off, size, t);
                if (err)
                        return err;
@@ -7584,10 +7579,14 @@ static int check_mem_access(struct bpf_verifier_env *env, int insn_idx, u32 regn
                } else if (t == BPF_READ && value_regno >= 0) {
                        struct bpf_map *map = reg->map_ptr;
 
-                       /* if map is read-only, track its contents as scalars */
+                       /*
+                        * If map is read-only, track its contents as scalars,
+                        * unless it is an insn array (see the special case below)
+                        */
                        if (tnum_is_const(reg->var_off) &&
                            bpf_map_is_rdonly(map) &&
-                           map->ops->map_direct_value_addr) {
+                           map->ops->map_direct_value_addr &&
+                           map->map_type != BPF_MAP_TYPE_INSN_ARRAY) {
                                int map_off = off + reg->var_off.value;
                                u64 val = 0;
 

diff --git a/tools/testing/selftests/bpf/progs/verifier_gotox.c b/tools/testing/selftests/bpf/progs/verifier_gotox.c
index 536c9f3e217035205ea40941207a36cdd68790c7..607dad058ca16be9b3e55c04afff9ee857b2a56d 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_gotox.c
+++ b/tools/testing/selftests/bpf/progs/verifier_gotox.c
@@ -244,7 +244,7 @@ jt0_%=:                                                             \
 }
 
 SEC("socket")
-__failure __msg("writes into insn_array not allowed")
+__failure __msg("write into map forbidden, value_size=16 off=8 size=8")
 __naked void jump_table_no_writes(void)
 {
        asm volatile ("                                         \