author: Andrii Nakryiko <andrii@kernel.org> 2021-05-04 16:38:00 -0700
committer: Daniel Borkmann <daniel@iogearbox.net> 2021-05-11 13:31:10 +0200
commit: 04ea3086c4d73da7009de1e84962a904139af219 (patch)
tree: fa1319ec2102abc1141abccb4a28e73c231db8d4 /init/Kconfig
parent: 4b81ccebaeee885ab1aa1438133f2991e3a2b6ea (diff)

bpf: Prevent writable memory-mapping of read-only ringbuf pages

Only the very first page of BPF ringbuf that contains consumer position
counter is supposed to be mapped as writeable by user-space. Producer
position is read-only and can be modified only by the kernel code. BPF ringbuf
data pages are read-only as well and are not meant to be modified by
user-code to maintain integrity of per-record headers.

This patch allows to map only consumer position page as writeable and
everything else is restricted to be read-only. remap_vmalloc_range()
internally adds VM_DONTEXPAND, so all the established memory mappings can't be
extended, which prevents any future violations through mremap()'ing.

Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
Reported-by: Ryota Shiga (Flatt Security)
Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'init/Kconfig')
0 files changed, 0 insertions, 0 deletions
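
The mapping policy the commit message describes, as an added user-space model in C; it is not the kernel's code and not part of this commit. The `model_*` names, the flag values, the 4096-byte page size, the `-EPERM`/`-EFAULT` return codes and the placement of the producer position page at page offset 1 are assumptions of the model.

```c
#include <errno.h>
#include <stdio.h>

#define MODEL_PAGE_SIZE 4096UL
/* Flag values are local to this model, not the kernel's definitions. */
#define MODEL_VM_WRITE      0x1u
#define MODEL_VM_DONTEXPAND 0x2u

struct model_vma {
    unsigned long pgoff;  /* page offset into the ringbuf; 0 = consumer position page */
    unsigned long len;    /* requested mapping length in bytes */
    unsigned int flags;
};

/* Writable mappings are allowed only for exactly the first (consumer) page. */
static int model_ringbuf_mmap(struct model_vma *vma)
{
    if ((vma->flags & MODEL_VM_WRITE) &&
        (vma->pgoff != 0 || vma->len != MODEL_PAGE_SIZE))
        return -EPERM;  /* assumed error code */
    /* Models remap_vmalloc_range() adding VM_DONTEXPAND to the mapping. */
    vma->flags |= MODEL_VM_DONTEXPAND;
    return 0;
}

/* Models mremap(): an established mapping with VM_DONTEXPAND cannot grow. */
static int model_mremap_grow(const struct model_vma *vma, unsigned long new_len)
{
    if (new_len > vma->len && (vma->flags & MODEL_VM_DONTEXPAND))
        return -EFAULT;  /* assumed error code */
    return 0;
}

/* Helper: request a mapping of `pages` pages at `pgoff`, writable or not. */
static int try_map(unsigned long pgoff, unsigned long pages, int writable)
{
    struct model_vma vma = { pgoff, pages * MODEL_PAGE_SIZE, writable ? MODEL_VM_WRITE : 0 };
    return model_ringbuf_mmap(&vma);
}

int main(void)
{
    struct model_vma cons = { 0, MODEL_PAGE_SIZE, MODEL_VM_WRITE };
    model_ringbuf_mmap(&cons);
    printf("rw consumer page       : %d\n", try_map(0, 1, 1));
    printf("rw consumer + next page: %d\n", try_map(0, 2, 1));
    printf("rw page at offset 1    : %d\n", try_map(1, 1, 1));
    printf("grow consumer mapping  : %d\n", model_mremap_grow(&cons, 2 * MODEL_PAGE_SIZE));
    return 0;
}
```

The second case is the one to watch: a writable request that starts at offset 0 but spans more than one page is rejected, because it would otherwise cover the page after the consumer position counter.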