[RFC PATCH v2 22/26] perf bpf: Implement boundary check code in ubpf

From: He Kuang
Date: Sun Jun 26 2016 - 07:24:13 EST

Next message: He Kuang: "[RFC PATCH v2 20/26] perf bpf: Accept uBPF programs"
Previous message: He Kuang: "[RFC PATCH v2 15/26] perf bpf: Introduce the entity and engine for userspace bpf"
In reply to: He Kuang: "[RFC PATCH v2 15/26] perf bpf: Introduce the entity and engine for userspace bpf"
Next in thread: He Kuang: "[RFC PATCH v2 20/26] perf bpf: Accept uBPF programs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Make sure that ubpf load/store instructions only access the context
and stack region.

Signed-off-by: He Kuang <hekuang@xxxxxxxxxx>
---
tools/perf/util/bpf-vm.c | 35 +++++++++++++++++++++++++++++++++++
tools/perf/util/bpf-vm.h | 3 ++-
2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/tools/perf/util/bpf-vm.c b/tools/perf/util/bpf-vm.c
index 23ac784..191ed42 100644
--- a/tools/perf/util/bpf-vm.c
+++ b/tools/perf/util/bpf-vm.c
@@ -2,6 +2,11 @@
#include "util.h"
#include "tools/be_byteshift.h"
#include "bpf-vm.h"
+#include "debug.h"
+#include <linux/filter.h>
+
+#define DST regs[insn->dst_reg]
+#define SRC regs[insn->src_reg]

static inline void
bpf_vm_jmp_call_handler(u64 *regs __maybe_unused, void *ctx __maybe_unused,
@@ -30,5 +35,35 @@ static inline void *bpf_load_pointer(const void *skb __maybe_unused,
return NULL;
}

+static bool
+bounds_check(void *addr, int size, void *ctx, size_t ctx_len, void *stack)
+{
+ if (ctx && (addr >= ctx && (addr + size) <= (ctx + ctx_len))) {
+ /* Context access */
+ return true;
+ } else if (addr >= stack && (addr + size) <= (stack + MAX_BPF_STACK)) {
+ /* Stack access */
+ return true;
+ }
+
+ pr_debug("bpf: bounds_check failed\n");
+ return false;
+}
+
+#define BOUNDS_CHECK_LOAD(size) \
+ do { \
+ if (!bounds_check((void *)SRC + insn->off, size, \
+ ctx, ctx_len, stack)) { \
+ return -1; \
+ } \
+ } while (0)
+#define BOUNDS_CHECK_STORE(size) \
+ do { \
+ if (!bounds_check((void *)DST + insn->off, size, \
+ ctx, ctx_len, stack)) { \
+ return -1; \
+ } \
+ } while (0)
+
#define UBPF_BUILD
#include <../../../kernel/bpf/vm.c>
diff --git a/tools/perf/util/bpf-vm.h b/tools/perf/util/bpf-vm.h
index bf96caa..66956fbb 100644
--- a/tools/perf/util/bpf-vm.h
+++ b/tools/perf/util/bpf-vm.h
@@ -2,6 +2,7 @@
#define _BPF_VM_H

struct bpf_insn;
-unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn);
+unsigned int __bpf_prog_run(void *ctx, const struct bpf_insn *insn,
+ size_t ctx_len);

#endif /* _BPF_VM_H */
--
1.8.5.2

Next message: He Kuang: "[RFC PATCH v2 20/26] perf bpf: Accept uBPF programs"
Previous message: He Kuang: "[RFC PATCH v2 15/26] perf bpf: Introduce the entity and engine for userspace bpf"
In reply to: He Kuang: "[RFC PATCH v2 15/26] perf bpf: Introduce the entity and engine for userspace bpf"
Next in thread: He Kuang: "[RFC PATCH v2 20/26] perf bpf: Accept uBPF programs"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]