git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/commit
bpf: Prevent writable memory-mapping of read-only ringbuf pages
author Andrii Nakryiko <andrii@kernel.org>
Thu, 27 May 2021 00:11:00 +0000 (02:11 +0200)
committer Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Fri, 28 May 2021 10:39:10 +0000 (12:39 +0200)
commit 15735c6b0d603672cc967621106e801e8587ec7b
tree bcfaffc562d1f929097d40d98df38037b7d7d3e5
parent e58b5a02adf7b57d576b87cbce5f64e83f0dc004
bpf: Prevent writable memory-mapping of read-only ringbuf pages

Only the very first page of BPF ringbuf that contains consumer position
counter is supposed to be mapped as writeable by user-space. Producer
position is read-only and can be modified only by the kernel code. BPF ringbuf
data pages are read-only as well and are not meant to be modified by
user-code to maintain integrity of per-record headers.

This patch allows to map only consumer position page as writeable and
everything else is restricted to be read-only. remap_vmalloc_range()
internally adds VM_DONTEXPAND, so all the established memory mappings can't be
extended, which prevents any future violations through mremap()'ing.

Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
Reported-by: Ryota Shiga (Flatt Security)
Reported-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
(cherry picked from commit 04ea3086c4d73da7009de1e84962a904139af219 bpf.git)
CVE-2021-3489
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Acked-by: Tim Gardner <tim.gardner@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
kernel/bpf/ringbuf.c
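
The policy the commit message describes, as a user-space C model added here for illustration; it is not the kernel patch or any code from this page. The struct, the `M_*` flag values, the helper names and the returned error codes are constructed stand-ins, and clearing the may-write bit on read-only mappings is an assumption about how "restricted to be read-only" is enforced.

```c
#include <errno.h>
#include <stdio.h>

/* Constructed stand-ins for kernel vm_flags bits; values and error codes are illustrative. */
#define M_VM_WRITE      0x1u
#define M_VM_MAYWRITE   0x2u
#define M_VM_DONTEXPAND 0x4u
#define M_PAGE_SIZE     4096ul

struct model_vma {        /* hypothetical minimal view of one mapping */
    unsigned long pgoff;  /* page offset into the ringbuf; 0 = consumer position page */
    unsigned long len;    /* mapping length in bytes */
    unsigned int flags;
};

/* mmap-time policy: writable only for exactly the consumer position page. */
int model_ringbuf_mmap(struct model_vma *vma) {
    if (vma->flags & M_VM_WRITE) {
        if (vma->pgoff != 0 || vma->len != M_PAGE_SIZE)
            return -EPERM;
    } else {
        vma->flags &= ~M_VM_MAYWRITE; /* assumption: read-only can never be upgraded */
    }
    vma->flags |= M_VM_DONTEXPAND; /* per the message, set by remap_vmalloc_range() */
    return 0;
}

/* Later mprotect(PROT_WRITE): allowed only if the may-write bit survived mmap. */
int model_mprotect_write(struct model_vma *vma) {
    if (!(vma->flags & M_VM_MAYWRITE))
        return -EACCES;
    vma->flags |= M_VM_WRITE;
    return 0;
}

/* Later mremap() growth: refused for mappings marked don't-expand. */
int model_mremap_grow(struct model_vma *vma, unsigned long new_len) {
    if (new_len > vma->len && (vma->flags & M_VM_DONTEXPAND))
        return -EFAULT;
    vma->len = new_len;
    return 0;
}

int main(void) {
    struct model_vma data = { 1, M_PAGE_SIZE, M_VM_MAYWRITE }; /* read-only data page */
    int rc = model_ringbuf_mmap(&data);
    printf("ro data map=%d, mprotect=%d\n", rc, model_mprotect_write(&data));
    return 0;
}
```

The three helpers correspond to the three ways a mapping could end up writable over producer or data pages: requesting write at `mmap()` time, upgrading a read-only mapping afterwards, and growing the writable consumer mapping past its one page.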