linux/arch/arm64
Daniel Borkmann b569c1c622 net: bpf: arm64: address randomize and write protect JIT code
This is the ARM64 variant for 314beb9bca ("x86: bpf_jit_comp: secure bpf
jit against spraying attacks").

Thanks to commit 11d91a770f ("arm64: Add CONFIG_DEBUG_SET_MODULE_RONX
support") which added necessary infrastructure, we can now implement
RO marking of eBPF generated JIT image pages and randomize start offset
for the JIT code, so that it does not reside directly on a page boundary
anymore. Likewise, the holes are filled with illegal instructions: here
we use BRK #0x100 (opcode 0xd4202000) to trigger a fault in the kernel
(unallocated BRKs would trigger a fault through do_debug_exception). This
seems more reliable as we don't have a guaranteed undefined instruction
space on ARM64.

This is basically the ARM64 variant of what we already have in ARM via
commit 55309dd3d4 ("net: bpf: arm: address randomize and write protect
JIT code"). Moreover, this commit also presents a merge resolution due to
conflicts with commit 60a3b2253c ("net: bpf: make eBPF interpreter images
read-only") as we don't use kfree() in bpf_jit_free() anymore to release
the locked bpf_prog structure, but instead bpf_prog_unlock_free() through
a different allocator.

JIT tested on aarch64 with BPF test suite.

Reference: http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
Reviewed-by: Zi Shen Lim <zlim.lnx@gmail.com>
Acked-by: Will Deacon <will.deacon@arm.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Alexei Starovoitov <ast@plumgrid.com>
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
2014-10-20 17:47:03 +01:00
..
boot Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2014-10-18 09:31:37 -07:00
configs ARM64: SoC changes for 3.18 2014-10-08 17:40:02 -04:00
crypto arm64/crypto: remove redundant update of data 2014-08-26 11:42:22 +01:00
include arm64: compat: fix compat types affecting struct compat_elf_prpsinfo 2014-10-20 17:47:02 +01:00
kernel Merge git://git.infradead.org/users/eparis/audit 2014-10-19 16:25:56 -07:00
kvm Second batch of changes for KVM/{arm,arm64} for 3.18 2014-10-18 14:32:31 -07:00
lib arm64: lib: Implement optimized string length routines 2014-05-23 15:17:12 +01:00
mm arm64: mm: Correct fixmap pagetable types 2014-10-20 17:47:02 +01:00
net net: bpf: arm64: address randomize and write protect JIT code 2014-10-20 17:47:03 +01:00
xen arm: xen: implement multicall hypercall support. 2014-04-24 13:09:46 +01:00
Kconfig arm64: Allow 48-bits VA space without ARM_SMMU 2014-10-20 17:47:02 +01:00
Kconfig.debug arm64: Add CONFIG_DEBUG_SET_MODULE_RONX support 2014-09-08 14:39:18 +01:00
Makefile Merge branch 'kbuild' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild 2014-10-14 09:22:26 +02:00