bpf: support instructions arrays with constants blinding

When bpf_jit_harden is enabled, all constants in the BPF code are
blinded to prevent JIT spraying attacks. This happens during JIT
phase. Adjust all the related instruction arrays accordingly.

Signed-off-by: Anton Protopopov <a.s.protopopov@gmail.com>
Reviewed-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20251105090410.1250500-6-a.s.protopopov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index d595fe512498ccfd18d96ba908f5bbcb6c5532a8..4b62a03d6df5cb03646c3b83b05578f502c70235 100644 (file)
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -1450,6 +1450,23 @@ void bpf_jit_prog_release_other(struct bpf_prog *fp, struct bpf_prog *fp_other)
        bpf_prog_clone_free(fp_other);
 }
 
+static void adjust_insn_arrays(struct bpf_prog *prog, u32 off, u32 len)
+{
+#ifdef CONFIG_BPF_SYSCALL
+       struct bpf_map *map;
+       int i;
+
+       if (len <= 1)
+               return;
+
+       for (i = 0; i < prog->aux->used_map_cnt; i++) {
+               map = prog->aux->used_maps[i];
+               if (map->map_type == BPF_MAP_TYPE_INSN_ARRAY)
+                       bpf_insn_array_adjust(map, off, len);
+       }
+#endif
+}
+
 struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
 {
        struct bpf_insn insn_buff[16], aux[2];
@@ -1505,6 +1522,9 @@ struct bpf_prog *bpf_jit_blind_constants(struct bpf_prog *prog)
                clone = tmp;
                insn_delta = rewritten - 1;
 
+               /* Instructions arrays must be updated using absolute xlated offsets */
+               adjust_insn_arrays(clone, prog->aux->subprog_start + i, rewritten);
+
                /* Walk new program and skip insns we just inserted. */
                insn = clone->insnsi + i + insn_delta;
                insn_cnt += insn_delta;

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index dfe5741812b9965bb23fe8eecbec761491888489..781669f649f23f2fed678b9679c83079c77c0cc2 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -21632,6 +21632,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)
        struct bpf_insn *insn;
        void *old_bpf_func;
        int err, num_exentries;
+       int old_len, subprog_start_adjustment = 0;
 
        if (env->subprog_cnt <= 1)
                return 0;
@@ -21706,7 +21707,7 @@ static int jit_subprogs(struct bpf_verifier_env *env)
                func[i]->aux->func_idx = i;
                /* Below members will be freed only at prog->aux */
                func[i]->aux->btf = prog->aux->btf;
-               func[i]->aux->subprog_start = subprog_start;
+               func[i]->aux->subprog_start = subprog_start + subprog_start_adjustment;
                func[i]->aux->func_info = prog->aux->func_info;
                func[i]->aux->func_info_cnt = prog->aux->func_info_cnt;
                func[i]->aux->poke_tab = prog->aux->poke_tab;
@@ -21762,7 +21763,15 @@ static int jit_subprogs(struct bpf_verifier_env *env)
                func[i]->aux->might_sleep = env->subprog_info[i].might_sleep;
                if (!i)
                        func[i]->aux->exception_boundary = env->seen_exception;
+
+               /*
+                * To properly pass the absolute subprog start to jit
+                * all instruction adjustments should be accumulated
+                */
+               old_len = func[i]->len;
                func[i] = bpf_int_jit_compile(func[i]);
+               subprog_start_adjustment += func[i]->len - old_len;
+
                if (!func[i]->jited) {
                        err = -ENOTSUPP;
                        goto out_free;