Google Git
Sign in
cos / third_party / kernel / fa50651ae4450032ed8565f050845935213ceebc
commitfa50651ae4450032ed8565f050845935213ceebc[log] [tgz]
authorAlexei Starovoitov <[email protected]>Thu May 12 18:10:24 2022 -0700
committerCOS Cherry Picker <[email protected]>Thu Jan 09 15:11:03 2025 -0800
tree5fd621910e197719b6b9e7da1fd5b4f31143f899
parent03a6865b96513d1f3582b628313d4ddd914c475c [diff]
bpf: Fix combination of jit blinding and pointers to bpf subprogs.

The combination of jit blinding and pointers to bpf subprogs causes:
[   36.989548] BUG: unable to handle page fault for address: 0000000100000001
[   36.990342] #PF: supervisor instruction fetch in kernel mode
[   36.990968] #PF: error_code(0x0010) - not-present page
[   36.994859] RIP: 0010:0x100000001
[   36.995209] Code: Unable to access opcode bytes at RIP 0xffffffd7.
[   37.004091] Call Trace:
[   37.004351]  <TASK>
[   37.004576]  ? bpf_loop+0x4d/0x70
[   37.004932]  ? bpf_prog_3899083f75e4c5de_F+0xe3/0x13b

The jit blinding logic didn't recognize that ld_imm64 with an address
of bpf subprogram is a special instruction and proceeded to randomize it.
By itself it wouldn't have been an issue, but jit_subprogs() logic
relies on two step process to JIT all subprogs and then JIT them
again when addresses of all subprogs are known.
Blinding process in the first JIT phase caused second JIT to miss
adjustment of special ld_imm64.

Fix this issue by ignoring special ld_imm64 instructions that don't have
user controlled constants and shouldn't be blinded.

BUG=b/385548908
TEST=presubmit, repro
RELEASE_NOTE=Fixed a kernel crash that occurred when running some BPF
programs.

cos-patch: bug
Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper")
Reported-by: Andrii Nakryiko <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Andrii Nakryiko <[email protected]>
Acked-by: Martin KaFai Lau <[email protected]>
Link: https://lore.kernel.org/bpf/[email protected]
(cherry picked from commit 4b6313cf99b0d51b49aeaea98ec76ca8161ecb80)
Signed-off-by: Robert Kolchmeyer <[email protected]>
Change-Id: Ib1a414caa3ff2b3cbce97e45e11c83f26caf587c
Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/90059
Main-Branch-Verified: Cusky Presubmit Bot <[email protected]>
Reviewed-by: Kevin Berry <[email protected]>
Tested-by: Cusky Presubmit Bot <[email protected]>
1 file changed
tree: 5fd621910e197719b6b9e7da1fd5b4f31143f899
  1. arch/
  2. block/
  3. certs/
  4. crypto/
  5. Documentation/
  6. drivers/
  7. fs/
  8. google/
  9. include/
  10. init/
  11. io_uring/
  12. ipc/
  13. kernel/
  14. lib/
  15. LICENSES/
  16. mm/
  17. net/
  18. samples/
  19. scripts/
  20. security/
  21. sound/
  22. tools/
  23. usr/
  24. virt/
  25. .clang-format
  26. .cocciconfig
  27. .get_maintainer.ignore
  28. .gitattributes
  29. .gitignore
  30. .mailmap
  31. COPYING
  32. CREDITS
  33. Kbuild
  34. Kconfig
  35. MAINTAINERS
  36. Makefile
  37. PRESUBMIT.cfg
  38. README