From: Heiko Carstens <heiko.carstens@de.ibm.com>
To: Alexei Starovoitov <ast@plumgrid.com>
Cc: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
"H. Peter Anvin" <hpa@zytor.com>,
Daniel Borkmann <dborkman@redhat.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH net] net: filter: x86: fix JIT address randomization
Date: Wed, 14 May 2014 09:36:56 +0200
Message-ID: <20140514073656.GA9848@osiris>
In-Reply-To: <1400007214-3236-1-git-send-email-ast@plumgrid.com>

On Tue, May 13, 2014 at 11:53:34AM -0700, Alexei Starovoitov wrote:
> bpf_alloc_binary() adds 128 bytes of room to JITed program image
> and rounds it up to the nearest page size. If image size is close
> to page size (like 4000), it is rounded to two pages:
> round_up(4000 + 4 + 128) == 8192
> then 'hole' is computed as 8192 - (4000 + 4) = 4188
> If prandom_u32() % hole selects a number >= 4096, then kernel will crash
> during bpf_jit_free():
[...]
> Fixes: 314beb9bcabfd ("x86: bpf_jit_comp: secure bpf jit against spraying attacks")
> Signed-off-by: Alexei Starovoitov <ast@plumgrid.com>
> ---
>
> s390 commit aa2d2c73c21f ("s390/bpf,jit: address randomize and write protect jit code")
> seems to have the same problem

Yes, that's the same bug on s390. Would you mind fixing s390 as well, since I
assume you're going to send a new patch for x86?
Would be good to keep the code quite identical so these issues can be easily
seen across architectures.
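
The size arithmetic quoted above, worked through in C as an added example (not part of the original message, the patch, or the kernel source). It assumes a 4-byte header, 4096-byte pages, the image placed at header + random offset, and a free path that recovers the header by masking the image address down to a page boundary; `hole_clamped()` is a hypothetical bound for illustration, not the fix under discussion.

```c
#include <stdint.h>
#include <stdio.h>

#define PAGE_SIZE 4096u
#define HDR_SIZE  4u    /* the "+ 4" in the quoted arithmetic */
#define SLACK     128u  /* room added by bpf_alloc_binary() */

/* Allocation size: image + header + slack, rounded up to whole pages. */
static unsigned alloc_size(unsigned proglen)
{
    unsigned need = proglen + HDR_SIZE + SLACK;
    return (need + PAGE_SIZE - 1) / PAGE_SIZE * PAGE_SIZE;
}

/* 'hole' exactly as in the quoted description. */
static unsigned hole_unclamped(unsigned proglen)
{
    return alloc_size(proglen) - (proglen + HDR_SIZE);
}

/* Hypothetical clamp: the image must start inside the first page. */
static unsigned hole_clamped(unsigned proglen)
{
    unsigned h = hole_unclamped(proglen), max = PAGE_SIZE - HDR_SIZE;
    return h < max ? h : max;
}

/* Number of offsets in [0, hole) whose image address no longer masks
 * back to the allocation start (assumed header recovery on free). */
static unsigned bad_offsets(unsigned hole)
{
    const uintptr_t base = 0x100000; /* constructed page-aligned address */
    unsigned bad = 0;
    for (unsigned off = 0; off < hole; off++) {
        uintptr_t image = base + HDR_SIZE + off; /* assumed placement */
        if ((image & ~(uintptr_t)(PAGE_SIZE - 1)) != base)
            bad++;
    }
    return bad;
}

int main(void)
{
    unsigned len = 4000; /* image size from the message */
    printf("size=%u hole=%u bad=%u bad_clamped=%u\n", alloc_size(len),
           hole_unclamped(len), bad_offsets(hole_unclamped(len)),
           bad_offsets(hole_clamped(len)));
    return 0;
}
```

Under these assumptions the header occupies the first 4 bytes, so the image start already leaves the first page for offsets of 4092 and above.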